Malware Analysis Report

2024-11-16 12:44

Sample ID 240302-3d17dsag33
Target Individual Components.zip
SHA256 f30ea0f7276100d02319bee64445888af5d784eb12a962ea88f99d2ae4137897
Tags
discovery exploit
score
8/10

Analysis Overview

score
8/10

SHA256

f30ea0f7276100d02319bee64445888af5d784eb12a962ea88f99d2ae4137897

Threat Level: Likely malicious

The file Individual Components.zip was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Checks computer location settings

Modifies file permissions

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:24

Signatures

Unsigned PE


Analysis: behavioral5

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\DgzRun.vbs"

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 1716 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2076 wrote to memory of 1716 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2076 wrote to memory of 1716 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\DgzRun.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

122s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 812 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe C:\Windows\system32\cmd.exe
PID 812 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe C:\Windows\system32\cmd.exe
PID 812 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe C:\Windows\system32\cmd.exe
PID 812 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe C:\Windows\system32\cmd.exe
PID 2608 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 2608 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 2608 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 2608 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 2608 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 2608 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 2608 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 2608 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 2608 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 2608 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 2608 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 2608 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\588C.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"

C:\Windows\System32\takeown.exe

takeown /f taskmgr.exe

C:\Windows\System32\icacls.exe

icacls taskmgr.exe /granted "Admin":F

C:\Windows\System32\takeown.exe

takeown /f sethc.exe

C:\Windows\System32\icacls.exe

icacls sethc.exe /granted "Admin":F

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\1\588C.bat

MD5 fe81c1282a808b7a1d0a27d7cccaa624
SHA1 f6afc7b26ead8cdb51b11d59c6e68e5aab265bfa
SHA256 3e18de7065154144b54a2f7c179c27b3f27c3cda5871f472f452a8cfc3dc6791
SHA512 873e226360edc463dd753aedfec7ec60e0d8efac08652245709862b8bd9e6ae85eb6ea6f05d8d2c0ec1c8e7fc1bddeebc5037efcac1ceb5b1f099b49c0a93045

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240215-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\sethc.exe C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe C:\Windows\system32\cmd.exe
PID 2416 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe C:\Windows\system32\cmd.exe
PID 3044 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 3044 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 3044 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 3044 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 3044 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 3044 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 3044 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 3044 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 3044 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\takeown.exe
PID 3044 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 3044 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe
PID 3044 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\1017.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"

C:\Windows\System32\takeown.exe

takeown /f logonui.exe

C:\Windows\System32\icacls.exe

icacls logonui.exe /granted "Admin":F

C:\Windows\System32\takeown.exe

takeown /f sethc.exe

C:\Windows\System32\icacls.exe

icacls sethc.exe /granted "Admin":F

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\1\1017.bat

MD5 2d6137c014799e13eb4ed488b2fb6f24
SHA1 ba8b8734a2fec8bd5d83fb9f82839be299842f83
SHA256 e8e180570ec4e0aa25663250ace1d1eb45404ef6c25f5680f90391d6e30b7b0e
SHA512 53afcd651e0daca461c20164536a541e0e48be2286bc4952494dc9eec1a23994f11430ce6f3c1dc28b90ba3b8a1d28446bd0d357bbc620243aa9cd6b35506c3c

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\sethc.exe C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\3633.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\WinScrew.exe"

C:\Windows\System32\takeown.exe

takeown /f logonui.exe

C:\Windows\System32\icacls.exe

icacls logonui.exe /granted "Admin":F

C:\Windows\System32\takeown.exe

takeown /f sethc.exe

C:\Windows\System32\icacls.exe

icacls sethc.exe /granted "Admin":F

Network


Files

C:\Users\Admin\AppData\Local\Temp\1\3633.bat

MD5 2d6137c014799e13eb4ed488b2fb6f24
SHA1 ba8b8734a2fec8bd5d83fb9f82839be299842f83
SHA256 e8e180570ec4e0aa25663250ace1d1eb45404ef6c25f5680f90391d6e30b7b0e
SHA512 53afcd651e0daca461c20164536a541e0e48be2286bc4952494dc9eec1a23994f11430ce6f3c1dc28b90ba3b8a1d28446bd0d357bbc620243aa9cd6b35506c3c

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\healgen.vbs"

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 3020 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2028 wrote to memory of 3020 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2028 wrote to memory of 3020 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\healgen.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

123s

Max time network

127s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\healgen.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2840 wrote to memory of 4884 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2840 wrote to memory of 4884 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\healgen.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator

Network


Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

160s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\DgzRun.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 4284 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 1988 wrote to memory of 4284 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\DgzRun.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator

Network


Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4110.tmp\4111.vbs

Network


Files

C:\Users\Admin\AppData\Local\Temp\4110.tmp\4111.vbs

MD5 2609fde7a9604c73be5083e4bcfa0e20
SHA1 068c89f703fb11663143b9927f2a0c9f9f59c0e3
SHA256 17d014cb4abbaced3acce9b6d7a1b595cd6e2dd814e41f06ceddcdc08e93eebe
SHA512 439fee7cc198cb3fef4ef14693141e52c305579a4ff2da0842323f57dcffade03f3b01ac288080fed423511937a4c1e2080f5a79f967a963fe34253f541824cb

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:27

Platform

win10v2004-20240226-en

Max time kernel

37s

Max time network

39s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\checker.bat"

Signatures

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "109" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 392 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 392 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 392 wrote to memory of 3512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 392 wrote to memory of 3512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\checker.bat"

C:\Windows\system32\wscript.exe

wscript.exe callfunc.vbs

C:\Windows\system32\shutdown.exe

shutdown -r -t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39fa855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:30

Platform

win10v2004-20240226-en

Max time kernel

120s

Max time network

206s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe"

Network


Files


Analysis: behavioral27

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

120s

Max time network

133s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\example.vbs"

Signatures

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2544 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2816 wrote to memory of 2544 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 2816 wrote to memory of 2544 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\example.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\fexec.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\fexec.vbs"

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

122s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\eula32.exe"

Network

N/A

Files


Analysis: behavioral26

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MicrosoftWindowsServicesEtc\NoBreak.xjs C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\7AFC.tmp\7AFD.vbs

Network


Files

C:\Users\Admin\AppData\Local\Temp\7AFC.tmp\7AFD.vbs

MD5 5f427dc44f33906509423d24fa0590c0
SHA1 b896f7667381a594d3751e05f258925b81c231c0
SHA256 9aae0707b1d5d3b7ed3bf5cc8fbb530aebd195e3e2f18312f3f7f1aa43e031b4
SHA512 bd28c386772062ef945f24c8ad7a25f158856af36e31d2c9b14674cedfd34b4f48ed531cd40a7eb291384d83665ffe154f0786c1a7ee1616256cf30125120961

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\example.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 2212 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe
PID 3540 wrote to memory of 2212 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\wscript.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\example.vbs"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" "C:\Program Files\MicrosoftWindowsServicesEtc\healgen.vbs" RunAsAdministrator

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 52.111.229.19:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

116s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\CallFunc.vbs"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\CallFunc.vbs"

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\3DC4.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\1\3DC4.bat

MD5 0db153eefb4d51d0f0b699ea1d97b98d
SHA1 abd0cc67716a9a3e6b0838638011d0594d329935
SHA256 f695721ea49576dc9b10b2d3c6ba89e8880b9a330b471e89800d014cb45de210
SHA512 057edee55b797b2349b8f59e89c819ad868d773f7f58a4b1c26aac5bb04f783708127cd18af51f074f838498a3e3d96d143ad285c2cc7e4e4ad5e6973d9a4a10
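
Most rows in the Network tables of this report are reverse lookups (in-addr.arpa names sent to 8.8.8.8) for Microsoft address space, or Bing/Edge and Chrome Web Store endpoints. As a working assumption those come from the Windows 10 image and the sandbox itself rather than from the sample, and the rows worth a second look are the ones with no DNS name at all, such as the NL 52.142.223.178:80 connection above. The script below is an added triage helper, not part of the report or of any tooling the report describes: it parses the flattened "Country Destination Domain Proto" rows (copied here from the behavioral4 table), separates background traffic from candidates for review, and recovers the IP each PTR query was asking about. The noise rules are assumptions about the sandbox image, not findings about the sample.

```python
"""Separate sandbox/OS background traffic from connections worth review in the
flattened Network tables of a detonation report.

Added example, not part of the report. Sample rows are copied from the report's
behavioral4 table; the noise rules are an assumption about the sandbox image.
"""
import re

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[^\s:]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Domains the bare Windows 10 sandbox image contacts on its own (assumption).
IMAGE_NOISE_SUFFIXES = (".bing.com", ".bing.net", ".googleapis.com")


def parse_row(line):
    """Parse one 'Country Destination Domain Proto' row. The Domain column is
    optional because direct-to-IP connections leave it empty."""
    m = ROW.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["port"] = int(row["port"])
    return row


def ptr_to_ip(domain):
    """'67.31.126.40.in-addr.arpa' -> '40.126.31.67' (PTR names reverse the octets)."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(lines):
    """Return (noise, review); each item is (row, reason).

    Noise: PTR lookups and traffic to the image's own telemetry endpoints.
    Review: everything else, in particular direct-to-IP connections that have
    no DNS name, flagged further when they use a plaintext port.
    """
    noise, review = [], []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        domain = row["domain"] or ""
        if row["port"] == 53 and domain.endswith(".in-addr.arpa"):
            noise.append((row, "reverse lookup of " + ptr_to_ip(domain)))
        elif domain.endswith(IMAGE_NOISE_SUFFIXES):
            noise.append((row, "sandbox image telemetry: " + domain))
        elif not domain:
            plaintext = " (plaintext port)" if row["port"] in (80, 8080) else ""
            review.append((row, "direct-to-IP, no DNS name" + plaintext))
        else:
            review.append((row, "unrecognised domain " + domain))
    return noise, review


# Rows copied from the report's behavioral4 Network table.
SAMPLE_ROWS = [
    "US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.200:443 g.bing.com tcp",
    "NL 52.142.223.178:80 tcp",
    "US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp",
]

if __name__ == "__main__":
    noise, review = triage(SAMPLE_ROWS)
    print(f"{len(noise)} rows explained as background, {len(review)} to review:")
    for row, reason in review:
        print(f"  {row['cc']} {row['ip']}:{row['port']} {row['proto']}  {reason}")
```

Run it over any of the Network tables in this report: for behavioral4 it leaves exactly one row to investigate. Treat the suffix list as a starting point; a row that survives triage is a candidate, not a verdict, since a direct-to-IP connection on port 80 can still be Windows Update or CRL traffic.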

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe C:\Windows\system32\wscript.exe
PID 1576 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe C:\Windows\system32\wscript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3C5D.tmp\3C5E.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\3C5D.tmp\3C5E.vbs

MD5 9192fd494155eab424110765c751559e
SHA1 b54fcc1e29617b3eee1c7bb215c048498881b641
SHA256 cbd3b0f294e8f11592a3ad80d1070d81746f806a48183b93c345251422ccbf0d
SHA512 b8c48916535f3721e7f47be6af671765c3befefcd407c6ea5fabcf9ada119747408d662f61fb436f98a7c33050b6674da54dddf25e683429204a96555ec6e801

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

129s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\ABA1.tmp\ABA2.vbs

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\ABA1.tmp\ABA2.vbs

MD5 fe44b78a465853c0ac0744c6ab05ea40
SHA1 f32dacd91b9547fce9a8a2846a4e17c33295aab3
SHA256 989d947c51c878bcefecb53d867a3c182c2d67129a87a5f6773eb6ef2bbf9b2e
SHA512 6b945e16786833c2e2e9867315b8859c413687fc72d4c8576b9c0a1aed2dc65249468317dd49f2ecf777e27c9969b7a7abc72b4d9b7c182dc7999051377515db

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe"

Network

N/A

Files

memory/2084-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp

memory/2084-0-0x0000000000F30000-0x0000000001070000-memory.dmp

memory/2084-2-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2084-3-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\CallFunc.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\CallFunc.vbs"

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\8259.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\majorlist.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\1\8259.bat

MD5 0db153eefb4d51d0f0b699ea1d97b98d
SHA1 abd0cc67716a9a3e6b0838638011d0594d329935
SHA256 f695721ea49576dc9b10b2d3c6ba89e8880b9a330b471e89800d014cb45de210
SHA512 057edee55b797b2349b8f59e89c819ad868d773f7f58a4b1c26aac5bb04f783708127cd18af51f074f838498a3e3d96d143ad285c2cc7e4e4ad5e6973d9a4a10

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240220-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\breakrule.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E82.tmp\E83.vbs

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\E82.tmp\E83.vbs

MD5 2609fde7a9604c73be5083e4bcfa0e20
SHA1 068c89f703fb11663143b9927f2a0c9f9f59c0e3
SHA256 17d014cb4abbaced3acce9b6d7a1b595cd6e2dd814e41f06ceddcdc08e93eebe
SHA512 439fee7cc198cb3fef4ef14693141e52c305579a4ff2da0842323f57dcffade03f3b01ac288080fed423511937a4c1e2080f5a79f967a963fe34253f541824cb

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

159s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\AppKill.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4292 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 3284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 3852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 3852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 1816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 3528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 3528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\AppKill.bat"

C:\Windows\system32\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im opera.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im mspaint.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im calc.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im ProcessExplorer.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im ProcessHacker.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im notepad.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im yandex.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im browser.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im eset.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im protogent.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im regedit

C:\Windows\system32\taskkill.exe

taskkill /f /im rundll32.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im rundll.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im dllhost.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im superaltf4.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im microsoftedge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im mrsmjrgui.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im yandex.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A
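
The AppKill.bat run above is a burst of 22 taskkill /f /im launches from one cmd.exe parent, aimed at browsers, analysis tools (ProcessExplorer.exe, ProcessHacker.exe), an AV process name (eset.exe) and regedit. Two details matter for detection: taskkill.exe enables SeDebugPrivilege itself on every run, so the AdjustPrivilegeToken rows are a by-product of the tool rather than an extra step the batch file took, and taskkill compares /im against the full image name, so the bare "regedit" as captured would not match regedit.exe. The signal worth alerting on is the burst from a single parent. The script below is an added detection example, not part of the report: it runs a sliding-window count of taskkill launches per parent PID over process-creation events constructed here to mirror the behavioral2 process list. The field names ts, parent_pid and cmdline, and the watched-image list, are assumptions.

```python
"""Detect a burst of forced process kills from one parent, as in AppKill.bat.

Added example, not part of the sandbox report. The events are constructed to
mirror the report's process list; field names are an assumed schema.
"""
import re
from collections import defaultdict

# Images whose forced termination suggests defence/analysis evasion. The list
# is an assumption seeded from the names in the report plus common peers.
WATCHED_IMAGES = {
    "processexplorer.exe", "processhacker.exe", "procmon.exe", "procexp.exe",
    "regedit", "regedit.exe", "taskmgr.exe", "eset.exe", "msmpeng.exe",
}

TASKKILL_RE = re.compile(r"(?i)(^|[\\/])taskkill(\.exe)?$")


def parse_taskkill(cmdline):
    """Return the lowercase image names passed with /im (or -im), or None when
    the command line is not a taskkill invocation. Accepts a bare 'taskkill'
    as well as a quoted full path to taskkill.exe."""
    argv = [t.strip('"') for t in cmdline.split()]
    if not argv or not TASKKILL_RE.search(argv[0]):
        return None
    images = set()
    for i, tok in enumerate(argv[:-1]):
        if tok.lower() in ("/im", "-im"):
            images.add(argv[i + 1].lower())
    return images


def detect_kill_bursts(events, threshold=5, window_s=30.0):
    """Group taskkill launches by parent PID and report parents that issued at
    least `threshold` of them inside any `window_s`-second window.

    Each alert carries the parent PID, the total taskkill count, the largest
    count seen in one window, and which watched images were targeted.
    """
    by_parent = defaultdict(list)
    for ev in events:
        images = parse_taskkill(ev["cmdline"])
        if images is not None:
            by_parent[ev["parent_pid"]].append((ev["ts"], images))

    alerts = []
    for ppid, hits in by_parent.items():
        hits.sort(key=lambda h: h[0])
        lo, peak = 0, 0
        for hi in range(len(hits)):          # sliding window over timestamps
            while hits[hi][0] - hits[lo][0] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            targeted = set().union(*(imgs for _, imgs in hits))
            alerts.append({
                "parent_pid": ppid,
                "count": len(hits),
                "max_in_window": peak,
                "watched": sorted(targeted & WATCHED_IMAGES),
            })
    return alerts


def _ev(ts, ppid, cmdline):
    return {"ts": ts, "parent_pid": ppid, "cmdline": cmdline}


# Constructed sample: part of the burst from the report's cmd.exe (PID 4292)
# plus one lone, plausibly legitimate taskkill from a different parent.
SAMPLE_EVENTS = [
    _ev(10.0, 4292, "taskkill /f /im chrome.exe"),
    _ev(10.1, 4292, "taskkill /f /im opera.exe"),
    _ev(10.2, 4292, "taskkill /f /im ProcessExplorer.exe"),
    _ev(10.3, 4292, "taskkill /f /im ProcessHacker.exe"),
    _ev(10.4, 4292, "taskkill /f /im eset.exe"),
    _ev(10.5, 4292, "taskkill /f /im regedit"),
    _ev(10.6, 4292, "taskkill /f /im dllhost.exe"),
    _ev(10.7, 4292, "taskkill /f /im msedge.exe"),
    _ev(300.0, 900, '"C:\\Windows\\system32\\taskkill.exe" /F /IM notepad.exe'),
]

if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately loose; a single taskkill from an administrator's shell never fires, while the report's pattern fires even if only a third of it is captured. Keying additionally on the parent being cmd.exe launched from a user-writable path, as here (a .bat under AppData\Local\Temp), cuts false positives further.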

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"

Signatures

Possible privilege escalation attempt

Tag: exploit
Description Indicator Process Target
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe N/A

Modifies file permissions

Tag: discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A
N/A N/A C:\Windows\System32\takeown.exe N/A
N/A N/A C:\Windows\System32\icacls.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\takeown.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1\1DF3.bat C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\GetReady.exe"

C:\Windows\System32\takeown.exe

takeown /f taskmgr.exe

C:\Windows\System32\icacls.exe

icacls taskmgr.exe /granted "Admin":F

C:\Windows\System32\takeown.exe

takeown /f sethc.exe

C:\Windows\System32\icacls.exe

icacls sethc.exe /granted "Admin":F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\1\1DF3.bat

MD5 fe81c1282a808b7a1d0a27d7cccaa624
SHA1 f6afc7b26ead8cdb51b11d59c6e68e5aab265bfa
SHA256 3e18de7065154144b54a2f7c179c27b3f27c3cda5871f472f452a8cfc3dc6791
SHA512 873e226360edc463dd753aedfec7ec60e0d8efac08652245709862b8bd9e6ae85eb6ea6f05d8d2c0ec1c8e7fc1bddeebc5037efcac1ceb5b1f099b49c0a93045
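
The GetReady.exe tree above is the classic preparation for an accessibility-feature backdoor: take ownership of sethc.exe (and here also taskmgr.exe) with SeTakeOwnershipPrivilege enabled, then hand the user full control via icacls. Two caveats a responder should keep in mind when reading the captured command lines. First, /granted is not an icacls switch (the option is /grant), so as recorded the icacls steps would exit with a usage error while the takeown steps have no such problem. Second, both tools were given bare file names, which resolve against the working directory of the cmd.exe that ran 1DF3.bat; the report does not record that directory, so whether the System32 copies were touched is not established by this page. The script below is an added detection example, not part of the report: it normalises takeown/icacls command lines, matches the target by file name whether given bare or as a full path, and notes the broken switch so the finding is not dismissed as a failed command. The event field names and the protected-binary list are assumptions.

```python
"""Flag takeown/icacls aimed at Windows binaries that are classic tamper or
backdoor targets (the sethc.exe family plus taskmgr.exe).

Added example, not part of the sandbox report. Sample command lines are the
ones the report records plus two constructed benign ones; the event field
names are an assumed schema.
"""
import ntpath
import re

# Accessibility helpers abused for the sticky-keys style backdoor, plus
# taskmgr.exe because the report targets it. Assumption: extend per estate.
PROTECTED = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe",
    "displayswitch.exe", "atbroker.exe", "taskmgr.exe",
}

# icacls options that change who controls the file.
ICACLS_MODIFY = re.compile(
    r"(?i)^/(grant(:r)?|deny|remove(:[gd])?|setowner|reset|inheritance:[red])$"
)


def _argv(cmdline):
    """Whitespace split is enough for these tools; just drop surrounding quotes."""
    return [t.strip('"') for t in cmdline.split()]


def classify(cmdline):
    """Return (tool, target, note) when the command line is takeown/icacls on a
    protected binary, else None. Targets are compared by file name only, so
    'taskmgr.exe' and 'C:\\Windows\\System32\\taskmgr.exe' both match."""
    argv = _argv(cmdline)
    if not argv:
        return None
    tool = ntpath.basename(argv[0]).lower()
    if tool in ("takeown", "takeown.exe"):
        for i, tok in enumerate(argv[:-1]):
            if tok.lower() == "/f":
                target = ntpath.basename(argv[i + 1]).lower()
                if target in PROTECTED:
                    return ("takeown", target, "ownership taken")
        return None
    if tool in ("icacls", "icacls.exe") and len(argv) > 1:
        target = ntpath.basename(argv[1]).lower()
        if target not in PROTECTED:
            return None
        opts = argv[2:]
        if any(ICACLS_MODIFY.match(o) for o in opts):
            return ("icacls", target, "ACL changed")
        if any(o.lower().startswith("/granted") for o in opts):
            return ("icacls", target,
                    "invalid switch /granted (meant /grant): command fails, intent still hostile")
        return ("icacls", target, "icacls on protected binary, no ACL change")
    return None


def scan(events):
    """Run classify over process-creation events and keep the hits, carrying
    the PID so each finding can be tied back to the parent batch file."""
    findings = []
    for ev in events:
        hit = classify(ev["cmdline"])
        if hit:
            findings.append({"pid": ev["pid"], "tool": hit[0],
                             "target": hit[1], "note": hit[2]})
    return findings


# Constructed sample: the four lines from the report's GetReady.exe process
# tree and two benign operations on user data that must not fire.
SAMPLE_EVENTS = [
    {"pid": 101, "cmdline": "takeown /f taskmgr.exe"},
    {"pid": 102, "cmdline": 'icacls taskmgr.exe /granted "Admin":F'},
    {"pid": 103, "cmdline": "takeown /f sethc.exe"},
    {"pid": 104, "cmdline": 'icacls sethc.exe /granted "Admin":F'},
    {"pid": 105, "cmdline": "takeown /f C:\\Users\\Admin\\Desktop\\report.docx"},
    {"pid": 106, "cmdline": "icacls C:\\data\\share /grant Users:R /t"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On a live host the complementary check is to confirm the owner and DACL of the System32 copies of these binaries (TrustedInstaller should own them); a takeown that went through leaves the Administrators group or a user as owner even when the icacls step failed.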

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:26

Platform

win7-20240221-en

Max time kernel

10s

Max time network

19s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\checker.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1936 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1936 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wscript.exe
PID 1936 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 1936 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe
PID 1936 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\shutdown.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\checker.bat"

C:\Windows\system32\wscript.exe

wscript.exe callfunc.vbs

C:\Windows\system32\shutdown.exe

shutdown -r -t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2620-0-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/2488-1-0x0000000002760000-0x0000000002761000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

118s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MicrosoftWindowsServicesEtc\NoBreak.xjs C:\Windows\system32\wscript.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\data\runner32s.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5AEC.tmp\5AED.vbs

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\5AEC.tmp\5AED.vbs

MD5 5f427dc44f33906509423d24fa0590c0
SHA1 b896f7667381a594d3751e05f258925b81c231c0
SHA256 9aae0707b1d5d3b7ed3bf5cc8fbb530aebd195e3e2f18312f3f7f1aa43e031b4
SHA512 bd28c386772062ef945f24c8ad7a25f158856af36e31d2c9b14674cedfd34b4f48ed531cd40a7eb291384d83665ffe154f0786c1a7ee1616256cf30125120961
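
The VBS dropped here (5AED.vbs, MD5 5f427dc4...) has exactly the same hashes as 7AFD.vbs from behavioral26, and the 8259.bat in behavioral3 matches 3DC4.bat in behavioral4: the droppers write the same content under a fresh random hex name in a random .tmp directory on every run. Path-based indicators are therefore useless on their own; the content hash and the path shape are what to hunt on. The script below is an added triage example, not part of the report: it parses the Files blocks of a report (copied here from behavioral26, behavioral25, behavioral4, behavioral3 and a memory-dump-only block), clusters entries seen in more than one detonation by SHA256, and derives a path regex that tolerates the random names. The function names and the path-pattern heuristic are this example's own.

```python
"""Correlate dropped files across detonations by content hash rather than path.

Added example, not part of the report. The Files blocks are copied from the
report, keeping only the MD5/SHA256 lines; the parser accepts all four.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_block(text, analysis):
    """Parse a report 'Files' block into entries {analysis, path, hashes}.
    memory/... dump entries carry no hashes and are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "N/A":
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2).lower()
        elif line.lower().startswith("memory/"):
            current = None
        else:
            current = {"analysis": analysis, "path": line, "hashes": {}}
            entries.append(current)
    return [e for e in entries if "SHA256" in e["hashes"]]


def path_pattern(path):
    """Turn a concrete drop path into a regex that tolerates the random hex
    names the droppers use for the temp directory and script (7AFC.tmp\\7AFD.vbs)."""
    escaped = re.escape(path)
    return re.sub(r"[0-9A-F]{1,4}(?=\\\.(?:tmp|vbs|bat)\b)", "[0-9A-F]{1,4}", escaped)


def matches(pattern, path):
    return re.fullmatch(pattern, path) is not None


def clusters_by_sha256(entries):
    """Group entries seen in more than one detonation by SHA256. Returns
    {sha256: {"paths": [...], "analyses": [...], "pattern": regex}}."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["hashes"]["SHA256"]].append(e)
    out = {}
    for sha, es in groups.items():
        analyses = sorted({e["analysis"] for e in es})
        if len(analyses) < 2:
            continue
        out[sha] = {
            "paths": sorted({e["path"] for e in es}),
            "analyses": analyses,
            "pattern": path_pattern(es[0]["path"]),
        }
    return out


# Files blocks copied from the report (MD5/SHA256 lines only).
REPORT_FILES = {
    "behavioral26": """
C:\\Users\\Admin\\AppData\\Local\\Temp\\7AFC.tmp\\7AFD.vbs

MD5 5f427dc44f33906509423d24fa0590c0
SHA256 9aae0707b1d5d3b7ed3bf5cc8fbb530aebd195e3e2f18312f3f7f1aa43e031b4
""",
    "behavioral25": """
C:\\Users\\Admin\\AppData\\Local\\Temp\\5AEC.tmp\\5AED.vbs

MD5 5f427dc44f33906509423d24fa0590c0
SHA256 9aae0707b1d5d3b7ed3bf5cc8fbb530aebd195e3e2f18312f3f7f1aa43e031b4
""",
    "behavioral4": """
C:\\Users\\Admin\\AppData\\Local\\Temp\\1\\3DC4.bat

SHA256 f695721ea49576dc9b10b2d3c6ba89e8880b9a330b471e89800d014cb45de210
""",
    "behavioral3": """
C:\\Users\\Admin\\AppData\\Local\\Temp\\1\\8259.bat

SHA256 f695721ea49576dc9b10b2d3c6ba89e8880b9a330b471e89800d014cb45de210
""",
    "behavioral19": """
memory/2084-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp
""",
}


def correlate(report_files=REPORT_FILES):
    entries = []
    for analysis, text in report_files.items():
        entries.extend(parse_files_block(text, analysis))
    return clusters_by_sha256(entries)


if __name__ == "__main__":
    for sha, info in correlate().items():
        print(sha, info["analyses"])
        print("  pattern:", info["pattern"])
```

The derived pattern for the VBS cluster matches both 7AFC.tmp\7AFD.vbs and 5AEC.tmp\5AED.vbs, so a hunt can pair "wscript.exe launched with a script under Temp\<hex>.tmp\<hex>.vbs" with the SHA256 of the script instead of any one file name.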

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\bsod.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.16.234:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp

Files

memory/4176-0-0x00000000744E0000-0x0000000074C90000-memory.dmp

memory/4176-1-0x0000000000820000-0x0000000000960000-memory.dmp

memory/4176-2-0x0000000005800000-0x0000000005DA4000-memory.dmp

memory/4176-3-0x0000000005340000-0x00000000053D2000-memory.dmp

memory/4176-4-0x0000000005480000-0x0000000005490000-memory.dmp

memory/4176-5-0x00000000053F0000-0x00000000053FA000-memory.dmp

memory/4176-6-0x0000000005480000-0x0000000005490000-memory.dmp

memory/4176-8-0x00000000744E0000-0x0000000074C90000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\fexec.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\fexec.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\AppKill.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 2104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2128 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\AppKill.bat"

C:\Windows\system32\taskkill.exe

taskkill /f /im chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im opera.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im mspaint.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im calc.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im ProcessExplorer.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im ProcessHacker.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im iexplore.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im notepad.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im yandex.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im browser.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im eset.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im protogent.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im regedit

C:\Windows\system32\taskkill.exe

taskkill /f /im rundll32.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im rundll.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im dllhost.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im superaltf4.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im microsoftedge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im mrsmjrgui.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im yandex.exe
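
Reading the signature tables and the process list of this run together: the SeDebugPrivilege rows are one per taskkill.exe instance (taskkill enables that privilege in its own token when run from an elevated context, which is how it can open other processes for termination), and the cmd.exe to taskkill.exe WriteProcessMemory rows, three per child PID, are the parent writing start-up parameters into processes it has just created, the normal CreateProcess sequence rather than injection. The substantive finding is AppKill.bat itself: one batch file under %TEMP% force-killing browsers, ProcessExplorer.exe, ProcessHacker.exe, regedit and an ESET image in sequence, which is mass termination combined with impairing analysis and security tools (MITRE ATT&CK T1562.001). Note that "taskkill /f /im regedit" without the .exe suffix cannot match an image name and terminates nothing; it still documents intent. The following Python is an added detection example, not part of the report or of the sample. It runs over constructed process-creation records (a cut-down Sysmon Event ID 1 shape, an assumption) built from the PIDs and command lines above, pairing taskkill PIDs with targets in order of appearance (also an assumption), plus an invented benign explorer.exe record, and groups forced taskkill spawns by parent to raise one finding per offending parent.

```python
"""Flag batch-driven mass process termination in process-creation telemetry.

Added example modelled on the AppKill.bat run above. Each record is a cut-down
Sysmon Event ID 1: image, command line, pid, and the parent's image, command
line and pid. The taskkill PIDs are paired with targets in order of appearance
in the report (an assumption); the explorer.exe record is an invented control.
"""
import re
from collections import defaultdict

# Forced termination of these is a defence-evasion indicator on its own
# (MITRE T1562.001). Compared without extension so a bare "regedit" matches too.
SECURITY_TOOLS = {
    "processhacker", "processexplorer", "procexp", "procexp64", "procmon",
    "regedit", "taskmgr", "eset", "x64dbg", "ollydbg", "wireshark", "fiddler",
}
MASS_KILL_THRESHOLD = 5   # forced taskkill children from one parent

_IM_RE = re.compile(r'/im\s+"?([^\s"]+)"?', re.IGNORECASE)
_FORCE_RE = re.compile(r"(^|\s)/f(\s|$)", re.IGNORECASE)
_TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\.*\.bat\b", re.IGNORECASE)


def taskkill_target(cmdline):
    """Return the image name given to taskkill /im, or None (e.g. for /pid)."""
    m = _IM_RE.search(cmdline)
    return m.group(1) if m else None


def _base(name):
    return re.sub(r"\.exe$", "", name.lower())


def analyse(events):
    """Group forced taskkill spawns by parent PID; one finding per parent."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev["image"].lower().endswith("\\taskkill.exe") and _FORCE_RE.search(ev["cmdline"]):
            target = taskkill_target(ev["cmdline"])
            if target:
                by_parent[ev["ppid"]].append((ev, target))

    findings = []
    for ppid, kills in by_parent.items():
        parent_cmdline = kills[0][0]["parent_cmdline"]
        targets = [t for _, t in kills]
        tools = sorted({t for t in targets if _base(t) in SECURITY_TOOLS})
        # taskkill /IM matches the full image name (regedit.exe), so a bare
        # "regedit" kills nothing; it is still evidence of intent, so report it.
        unmatchable = sorted({t for t in targets if "." not in t})
        reasons = []
        if len(kills) >= MASS_KILL_THRESHOLD:
            reasons.append("mass_kill:%d" % len(kills))
        if tools:
            reasons.append("security_tools:" + ",".join(tools))
        if _TEMP_BAT_RE.search(parent_cmdline):
            reasons.append("temp_batch_parent")
        if reasons:
            findings.append({"ppid": ppid, "parent_cmdline": parent_cmdline,
                             "kills": len(kills), "reasons": reasons,
                             "unmatchable": unmatchable})
    return findings


# Constructed input: values copied from the report, wrapped in the record shape.
CMD = r"C:\Windows\system32\cmd.exe"
BAT = r'cmd /c "C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\AppKill.bat"'
TASKKILL = r"C:\Windows\system32\taskkill.exe"


def _event(pid, ppid, image, cmdline, parent_image, parent_cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline,
            "parent_image": parent_image, "parent_cmdline": parent_cmdline}


_KILLS = [(2776, "chrome.exe"), (2644, "opera.exe"), (1180, "mspaint.exe"),
          (800, "calc.exe"), (2528, "firefox.exe"), (2652, "ProcessExplorer.exe"),
          (2392, "ProcessHacker.exe"), (2412, "iexplore.exe"), (2868, "notepad.exe"),
          (2884, "yandex.exe"), (1072, "browser.exe"), (2588, "eset.exe"),
          (2568, "protogent.exe"), (2604, "regedit")]

SAMPLE_EVENTS = [_event(pid, 2128, TASKKILL, "taskkill /f /im " + t, CMD, BAT)
                 for pid, t in _KILLS] + [
    # Invented benign control: a user killing one hung notepad from the shell.
    _event(1001, 1000, TASKKILL, "taskkill /f /im notepad.exe",
           r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["ppid"], f["kills"], f["reasons"], f["unmatchable"])
```

The threshold and the tool list are tuning knobs; a single forced taskkill from an interactive shell is routine administration and yields no finding, while the batch parent trips all three reasons at once.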

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\Major.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5B1B.tmp\5B1C.vbs

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\5B1B.tmp\5B1C.vbs

MD5 9192fd494155eab424110765c751559e
SHA1 b54fcc1e29617b3eee1c7bb215c048498881b641
SHA256 cbd3b0f294e8f11592a3ad80d1070d81746f806a48183b93c345251422ccbf0d
SHA512 b8c48916535f3721e7f47be6af671765c3befefcd407c6ea5fabcf9ada119747408d662f61fb436f98a7c33050b6674da54dddf25e683429204a96555ec6e801

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240215-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe"

Network

N/A

Files

memory/1636-0-0x00000000012E0000-0x0000000001304000-memory.dmp

memory/1636-1-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/1636-2-0x0000000004B90000-0x0000000004BD0000-memory.dmp

memory/1636-3-0x0000000004B90000-0x0000000004BD0000-memory.dmp

memory/1636-4-0x0000000004B90000-0x0000000004BD0000-memory.dmp

memory/1636-5-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-6-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-7-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-8-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/1636-10-0x0000000004B90000-0x0000000004BD0000-memory.dmp

memory/1636-9-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-11-0x0000000004B90000-0x0000000004BD0000-memory.dmp

memory/1636-12-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-13-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-14-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-15-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-16-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-17-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-18-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-19-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-20-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-21-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-22-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-23-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-24-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-25-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-26-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-27-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-28-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-29-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-30-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-31-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-32-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-33-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-34-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-35-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-36-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-37-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-38-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-39-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-40-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-41-0x000000000E430000-0x000000000E530000-memory.dmp

memory/1636-42-0x000000000E430000-0x000000000E530000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\NotMuch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
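
Every row in this Network table is a reverse (PTR) query to 8.8.8.8 for an in-addr.arpa name, and the Signatures section of the run is N/A: no forward name resolution and no outbound connection is attributed to NotMuch.exe here. Decoding the names gives addresses such as 20.190.160.22 and 13.85.23.86, in ranges that Windows 10 sandbox images contact in the background; whether the sample or the operating system triggered the lookups cannot be decided from this table alone, so treat the addresses as context rather than as indicators. The following Python is an added example, not part of the report; it takes the ten rows above as constructed input and turns the PTR names back into addresses, rejecting zone-level names that do not identify a single host.

```python
"""Turn the in-addr.arpa rows of the Network table back into IPv4 addresses.

Added example, not part of the report. The rows below are copied verbatim
from the behavioral12 Network table and used as constructed input.
"""
import ipaddress

NETWORK_ROWS = """\
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Return the IPv4 address an in-addr.arpa name points at, or None.

    PTR names carry the octets in reverse order. Names with fewer than four
    labels are reverse zones, not hosts, so they are rejected rather than
    padded.
    """
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify_queries(rows):
    """Split table rows into decoded reverse lookups and forward lookups."""
    reverse, forward = [], []
    for line in rows.strip().splitlines():
        _country, dest, name, proto = line.split()
        ip = ptr_to_ip(name)
        if ip:
            reverse.append({"resolver": dest, "proto": proto, "ip": ip})
        else:
            forward.append({"resolver": dest, "proto": proto, "name": name})
    return {"reverse": reverse, "forward": forward}


def summary(rows):
    """Counts of reverse vs forward queries, plus reverse targets per /8."""
    res = classify_queries(rows)
    by_prefix = {}
    for q in res["reverse"]:
        key = q["ip"].split(".")[0] + ".0.0.0/8"
        by_prefix[key] = by_prefix.get(key, 0) + 1
    return {"reverse": len(res["reverse"]), "forward": len(res["forward"]),
            "by_first_octet": by_prefix}


if __name__ == "__main__":
    print(summary(NETWORK_ROWS))
```

A run with forward lookups (a hostname that is not under in-addr.arpa) lands in the "forward" list untouched, which is the list worth pivoting on when it is non-empty; here it is empty.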

Files

memory/1396-0-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1396-1-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1396-2-0x0000000005310000-0x00000000058B4000-memory.dmp

memory/1396-3-0x0000000004E40000-0x0000000004ED2000-memory.dmp

memory/1396-4-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-5-0x0000000004E30000-0x0000000004E3A000-memory.dmp

memory/1396-6-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-7-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-8-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-9-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-10-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1396-11-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-12-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-13-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-14-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-15-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-16-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-17-0x0000000028E30000-0x0000000028F30000-memory.dmp

memory/1396-18-0x00000000050B0000-0x00000000050C0000-memory.dmp

memory/1396-19-0x0000000028E30000-0x0000000028F30000-memory.dmp

memory/1396-20-0x0000000028E30000-0x0000000028F30000-memory.dmp

memory/1396-21-0x0000000028E30000-0x0000000028F30000-memory.dmp

memory/1396-22-0x0000000028E30000-0x0000000028F30000-memory.dmp

memory/1396-23-0x0000000028E30000-0x0000000028F30000-memory.dmp

memory/1396-24-0x0000000028E30000-0x0000000028F30000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-02 23:24

Reported

2024-03-02 23:29

Platform

win7-20240221-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftWindowsServicesEtc\RuntimeChecker.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\83D0.tmp\83D1.vbs

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\83D0.tmp\83D1.vbs

MD5 fe44b78a465853c0ac0744c6ab05ea40
SHA1 f32dacd91b9547fce9a8a2846a4e17c33295aab3
SHA256 989d947c51c878bcefecb53d867a3c182c2d67129a87a5f6773eb6ef2bbf9b2e
SHA512 6b945e16786833c2e2e9867315b8859c413687fc72d4c8576b9c0a1aed2dc65249468317dd49f2ecf777e27c9969b7a7abc72b4d9b7c182dc7999051377515db
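
The wscript.exe launches in behavioral9 and behavioral13 share one shape. The script host is reached through C:\Windows\sysnative\, the WoW64 alias that exists only for a 32-bit process on 64-bit Windows, so Major.exe and RuntimeChecker.exe are 32-bit images handing off to the 64-bit script host. The script sits in %TEMP%\<hex>.tmp\<hex>.vbs, and the directory and file names are consecutive values (5B1B then 5B1C, 83D0 then 83D1), which is what two successive GetTempFileName-style allocations produce; that is an inference from the names, not something the report states. The report records only the hashes of the two .vbs files, not their content, so nothing here claims what they do. The following Python is an added example, not part of the report or of the sample. It takes the two command lines above as constructed input plus an invented non-matching control, maps the sysnative alias to the real System32 path so that a WoW64 launch matches the same rule as a native one, and fingerprints the temp-script path shape.

```python
"""Normalise and fingerprint the wscript.exe launches seen in behavioral9/13.

Added example, not part of the report. The first two command lines are copied
from the report; the third is an invented control that must not match.
"""
import re

_SYSNATIVE_RE = re.compile(r"^(?P<root>[A-Za-z]:\\Windows)\\sysnative\\", re.IGNORECASE)
_TEMP_SCRIPT_RE = re.compile(
    r"\\AppData\\Local\\Temp\\(?P<dir>[0-9A-F]{1,4})\.tmp\\"
    r"(?P<file>[0-9A-F]{1,4})\.(?P<ext>vbs|vbe|js|jse|wsf)$",
    re.IGNORECASE)


def split_cmdline(cmdline):
    """Split a Windows command line into tokens, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalise_sysnative(path):
    """Map the WoW64 'sysnative' alias to the real System32 path.

    Returns (real_path, via_wow64). The alias is only visible to 32-bit
    processes on 64-bit Windows, so via_wow64=True implies a 32-bit parent.
    """
    m = _SYSNATIVE_RE.match(path)
    if not m:
        return path, False
    return m.group("root") + "\\System32\\" + path[m.end():], True


def temp_script_shape(path):
    """Recognise %TEMP%\\<hex>.tmp\\<hex>.<script> and test name adjacency."""
    m = _TEMP_SCRIPT_RE.search(path)
    if not m:
        return None
    d, f = int(m.group("dir"), 16), int(m.group("file"), 16)
    return {"dir": m.group("dir"), "file": m.group("file"),
            "ext": m.group("ext").lower(), "consecutive": f == d + 1}


def classify_launch(cmdline):
    """Return a fingerprint for a script-host launch of a temp script, else None."""
    argv = split_cmdline(cmdline)
    if not argv:
        return None
    host, via_wow64 = normalise_sysnative(argv[0])
    if not host.lower().endswith(("\\wscript.exe", "\\cscript.exe")):
        return None
    for arg in argv[1:]:
        shape = temp_script_shape(arg)
        if shape:
            return {"host": host, "via_wow64": via_wow64, "script": arg, **shape}
    return None


SAMPLES = [
    r'"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\5B1B.tmp\5B1C.vbs',
    r'"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\83D0.tmp\83D1.vbs',
    # Invented control: a logon script run by the native 64-bit host.
    r'"C:\Windows\System32\wscript.exe" //B C:\Scripts\logon.vbs',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify_launch(s))
```

Normalising the host path first matters for rule writing: a rule keyed on "C:\Windows\System32\wscript.exe" alone silently misses the sysnative spelling, and a rule keyed on sysnative alone misses the same dropper built as a 64-bit binary.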