Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-03-2024 23:24

General

  • Target

    MicrosoftWindowsServicesEtc/GetReady.exe

  • Size

    52KB

  • MD5

    57f3795953dafa8b5e2b24ba5bfad87f

  • SHA1

    47719bd600e7527c355dbdb053e3936379d1b405

  • SHA256

    5319958efc38ea81f61854eb9f6c8aee32394d4389e52fe5c1f7f7ef6b261725

  • SHA512

    172006e8deed2766e7fa71e34182b5539309ec8c2ac5f63285724ef8f59864e1159c618c0914eb05692df721794eb4726757b2ccf576f0c78a6567d807cbfb98

  • SSDEEP

    1536:Sn1KqRJ9x3jnIbslu8JFNDfIDIO40nToIfqqjw0:Sn1KUhrIbsTIl4YTBfqQ

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe
    "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\1DF3.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\System32\takeown.exe
        takeown /f taskmgr.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4580
      • C:\Windows\System32\icacls.exe
        icacls taskmgr.exe /granted "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4816
      • C:\Windows\System32\takeown.exe
        takeown /f sethc.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1164
      • C:\Windows\System32\icacls.exe
        icacls sethc.exe /granted "Admin":F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3760
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1\1DF3.bat

    Filesize

    356B

    MD5

    fe81c1282a808b7a1d0a27d7cccaa624

    SHA1

    f6afc7b26ead8cdb51b11d59c6e68e5aab265bfa

    SHA256

    3e18de7065154144b54a2f7c179c27b3f27c3cda5871f472f452a8cfc3dc6791

    SHA512

    873e226360edc463dd753aedfec7ec60e0d8efac08652245709862b8bd9e6ae85eb6ea6f05d8d2c0ec1c8e7fc1bddeebc5037efcac1ceb5b1f099b49c0a93045