Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/09/2023, 22:05

General

  • Target

    sysran-uninstaller.exe

  • Size

    14KB

  • MD5

    0ae3f7173c12426eb46648e16973c0cc

  • SHA1

    e6f564a0550cb9e8379419b27d19e2679d589920

  • SHA256

    d53f259612e67e72889a97f32e6ac4899e9dacc629cd2da0e89714938e000255

  • SHA512

    b1e8084487510aab47726ea08f2e7e8fadedd320926a4c4420a4f8c50876c8e231da05f9f690183487b983139a2c1236535f5eba308b90a170b2ccfa24409a78

  • SSDEEP

    384:cIDtF5/TAFI2Dn2FoeU5X9BfgJn3vLcA0:JBAXroEt91ghX0

Score
8/10

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\sysran-uninstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\sysran-uninstaller.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /f
        3⤵
        PID:2700
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "GoogleUpdateTaskMachineQC"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\system32\schtasks.exe
        schtasks /delete /f /tn "GoogleUpdateTaskMachineQC"
        3⤵
        PID:2704
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg copy "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /s /f & reg copy "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /s /f & reg copy "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /s /f & reg copy "HKLM\SYSTEM\CurrentControlSet\Services\BITS_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\BITS" /s /f & reg copy "HKLM\SYSTEM\CurrentControlSet\Services\dosvc_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /s /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc_bkp" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc_bkp" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv_bkp" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BITS_bkp" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc_bkp" /f & sc start UsoSvc & sc start WaaSMedicSvc & sc start wuauserv & sc start bits & sc start dosvc
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Windows\system32\reg.exe
        reg copy "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /s /f
        3⤵
        PID:2744
      • C:\Windows\system32\reg.exe
        reg copy "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /s /f
        3⤵
        PID:2728
      • C:\Windows\system32\reg.exe
        reg copy "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /s /f
        3⤵
        PID:2732
      • C:\Windows\system32\reg.exe
        reg copy "HKLM\SYSTEM\CurrentControlSet\Services\BITS_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\BITS" /s /f
        3⤵
        PID:2500
      • C:\Windows\system32\reg.exe
        reg copy "HKLM\SYSTEM\CurrentControlSet\Services\dosvc_bkp" "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /s /f
        3⤵
        PID:1288
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc_bkp" /f
        3⤵
        PID:2960
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc_bkp" /f
        3⤵
        PID:2612
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv_bkp" /f
        3⤵
        PID:2788
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc_bkp" /f
        3⤵
        PID:2940
      • C:\Windows\system32\reg.exe
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BITS_bkp" /f
        3⤵
        PID:2520
      • C:\Windows\system32\sc.exe
        sc start UsoSvc
        3⤵
        • Launches sc.exe
        PID:2824
      • C:\Windows\system32\sc.exe
        sc start wuauserv
        3⤵
        • Launches sc.exe
        PID:2632
      • C:\Windows\system32\sc.exe
        sc start WaaSMedicSvc
        3⤵
        • Launches sc.exe
        PID:1724
      • C:\Windows\system32\sc.exe
        sc start dosvc
        3⤵
        • Launches sc.exe
        PID:2608
      • C:\Windows\system32\sc.exe
        sc start bits
        3⤵
        • Launches sc.exe
        PID:2660

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2364-0-0x000000013F350000-0x000000013F358000-memory.dmp
    Filesize: 32KB
  • memory/2364-1-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp
    Filesize: 9.9MB
  • memory/2364-2-0x0000000002230000-0x00000000022B0000-memory.dmp
    Filesize: 512KB
  • memory/2364-4-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp
    Filesize: 9.9MB