Overview
overview
8Static
static
3MicrosoftW...ll.bat
windows7-x64
1MicrosoftW...ll.bat
windows10-2004-x64
1MicrosoftW...nc.vbs
windows7-x64
3MicrosoftW...nc.vbs
windows10-2004-x64
7MicrosoftW...un.vbs
windows7-x64
3MicrosoftW...un.vbs
windows10-2004-x64
7MicrosoftW...dy.exe
windows7-x64
8MicrosoftW...dy.exe
windows10-2004-x64
8MicrosoftW...or.exe
windows7-x64
3MicrosoftW...or.exe
windows10-2004-x64
7MicrosoftW...ch.exe
windows7-x64
1MicrosoftW...ch.exe
windows10-2004-x64
1MicrosoftW...er.exe
windows7-x64
3MicrosoftW...er.exe
windows10-2004-x64
7MicrosoftW...ew.exe
windows7-x64
8MicrosoftW...ew.exe
windows10-2004-x64
8MicrosoftW...le.exe
windows7-x64
3MicrosoftW...le.exe
windows10-2004-x64
7MicrosoftW...od.exe
windows7-x64
1MicrosoftW...od.exe
windows10-2004-x64
1MicrosoftW...er.bat
windows7-x64
MicrosoftW...er.bat
windows10-2004-x64
MicrosoftW...32.exe
windows7-x64
1MicrosoftW...32.exe
windows10-2004-x64
1MicrosoftW...2s.exe
windows7-x64
4MicrosoftW...2s.exe
windows10-2004-x64
7MicrosoftW...le.vbs
windows7-x64
3MicrosoftW...le.vbs
windows10-2004-x64
7MicrosoftW...ec.vbs
windows7-x64
1MicrosoftW...ec.vbs
windows10-2004-x64
1MicrosoftW...en.vbs
windows7-x64
3MicrosoftW...en.vbs
windows10-2004-x64
7Analysis
-
max time kernel
139s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-03-2024 23:24
Static task
static1
Behavioral task
behavioral1
Sample
MicrosoftWindowsServicesEtc/AppKill.bat
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
MicrosoftWindowsServicesEtc/AppKill.bat
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
MicrosoftWindowsServicesEtc/CallFunc.vbs
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
MicrosoftWindowsServicesEtc/CallFunc.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
MicrosoftWindowsServicesEtc/DgzRun.vbs
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
MicrosoftWindowsServicesEtc/DgzRun.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
MicrosoftWindowsServicesEtc/GetReady.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
MicrosoftWindowsServicesEtc/GetReady.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
MicrosoftWindowsServicesEtc/Major.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
MicrosoftWindowsServicesEtc/Major.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
MicrosoftWindowsServicesEtc/NotMuch.exe
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
MicrosoftWindowsServicesEtc/NotMuch.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
MicrosoftWindowsServicesEtc/RuntimeChecker.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
MicrosoftWindowsServicesEtc/RuntimeChecker.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
MicrosoftWindowsServicesEtc/WinScrew.exe
Resource
win7-20240215-en
Behavioral task
behavioral16
Sample
MicrosoftWindowsServicesEtc/WinScrew.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
MicrosoftWindowsServicesEtc/breakrule.exe
Resource
win7-20240220-en
Behavioral task
behavioral18
Sample
MicrosoftWindowsServicesEtc/breakrule.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
MicrosoftWindowsServicesEtc/bsod.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
MicrosoftWindowsServicesEtc/bsod.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
MicrosoftWindowsServicesEtc/checker.bat
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
MicrosoftWindowsServicesEtc/checker.bat
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
MicrosoftWindowsServicesEtc/data/eula32.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
MicrosoftWindowsServicesEtc/data/eula32.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
MicrosoftWindowsServicesEtc/data/runner32s.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
MicrosoftWindowsServicesEtc/data/runner32s.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral27
Sample
MicrosoftWindowsServicesEtc/example.vbs
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
MicrosoftWindowsServicesEtc/example.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
MicrosoftWindowsServicesEtc/fexec.vbs
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
MicrosoftWindowsServicesEtc/fexec.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
MicrosoftWindowsServicesEtc/healgen.vbs
Resource
win7-20240220-en
Behavioral task
behavioral32
Sample
MicrosoftWindowsServicesEtc/healgen.vbs
Resource
win10v2004-20240226-en
General
-
Target
MicrosoftWindowsServicesEtc/GetReady.exe
-
Size
52KB
-
MD5
57f3795953dafa8b5e2b24ba5bfad87f
-
SHA1
47719bd600e7527c355dbdb053e3936379d1b405
-
SHA256
5319958efc38ea81f61854eb9f6c8aee32394d4389e52fe5c1f7f7ef6b261725
-
SHA512
172006e8deed2766e7fa71e34182b5539309ec8c2ac5f63285724ef8f59864e1159c618c0914eb05692df721794eb4726757b2ccf576f0c78a6567d807cbfb98
-
SSDEEP
1536:Sn1KqRJ9x3jnIbslu8JFNDfIDIO40nToIfqqjw0:Sn1KUhrIbsTIl4YTBfqQ
Malware Config
Signatures
-
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 4580 takeown.exe 4816 icacls.exe 1164 takeown.exe 3760 icacls.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
GetReady.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation GetReady.exe -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 4580 takeown.exe 4816 icacls.exe 1164 takeown.exe 3760 icacls.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
takeown.exetakeown.exedescription pid process Token: SeTakeOwnershipPrivilege 4580 takeown.exe Token: SeTakeOwnershipPrivilege 1164 takeown.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
GetReady.execmd.exedescription pid process target process PID 1716 wrote to memory of 4992 1716 GetReady.exe cmd.exe PID 1716 wrote to memory of 4992 1716 GetReady.exe cmd.exe PID 4992 wrote to memory of 4580 4992 cmd.exe takeown.exe PID 4992 wrote to memory of 4580 4992 cmd.exe takeown.exe PID 4992 wrote to memory of 4816 4992 cmd.exe icacls.exe PID 4992 wrote to memory of 4816 4992 cmd.exe icacls.exe PID 4992 wrote to memory of 1164 4992 cmd.exe takeown.exe PID 4992 wrote to memory of 1164 4992 cmd.exe takeown.exe PID 4992 wrote to memory of 3760 4992 cmd.exe icacls.exe PID 4992 wrote to memory of 3760 4992 cmd.exe icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\1DF3.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Windows\System32\takeown.exetakeown /f taskmgr.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4580
-
-
C:\Windows\System32\icacls.exeicacls taskmgr.exe /granted "Admin":F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4816
-
-
C:\Windows\System32\takeown.exetakeown /f sethc.exe3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\System32\icacls.exeicacls sethc.exe /granted "Admin":F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3760
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:81⤵PID:3336
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
356B
MD5fe81c1282a808b7a1d0a27d7cccaa624
SHA1f6afc7b26ead8cdb51b11d59c6e68e5aab265bfa
SHA2563e18de7065154144b54a2f7c179c27b3f27c3cda5871f472f452a8cfc3dc6791
SHA512873e226360edc463dd753aedfec7ec60e0d8efac08652245709862b8bd9e6ae85eb6ea6f05d8d2c0ec1c8e7fc1bddeebc5037efcac1ceb5b1f099b49c0a93045