Overview
Analysis

max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-03-2024 23:24
Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1: MicrosoftWindowsServicesEtc/AppKill.bat, win7-20240221-en
behavioral2: MicrosoftWindowsServicesEtc/AppKill.bat, win10v2004-20240226-en
behavioral3: MicrosoftWindowsServicesEtc/CallFunc.vbs, win7-20240221-en
behavioral4: MicrosoftWindowsServicesEtc/CallFunc.vbs, win10v2004-20240226-en
behavioral5: MicrosoftWindowsServicesEtc/DgzRun.vbs, win7-20240221-en
behavioral6: MicrosoftWindowsServicesEtc/DgzRun.vbs, win10v2004-20240226-en
behavioral7: MicrosoftWindowsServicesEtc/GetReady.exe, win7-20240221-en
behavioral8: MicrosoftWindowsServicesEtc/GetReady.exe, win10v2004-20240226-en
behavioral9: MicrosoftWindowsServicesEtc/Major.exe, win7-20240221-en
behavioral10: MicrosoftWindowsServicesEtc/Major.exe, win10v2004-20240226-en
behavioral11: MicrosoftWindowsServicesEtc/NotMuch.exe, win7-20240215-en
behavioral12: MicrosoftWindowsServicesEtc/NotMuch.exe, win10v2004-20240226-en
behavioral13: MicrosoftWindowsServicesEtc/RuntimeChecker.exe, win7-20240221-en
behavioral14: MicrosoftWindowsServicesEtc/RuntimeChecker.exe, win10v2004-20240226-en
behavioral15: MicrosoftWindowsServicesEtc/WinScrew.exe, win7-20240215-en
behavioral16: MicrosoftWindowsServicesEtc/WinScrew.exe, win10v2004-20240226-en
behavioral17: MicrosoftWindowsServicesEtc/breakrule.exe, win7-20240220-en
behavioral18: MicrosoftWindowsServicesEtc/breakrule.exe, win10v2004-20240226-en
behavioral19: MicrosoftWindowsServicesEtc/bsod.exe, win7-20240221-en
behavioral20: MicrosoftWindowsServicesEtc/bsod.exe, win10v2004-20240226-en
behavioral21: MicrosoftWindowsServicesEtc/checker.bat, win7-20240221-en
behavioral22: MicrosoftWindowsServicesEtc/checker.bat, win10v2004-20240226-en
behavioral23: MicrosoftWindowsServicesEtc/data/eula32.exe, win7-20240221-en
behavioral24: MicrosoftWindowsServicesEtc/data/eula32.exe, win10v2004-20240226-en
behavioral25: MicrosoftWindowsServicesEtc/data/runner32s.exe, win7-20240221-en
behavioral26: MicrosoftWindowsServicesEtc/data/runner32s.exe, win10v2004-20240226-en
behavioral27: MicrosoftWindowsServicesEtc/example.vbs, win7-20240221-en
behavioral28: MicrosoftWindowsServicesEtc/example.vbs, win10v2004-20240226-en
behavioral29: MicrosoftWindowsServicesEtc/fexec.vbs, win7-20240221-en
behavioral30: MicrosoftWindowsServicesEtc/fexec.vbs, win10v2004-20240226-en
behavioral31: MicrosoftWindowsServicesEtc/healgen.vbs, win7-20240220-en
behavioral32: MicrosoftWindowsServicesEtc/healgen.vbs, win10v2004-20240226-en
General

Target: MicrosoftWindowsServicesEtc/WinScrew.exe
Size: 52KB
MD5: 1aaafedd9f259acca75708f4af10b5be
SHA1: f6b4ea28d304e1f9205c1c0b970d60ee989402f2
SHA256: 429e01b0e06b02a55bafb1527629f8d4c5f64d9b21ac9f81484a3928fdce6dc9
SHA512: a995ebf4d142452aabb419f0cacfa5412d03532840cb08c37dd7c00001dee521bf9d0da66ac4346b07dffd91fe01fa3115fa05811acbd43d380320dca1be4aa8
SSDEEP: 1536:Sn1KqRJ9x3jnIbslu8JFNDfIDIO40nToIfqFwr:Sn1KUhrIbsTIl4YTBfqa
Malware Config

Signatures

Possible privilege escalation attempt (4 IoCs)
Processes (pid | process):
1624 | icacls.exe
4612 | takeown.exe
1208 | icacls.exe
5088 | takeown.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | WinScrew.exe

Modifies file permissions (1 TTP, 4 IoCs)
Processes (pid | process):
4612 | takeown.exe
1208 | icacls.exe
5088 | takeown.exe
1624 | icacls.exe

Drops file in System32 directory (1 IoC)
Processes (description | ioc | process):
File opened for modification | C:\Windows\System32\sethc.exe | cmd.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
Token: SeTakeOwnershipPrivilege | 4612 | takeown.exe
Token: SeTakeOwnershipPrivilege | 5088 | takeown.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description | pid | process | target process):
PID 4380 wrote to memory of 64 | 4380 | WinScrew.exe | cmd.exe
PID 4380 wrote to memory of 64 | 4380 | WinScrew.exe | cmd.exe
PID 64 wrote to memory of 4612 | 64 | cmd.exe | takeown.exe
PID 64 wrote to memory of 4612 | 64 | cmd.exe | takeown.exe
PID 64 wrote to memory of 1208 | 64 | cmd.exe | icacls.exe
PID 64 wrote to memory of 1208 | 64 | cmd.exe | icacls.exe
PID 64 wrote to memory of 5088 | 64 | cmd.exe | takeown.exe
PID 64 wrote to memory of 5088 | 64 | cmd.exe | takeown.exe
PID 64 wrote to memory of 1624 | 64 | cmd.exe | icacls.exe
PID 64 wrote to memory of 1624 | 64 | cmd.exe | icacls.exe
Processes (process tree, indented by depth; each entry: image path, command line, PID, signatures)

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"
  PID: 4380
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\3633.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"
      PID: 64
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\takeown.exe
          Command line: takeown /f logonui.exe
          PID: 4612
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\icacls.exe
          Command line: icacls logonui.exe /granted "Admin":F
          PID: 1208
          - Possible privilege escalation attempt
          - Modifies file permissions

        C:\Windows\System32\takeown.exe
          Command line: takeown /f sethc.exe
          PID: 5088
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\icacls.exe
          Command line: icacls sethc.exe /granted "Admin":F
          PID: 1624
          - Possible privilege escalation attempt
          - Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 347B
MD5: 2d6137c014799e13eb4ed488b2fb6f24
SHA1: ba8b8734a2fec8bd5d83fb9f82839be299842f83
SHA256: e8e180570ec4e0aa25663250ace1d1eb45404ef6c25f5680f90391d6e30b7b0e
SHA512: 53afcd651e0daca461c20164536a541e0e48be2286bc4952494dc9eec1a23994f11430ce6f3c1dc28b90ba3b8a1d28446bd0d357bbc620243aa9cd6b35506c3c