Analysis Overview
SHA256
f30ea0f7276100d02319bee64445888af5d784eb12a962ea88f99d2ae4137897
Threat Level: Likely malicious
The file Individual Components.zip was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Checks computer location settings
Modifies file permissions
Drops file in System32 directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 23:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
117s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2076 wrote to memory of 1716 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 2076 wrote to memory of 1716 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 2076 wrote to memory of 1716 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\DgzRun.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\588C.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"
C:\Windows\System32\takeown.exe
takeown /f taskmgr.exe
C:\Windows\System32\icacls.exe
icacls taskmgr.exe /granted "Admin":F
C:\Windows\System32\takeown.exe
takeown /f sethc.exe
C:\Windows\System32\icacls.exe
icacls sethc.exe /granted "Admin":F
Network
Files
C:\Users\Admin\AppData\Local\Temp\1\588C.bat
| MD5 | fe81c1282a808b7a1d0a27d7cccaa624 |
| SHA1 | f6afc7b26ead8cdb51b11d59c6e68e5aab265bfa |
| SHA256 | 3e18de7065154144b54a2f7c179c27b3f27c3cda5871f472f452a8cfc3dc6791 |
| SHA512 | 873e226360edc463dd753aedfec7ec60e0d8efac08652245709862b8bd9e6ae85eb6ea6f05d8d2c0ec1c8e7fc1bddeebc5037efcac1ceb5b1f099b49c0a93045 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240215-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\sethc.exe | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\1017.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"
C:\Windows\System32\takeown.exe
takeown /f logonui.exe
C:\Windows\System32\icacls.exe
icacls logonui.exe /granted "Admin":F
C:\Windows\System32\takeown.exe
takeown /f sethc.exe
C:\Windows\System32\icacls.exe
icacls sethc.exe /granted "Admin":F
Network
Files
C:\Users\Admin\AppData\Local\Temp\1\1017.bat
| MD5 | 2d6137c014799e13eb4ed488b2fb6f24 |
| SHA1 | ba8b8734a2fec8bd5d83fb9f82839be299842f83 |
| SHA256 | e8e180570ec4e0aa25663250ace1d1eb45404ef6c25f5680f90391d6e30b7b0e |
| SHA512 | 53afcd651e0daca461c20164536a541e0e48be2286bc4952494dc9eec1a23994f11430ce6f3c1dc28b90ba3b8a1d28446bd0d357bbc620243aa9cd6b35506c3c |
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\sethc.exe | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\3633.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"
C:\Windows\System32\takeown.exe
takeown /f logonui.exe
C:\Windows\System32\icacls.exe
icacls logonui.exe /granted "Admin":F
C:\Windows\System32\takeown.exe
takeown /f sethc.exe
C:\Windows\System32\icacls.exe
icacls sethc.exe /granted "Admin":F
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1\3633.bat
| MD5 | 2d6137c014799e13eb4ed488b2fb6f24 |
| SHA1 | ba8b8734a2fec8bd5d83fb9f82839be299842f83 |
| SHA256 | e8e180570ec4e0aa25663250ace1d1eb45404ef6c25f5680f90391d6e30b7b0e |
| SHA512 | 53afcd651e0daca461c20164536a541e0e48be2286bc4952494dc9eec1a23994f11430ce6f3c1dc28b90ba3b8a1d28446bd0d357bbc620243aa9cd6b35506c3c |
Analysis: behavioral31
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240220-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2028 wrote to memory of 3020 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 2028 wrote to memory of 3020 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 2028 wrote to memory of 3020 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\healgen.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
123s
Max time network
127s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2840 wrote to memory of 4884 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 2840 wrote to memory of 4884 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\healgen.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
160s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1988 wrote to memory of 4284 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 1988 wrote to memory of 4284 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\DgzRun.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3436 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe | C:\Windows\system32\wscript.exe |
| PID 3436 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4110.tmp\4111.vbs
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\4110.tmp\4111.vbs
| MD5 | 2609fde7a9604c73be5083e4bcfa0e20 |
| SHA1 | 068c89f703fb11663143b9927f2a0c9f9f59c0e3 |
| SHA256 | 17d014cb4abbaced3acce9b6d7a1b595cd6e2dd814e41f06ceddcdc08e93eebe |
| SHA512 | 439fee7cc198cb3fef4ef14693141e52c305579a4ff2da0842323f57dcffade03f3b01ac288080fed423511937a4c1e2080f5a79f967a963fe34253f541824cb |
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:27
Platform
win10v2004-20240226-en
Max time kernel
37s
Max time network
39s
Command Line
Signatures
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "109" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 392 wrote to memory of 4268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wscript.exe |
| PID 392 wrote to memory of 4268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wscript.exe |
| PID 392 wrote to memory of 3512 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\shutdown.exe |
| PID 392 wrote to memory of 3512 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\shutdown.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\checker.bat"
C:\Windows\system32\wscript.exe
wscript.exe callfunc.vbs
C:\Windows\system32\shutdown.exe
shutdown -r -t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39fa855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:30
Platform
win10v2004-20240226-en
Max time kernel
120s
