999d43ee4c9a1ec38c0b00fc38abe0b29b13cc83983c6ee895cbb2768b29022d

Analysis

max time kernel
43s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Size

3.9MB
MD5

2746cf67ced0c91f1cefd3d137bd6a5c
SHA1

c42e2e0080ec2f357c7306754ea82b976bdc220c
SHA256

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff
SHA512

2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238
SSDEEP

98304:s7ZyplW12iRY7CWkdntsrBRAxQyvIYA+7THD:duLaCv0BeOyvIYA+Hj

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\5F6B244B = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exeservices.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 2 IoCs

Processes:

services.exeservices.exe

pid process

4724 services.exe
2996 services.exe
Loads dropped DLL 7 IoCs

Processes:

services.exe

pid process

2996 services.exe
2996 services.exe
2996 services.exe
2996 services.exe
2996 services.exe
2996 services.exe
2996 services.exe

pid	process
4724	services.exe
2996	services.exe

pid	process
2996	services.exe
2996	services.exe
2996	services.exe
2996	services.exe
2996	services.exe
2996	services.exe
2996	services.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\5F6B244B = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services and Controller app = "C:\\Users\\Admin\\AppData\\Local\\5F6B244B\\services.exe"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services and Controller app = "C:\\Users\\Admin\\AppData\\Local\\5F6B244B\\services.exe"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4320 schtasks.exe

pid	process
4320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exeservices.exe

pid	process
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe
4724	services.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exeservices.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Token: SeDebugPrivilege	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Token: SeDebugPrivilege	4724	services.exe
Token: SeDebugPrivilege	4724	services.exe
Token: SeBackupPrivilege	4840	vssvc.exe
Token: SeRestorePrivilege	4840	vssvc.exe
Token: SeAuditPrivilege	4840	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

services.exe

pid process

4724 services.exe

pid	process
4724	services.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.execmd.exeservices.exe

description	pid	process	target process
PID 2412 wrote to memory of 2340	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 2340	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 2340	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 632	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 632	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 632	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 2180	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 2180	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 2180	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 4960	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 4960	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 4960	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 1764	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 1764	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 1764	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 1296	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 1296	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 1296	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 2504	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 2504	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 2504	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 5100	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 5100	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 5100	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 1088	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 1088	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 1088	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 516	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 516	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 516	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 4320	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 4320	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 4320	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	schtasks.exe
PID 2412 wrote to memory of 4724	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	services.exe
PID 2412 wrote to memory of 4724	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	services.exe
PID 2412 wrote to memory of 4724	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	services.exe
PID 2412 wrote to memory of 3368	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	cmd.exe
PID 2412 wrote to memory of 3368	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	cmd.exe
PID 2412 wrote to memory of 3368	2412	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe	cmd.exe
PID 3368 wrote to memory of 4312	3368	cmd.exe	choice.exe
PID 3368 wrote to memory of 4312	3368	cmd.exe	choice.exe
PID 3368 wrote to memory of 4312	3368	cmd.exe	choice.exe
PID 4724 wrote to memory of 2996	4724	services.exe	services.exe
PID 4724 wrote to memory of 2996	4724	services.exe	services.exe
PID 4724 wrote to memory of 2996	4724	services.exe	services.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe
"C:\Users\Admin\AppData\Local\Temp\ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:2340

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:2180

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:4960

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:1764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:1296

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:2504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:5100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:1088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:516

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "Services and Controller app" /sc MINUTE /mo 3 /tr "C:\Users\Admin\AppData\Local\5F6B244B\services.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4320

C:\Users\Admin\AppData\Local\5F6B244B\services.exe
"C:\Users\Admin\AppData\Local\5F6B244B\services.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\5F6B244B\tor\services.exe
"C:\Users\Admin\AppData\Local\5F6B244B\tor\services.exe" -f "C:\Users\Admin\AppData\Local\5F6B244B\tor\torrc"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & del /Q /S "C:\Users\Admin\AppData\Local\Temp\ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5F6B244B\services.exe
Filesize
3.9MB

MD5
2746cf67ced0c91f1cefd3d137bd6a5c

SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c

SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff

SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\services.exe
Filesize
3.9MB

MD5
2746cf67ced0c91f1cefd3d137bd6a5c

SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c

SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff

SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\services.exe
Filesize
3.9MB

MD5
2746cf67ced0c91f1cefd3d137bd6a5c

SHA1
c42e2e0080ec2f357c7306754ea82b976bdc220c

SHA256
ba5ce65d728b5529fede411b5fb3b99e88a69c797e5bf8b89e18e42a9d6761ff

SHA512
2cad5e01ff55204ec0c30361a9db29a38ed4bc4eb20ae76c5984aa2cfac9d5fede4aee1981168be47b0f60e1c2f0e7f7b79adce62663f9ab3706ea3a05fb6238

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\LIBEAY32.dll
Filesize
3.1MB

MD5
3c20802fa7f36c8839c4f942b8d86f0d

SHA1
ab351fb48b1e3bded12836d8ccdb661a426ce8d8

SHA256
8a85673f24ae7a5cfe6faa03f786268b730326d95a254e86a7e84d3bf4d902bf

SHA512
1cb9bc2749ac496f13e77e11a9c134a445b287d1ad6f42eec9662d7873f771bedf0b60ea7607b735a0a21046a43b71ce9d6433d9889e7449f413418bc6498661

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\SSLEAY32.dll
Filesize
696KB

MD5
8ed681b5e737350b48b151968ce186ce

SHA1
16916adbd765b95676f5fdd98f39d24a9015f424

SHA256
1bafbdf42dc31d3cc336bb39c47631dde9a5af5a6465cc45bb7ae2d0065526af

SHA512
2493b5277890e34a903ac5eac064cdb500c6acbdf467429984d79ddc2ffe3f9b7cfb9daa349931749ad5103b9d5ed2f16466108def7ab492adf11af02bf40580

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\libeay32.dll
Filesize
3.1MB

MD5
3c20802fa7f36c8839c4f942b8d86f0d

SHA1
ab351fb48b1e3bded12836d8ccdb661a426ce8d8

SHA256
8a85673f24ae7a5cfe6faa03f786268b730326d95a254e86a7e84d3bf4d902bf

SHA512
1cb9bc2749ac496f13e77e11a9c134a445b287d1ad6f42eec9662d7873f771bedf0b60ea7607b735a0a21046a43b71ce9d6433d9889e7449f413418bc6498661

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\libeay32.dll
Filesize
3.1MB

MD5
3c20802fa7f36c8839c4f942b8d86f0d

SHA1
ab351fb48b1e3bded12836d8ccdb661a426ce8d8

SHA256
8a85673f24ae7a5cfe6faa03f786268b730326d95a254e86a7e84d3bf4d902bf

SHA512
1cb9bc2749ac496f13e77e11a9c134a445b287d1ad6f42eec9662d7873f771bedf0b60ea7607b735a0a21046a43b71ce9d6433d9889e7449f413418bc6498661

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\libevent-2-0-5.dll
Filesize
700KB

MD5
ae522c45a309dfa8f51513724a0e92ae

SHA1
aa8091b4261b8a478d11e851679f42044146dee8

SHA256
1bfc7a5ec4deccad431e611cd91f561e6db1937a1261f1ba47f657b79ae062ab

SHA512
ae2fff4e287bca9ca42fe05807fccc2c3e357fc9420c4a5f380ccc9ba249ffdeea13a75373882d8ee393723242942c1cac814b92523bf995a7cc56b1bda861c2

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\libevent-2-0-5.dll
Filesize
700KB

MD5
ae522c45a309dfa8f51513724a0e92ae

SHA1
aa8091b4261b8a478d11e851679f42044146dee8

SHA256
1bfc7a5ec4deccad431e611cd91f561e6db1937a1261f1ba47f657b79ae062ab

SHA512
ae2fff4e287bca9ca42fe05807fccc2c3e357fc9420c4a5f380ccc9ba249ffdeea13a75373882d8ee393723242942c1cac814b92523bf995a7cc56b1bda861c2

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\libgcc_s_sjlj-1.dll
Filesize
510KB

MD5
1c67fdd5b95084be91bf6f17229c01aa

SHA1
966810b47480695146cb1095227538dc3c2b16b8

SHA256
cc7293ab50e2b1d267d0dff676bbf8e54395ec199c76b03d6d14624cfb33004f

SHA512
5806868778953222dbacd22800155d64619ed8ff0cf6eb24113e3d56eb658a2b5245ade71f53103b65ea1eca24fb3a84814c658967fac34b414ceb77577c2f71

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\libgcc_s_sjlj-1.dll
Filesize
510KB

MD5
1c67fdd5b95084be91bf6f17229c01aa

SHA1
966810b47480695146cb1095227538dc3c2b16b8

SHA256
cc7293ab50e2b1d267d0dff676bbf8e54395ec199c76b03d6d14624cfb33004f

SHA512
5806868778953222dbacd22800155d64619ed8ff0cf6eb24113e3d56eb658a2b5245ade71f53103b65ea1eca24fb3a84814c658967fac34b414ceb77577c2f71

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\libssp-0.dll
Filesize
90KB

MD5
762dd637e8cc3f5a36306ed48e88088a

SHA1
feb85588dbafac9b455bab51ff319fc47e1543f9

SHA256
8e09c794b8611e07a9a61b7d72d20947c42623e20838b02dce6edd8a0df85481

SHA512
5abe8c729889bab9c9c925d7e7e1989ea72d461bdf6eae31d60b195c346c54a84339787c67be1e9411873db10cd7cee5a2382a1406842a72069a6e8fe81656d4