Max time network
206s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/2304-0-0x0000000074EC0000-0x0000000075670000-memory.dmp
memory/2304-1-0x0000000000900000-0x0000000000A3C000-memory.dmp
memory/2304-2-0x0000000005910000-0x0000000005EB4000-memory.dmp
memory/2304-3-0x0000000005360000-0x00000000053F2000-memory.dmp
memory/2304-4-0x0000000005510000-0x0000000005520000-memory.dmp
memory/2304-5-0x00000000052F0000-0x00000000052FA000-memory.dmp
memory/2304-6-0x0000000074EC0000-0x0000000075670000-memory.dmp
memory/2304-7-0x0000000005510000-0x0000000005520000-memory.dmp
memory/2304-8-0x0000000005510000-0x0000000005520000-memory.dmp
memory/2304-9-0x0000000005510000-0x0000000005520000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
120s
Max time network
133s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2816 wrote to memory of 2544 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 2816 wrote to memory of 2544 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 2816 wrote to memory of 2544 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\example.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\fexec.vbs"
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
122s
Max time network
130s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe"
Network
Files
memory/2256-0-0x0000000000DC0000-0x0000000000EFC000-memory.dmp
memory/2256-1-0x0000000074950000-0x000000007503E000-memory.dmp
memory/2256-2-0x0000000004E00000-0x0000000004E40000-memory.dmp
memory/2256-3-0x0000000004E00000-0x0000000004E40000-memory.dmp
memory/2256-4-0x0000000074950000-0x000000007503E000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
160s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\MicrosoftWindowsServicesEtc\NoBreak.xjs | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 692 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe | C:\Windows\system32\wscript.exe |
| PID 692 wrote to memory of 1460 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\7AFC.tmp\7AFD.vbs
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7AFC.tmp\7AFD.vbs
| MD5 | 5f427dc44f33906509423d24fa0590c0 |
| SHA1 | b896f7667381a594d3751e05f258925b81c231c0 |
| SHA256 | 9aae0707b1d5d3b7ed3bf5cc8fbb530aebd195e3e2f18312f3f7f1aa43e031b4 |
| SHA512 | bd28c386772062ef945f24c8ad7a25f158856af36e31d2c9b14674cedfd34b4f48ed531cd40a7eb291384d83665ffe154f0786c1a7ee1616256cf30125120961 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3540 wrote to memory of 2212 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
| PID 3540 wrote to memory of 2212 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\example.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 52.111.229.19:443 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
116s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 532 wrote to memory of 1344 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe |
| PID 532 wrote to memory of 1344 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe |
| PID 532 wrote to memory of 1344 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe |
| PID 1344 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe | C:\Windows\system32\cmd.exe |
| PID 1344 wrote to memory of 3936 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\CallFunc.vbs"
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\3DC4.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1\3DC4.bat
| MD5 | 0db153eefb4d51d0f0b699ea1d97b98d |
| SHA1 | abd0cc67716a9a3e6b0838638011d0594d329935 |
| SHA256 | f695721ea49576dc9b10b2d3c6ba89e8880b9a330b471e89800d014cb45de210 |
| SHA512 | 057edee55b797b2349b8f59e89c819ad868d773f7f58a4b1c26aac5bb04f783708127cd18af51f074f838498a3e3d96d143ad285c2cc7e4e4ad5e6973d9a4a10 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
91s
Max time network
119s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1576 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe | C:\Windows\system32\wscript.exe |
| PID 1576 wrote to memory of 3792 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3C5D.tmp\3C5E.vbs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\3C5D.tmp\3C5E.vbs
| MD5 | 9192fd494155eab424110765c751559e |
| SHA1 | b54fcc1e29617b3eee1c7bb215c048498881b641 |
| SHA256 | cbd3b0f294e8f11592a3ad80d1070d81746f806a48183b93c345251422ccbf0d |
| SHA512 | b8c48916535f3721e7f47be6af671765c3befefcd407c6ea5fabcf9ada119747408d662f61fb436f98a7c33050b6674da54dddf25e683429204a96555ec6e801 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
129s
Max time network
162s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1588 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe | C:\Windows\system32\wscript.exe |
| PID 1588 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\ABA1.tmp\ABA2.vbs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ABA1.tmp\ABA2.vbs
| MD5 | fe44b78a465853c0ac0744c6ab05ea40 |
| SHA1 | f32dacd91b9547fce9a8a2846a4e17c33295aab3 |
| SHA256 | 989d947c51c878bcefecb53d867a3c182c2d67129a87a5f6773eb6ef2bbf9b2e |
| SHA512 | 6b945e16786833c2e2e9867315b8859c413687fc72d4c8576b9c0a1aed2dc65249468317dd49f2ecf777e27c9969b7a7abc72b4d9b7c182dc7999051377515db |
Analysis: behavioral19
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe"
Network
Files
memory/2084-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp
memory/2084-0-0x0000000000F30000-0x0000000001070000-memory.dmp
memory/2084-2-0x0000000004AA0000-0x0000000004AE0000-memory.dmp
memory/2084-3-0x0000000074BF0000-0x00000000752DE000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
121s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\CallFunc.vbs"
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\8259.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\1\8259.bat