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\libssp-0.dll
Filesize
90KB

MD5
762dd637e8cc3f5a36306ed48e88088a

SHA1
feb85588dbafac9b455bab51ff319fc47e1543f9

SHA256
8e09c794b8611e07a9a61b7d72d20947c42623e20838b02dce6edd8a0df85481

SHA512
5abe8c729889bab9c9c925d7e7e1989ea72d461bdf6eae31d60b195c346c54a84339787c67be1e9411873db10cd7cee5a2382a1406842a72069a6e8fe81656d4

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\services.exe
Filesize
3.5MB

MD5
833cb6a4a90e7b3a1caaedfa6d26a04f

SHA1
41dc9078c6cf2c5e49f507f64876b414d7318348

SHA256
fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891

SHA512
60c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\services.exe
Filesize
3.5MB

MD5
833cb6a4a90e7b3a1caaedfa6d26a04f

SHA1
41dc9078c6cf2c5e49f507f64876b414d7318348

SHA256
fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891

SHA512
60c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\services.exe
Filesize
3.5MB

MD5
833cb6a4a90e7b3a1caaedfa6d26a04f

SHA1
41dc9078c6cf2c5e49f507f64876b414d7318348

SHA256
fae586e75bf3c71b70a5770550823765e0a595ab64ce572743a2e3e00031c891

SHA512
60c139af6ffa46c7aef082d307639838c7baa4dbbd6bdf49635563e4867ccc0175e118b0bde783785063832755ccbbb01a433000fac1af70fd754befcf179eeb

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\ssleay32.dll
Filesize
696KB

MD5
8ed681b5e737350b48b151968ce186ce

SHA1
16916adbd765b95676f5fdd98f39d24a9015f424

SHA256
1bafbdf42dc31d3cc336bb39c47631dde9a5af5a6465cc45bb7ae2d0065526af

SHA512
2493b5277890e34a903ac5eac064cdb500c6acbdf467429984d79ddc2ffe3f9b7cfb9daa349931749ad5103b9d5ed2f16466108def7ab492adf11af02bf40580

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\zlib1.dll
Filesize
105KB

MD5
76615cf23161037c359407127b3ea95f

SHA1
feb5945d87db52423bfa413fe2696c076c544ef0

SHA256
daf91e9b6190b88c39fbc92d46cac32d05eba28d0a5d1fd38f2c66f1fce96be9

SHA512
6586ceca60d661dbc4e983e6271a3d06ab9ad55a9fb24b234f1ebab22af5678f583b3b7b5d42e2808bdcfa341c472e71783e04e5ea3da26bb1738c2153e64469

Download Submit
C:\Users\Admin\AppData\Local\5F6B244B\tor\zlib1.dll
Filesize
105KB

MD5
76615cf23161037c359407127b3ea95f

SHA1
feb5945d87db52423bfa413fe2696c076c544ef0

SHA256
daf91e9b6190b88c39fbc92d46cac32d05eba28d0a5d1fd38f2c66f1fce96be9

SHA512
6586ceca60d661dbc4e983e6271a3d06ab9ad55a9fb24b234f1ebab22af5678f583b3b7b5d42e2808bdcfa341c472e71783e04e5ea3da26bb1738c2153e64469

Download Submit
memory/2412-5-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/2412-1-0x0000000000C40000-0x0000000001020000-memory.dmp

Filesize
3.9MB

Download
memory/2412-2-0x0000000005A80000-0x0000000005A90000-memory.dmp

Filesize
64KB

Download
memory/2412-0-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2412-3-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/2412-4-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2412-19-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2996-55-0x000000006F750000-0x000000006F772000-memory.dmp

Filesize
136KB

Download
memory/2996-59-0x000000006F400000-0x000000006F61E000-memory.dmp

Filesize
2.1MB

Download
memory/2996-62-0x000000006F6A0000-0x000000006F722000-memory.dmp

Filesize
520KB

Download
memory/2996-61-0x000000006F6A0000-0x000000006F722000-memory.dmp

Filesize
520KB

Download
memory/2996-58-0x000000006F780000-0x000000006F802000-memory.dmp

Filesize
520KB

Download
memory/2996-60-0x000000006F400000-0x000000006F61E000-memory.dmp

Filesize
2.1MB

Download
memory/2996-56-0x000000006F750000-0x000000006F772000-memory.dmp

Filesize
136KB

Download
memory/4724-24-0x000000000B460000-0x000000000B4F2000-memory.dmp

Filesize
584KB

Download
memory/4724-40-0x0000000007530000-0x000000000753A000-memory.dmp

Filesize
40KB

Download
memory/4724-23-0x0000000009270000-0x0000000009814000-memory.dmp

Filesize
5.6MB

Download
memory/4724-17-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-22-0x0000000006550000-0x000000000655A000-memory.dmp

Filesize
40KB

Download
memory/4724-21-0x000000000A820000-0x000000000B140000-memory.dmp

Filesize
9.1MB

Download
memory/4724-20-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download