| MD5 | 0db153eefb4d51d0f0b699ea1d97b98d |
| SHA1 | abd0cc67716a9a3e6b0838638011d0594d329935 |
| SHA256 | f695721ea49576dc9b10b2d3c6ba89e8880b9a330b471e89800d014cb45de210 |
| SHA512 | 057edee55b797b2349b8f59e89c819ad868d773f7f58a4b1c26aac5bb04f783708127cd18af51f074f838498a3e3d96d143ad285c2cc7e4e4ad5e6973d9a4a10 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240220-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2500 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe | C:\Windows\system32\wscript.exe |
| PID 2500 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe | C:\Windows\system32\wscript.exe |
| PID 2500 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe | C:\Windows\system32\wscript.exe |
| PID 2500 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E82.tmp\E83.vbs
Network
Files
C:\Users\Admin\AppData\Local\Temp\E82.tmp\E83.vbs
| MD5 | 2609fde7a9604c73be5083e4bcfa0e20 |
| SHA1 | 068c89f703fb11663143b9927f2a0c9f9f59c0e3 |
| SHA256 | 17d014cb4abbaced3acce9b6d7a1b595cd6e2dd814e41f06ceddcdc08e93eebe |
| SHA512 | 439fee7cc198cb3fef4ef14693141e52c305579a4ff2da0842323f57dcffade03f3b01ac288080fed423511937a4c1e2080f5a79f967a963fe34253f541824cb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
159s
Command Line
Signatures
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\AppKill.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im opera.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im mspaint.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im calc.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessExplorer.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessHacker.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im iexplore.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im notepad.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im yandex.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im browser.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im eset.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im protogent.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im regedit
C:\Windows\system32\taskkill.exe
taskkill /f /im rundll32.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im rundll.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im dllhost.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im superaltf4.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im microsoftedge.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im mrsmjrgui.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im yandex.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\1DF3.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"
C:\Windows\System32\takeown.exe
takeown /f taskmgr.exe
C:\Windows\System32\icacls.exe
icacls taskmgr.exe /granted "Admin":F
C:\Windows\System32\takeown.exe
takeown /f sethc.exe
C:\Windows\System32\icacls.exe
icacls sethc.exe /granted "Admin":F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1\1DF3.bat
| MD5 | fe81c1282a808b7a1d0a27d7cccaa624 |
| SHA1 | f6afc7b26ead8cdb51b11d59c6e68e5aab265bfa |
| SHA256 | 3e18de7065154144b54a2f7c179c27b3f27c3cda5871f472f452a8cfc3dc6791 |
| SHA512 | 873e226360edc463dd753aedfec7ec60e0d8efac08652245709862b8bd9e6ae85eb6ea6f05d8d2c0ec1c8e7fc1bddeebc5037efcac1ceb5b1f099b49c0a93045 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:26
Platform
win7-20240221-en
Max time kernel
10s
Max time network
19s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1936 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wscript.exe |
| PID 1936 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wscript.exe |
| PID 1936 wrote to memory of 2836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wscript.exe |
| PID 1936 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\shutdown.exe |
| PID 1936 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\shutdown.exe |
| PID 1936 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\shutdown.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\checker.bat"
C:\Windows\system32\wscript.exe
wscript.exe callfunc.vbs
C:\Windows\system32\shutdown.exe
shutdown -r -t 00
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
memory/2620-0-0x0000000002B00000-0x0000000002B01000-memory.dmp
memory/2488-1-0x0000000002760000-0x0000000002761000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
118s
Max time network
128s
Command Line
Signatures
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\MicrosoftWindowsServicesEtc\NoBreak.xjs | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2860 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe | C:\Windows\system32\wscript.exe |
| PID 2860 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe | C:\Windows\system32\wscript.exe |
| PID 2860 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe | C:\Windows\system32\wscript.exe |
| PID 2860 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5AEC.tmp\5AED.vbs
Network
Files
C:\Users\Admin\AppData\Local\Temp\5AEC.tmp\5AED.vbs
| MD5 | 5f427dc44f33906509423d24fa0590c0 |
| SHA1 | b896f7667381a594d3751e05f258925b81c231c0 |
| SHA256 | 9aae0707b1d5d3b7ed3bf5cc8fbb530aebd195e3e2f18312f3f7f1aa43e031b4 |
| SHA512 | bd28c386772062ef945f24c8ad7a25f158856af36e31d2c9b14674cedfd34b4f48ed531cd40a7eb291384d83665ffe154f0786c1a7ee1616256cf30125120961 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.16.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |
Files
memory/4176-0-0x00000000744E0000-0x0000000074C90000-memory.dmp
memory/4176-1-0x0000000000820000-0x0000000000960000-memory.dmp
memory/4176-2-0x0000000005800000-0x0000000005DA4000-memory.dmp
memory/4176-3-0x0000000005340000-0x00000000053D2000-memory.dmp
memory/4176-4-0x0000000005480000-0x0000000005490000-memory.dmp
memory/4176-5-0x00000000053F0000-0x00000000053FA000-memory.dmp
memory/4176-6-0x0000000005480000-0x0000000005490000-memory.dmp
memory/4176-8-0x00000000744E0000-0x0000000074C90000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\fexec.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\AppKill.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im opera.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im mspaint.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im calc.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessExplorer.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ProcessHacker.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im iexplore.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im notepad.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im yandex.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im browser.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im eset.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im protogent.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im regedit
C:\Windows\system32\taskkill.exe
taskkill /f /im rundll32.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im rundll.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im dllhost.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im superaltf4.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im microsoftedge.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im mrsmjrgui.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im yandex.exe
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1736 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe | C:\Windows\system32\wscript.exe |
| PID 1736 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe | C:\Windows\system32\wscript.exe |
| PID 1736 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe | C:\Windows\system32\wscript.exe |
| PID 1736 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5B1B.tmp\5B1C.vbs
Network
Files
C:\Users\Admin\AppData\Local\Temp\5B1B.tmp\5B1C.vbs
| MD5 | 9192fd494155eab424110765c751559e |
| SHA1 | b54fcc1e29617b3eee1c7bb215c048498881b641 |
| SHA256 | cbd3b0f294e8f11592a3ad80d1070d81746f806a48183b93c345251422ccbf0d |
| SHA512 | b8c48916535f3721e7f47be6af671765c3befefcd407c6ea5fabcf9ada119747408d662f61fb436f98a7c33050b6674da54dddf25e683429204a96555ec6e801 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240215-en
Max time kernel
150s
Max time network
119s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe"
Network
Files
memory/1636-0-0x00000000012E0000-0x0000000001304000-memory.dmp
memory/1636-1-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/1636-2-0x0000000004B90000-0x0000000004BD0000-memory.dmp
memory/1636-3-0x0000000004B90000-0x0000000004BD0000-memory.dmp
memory/1636-4-0x0000000004B90000-0x0000000004BD0000-memory.dmp
memory/1636-5-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-6-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-7-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-8-0x00000000744B0000-0x0000000074B9E000-memory.dmp
memory/1636-10-0x0000000004B90000-0x0000000004BD0000-memory.dmp
memory/1636-9-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-11-0x0000000004B90000-0x0000000004BD0000-memory.dmp
memory/1636-12-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-13-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-14-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-15-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-16-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-17-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-18-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-19-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-20-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-21-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-22-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-23-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-24-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-25-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-26-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-27-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-28-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-29-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-30-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-31-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-32-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-33-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-34-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-35-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-36-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-37-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-38-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-39-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-40-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-41-0x000000000E430000-0x000000000E530000-memory.dmp
memory/1636-42-0x000000000E430000-0x000000000E530000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
129s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-02 23:24
Reported
2024-03-02 23:29
Platform
win7-20240221-en
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe | C:\Windows\system32\wscript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\83D0.tmp\83D1.vbs
Network
Files
C:\Users\Admin\AppData\Local\Temp\83D0.tmp\83D1.vbs
| MD5 | fe44b78a465853c0ac0744c6ab05ea40 |
| SHA1 | f32dacd91b9547fce9a8a2846a4e17c33295aab3 |
| SHA256 | 989d947c51c878bcefecb53d867a3c182c2d67129a87a5f6773eb6ef2bbf9b2e |
| SHA512 | 6b945e16786833c2e2e9867315b8859c413687fc72d4c8576b9c0a1aed2dc65249468317dd49f2ecf777e27c9969b7a7abc72b4d9b7c182dc7999051377515db |