366373109445178df10e219c3d58ea40b435c3cc20f80be7398d199aee01f62b

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 14:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NightMare.exe
Size

42KB
MD5

4c5dfe827dd3465bb97016996936fe38
SHA1

010b868fe1a9e637912226a1eda1b73d901347dd
SHA256

366373109445178df10e219c3d58ea40b435c3cc20f80be7398d199aee01f62b
SHA512

e0692e425b7c702d297c88f0495c3bdae53eb566c3128f334d0e87e90a7047c433633f918ab6163a025a488111bcb2f199df0852b338fdc00e524897a2a7d82e
SSDEEP

768:73oACIqXSoiSnWsHorfhH7HjVq9HTtYcFA/Vc6K:7TCxNn/orfhbDVqRD8Vcl

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NightMare.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NightMare.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 17 IoCs

exploit

pid	Process
2600	takeown.exe
3004	icacls.exe
3696	takeown.exe
3808	takeown.exe
816	takeown.exe
3664	takeown.exe
2988	takeown.exe
2336	takeown.exe
3612	takeown.exe
3000	takeown.exe
3656	takeown.exe
884	takeown.exe
2836	takeown.exe
2864	takeown.exe
3340	takeown.exe
2672	takeown.exe
1360	takeown.exe

Modifies file permissions 1 TTPs 17 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2600	takeown.exe
884	takeown.exe
3808	takeown.exe
816	takeown.exe
3664	takeown.exe
3612	takeown.exe
3000	takeown.exe
2988	takeown.exe
3340	takeown.exe
2864	takeown.exe
3696	takeown.exe
1360	takeown.exe
3656	takeown.exe
2836	takeown.exe
2336	takeown.exe
2672	takeown.exe
3004	icacls.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\	NightMare.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NightMare.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NightMare.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5451).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7872).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3343).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5524).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5658).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6015).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7206).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7284).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(877).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7213).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7239).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8783).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(932).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2996).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8153).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8223).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9927).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1783).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2062).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9457).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(125).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3332).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6660).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6713).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7467).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8959).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(729).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1842).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2829).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8457).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(520).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2782).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4838).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5244).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5622).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6320).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7221).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8374).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3097).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4867).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6301).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7431).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2096).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5393).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5924).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(7945).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9913).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2823).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(4899).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6281).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(493).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(636).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1038).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(1663).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2164).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(2705).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(3308).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(5776).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6683).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(6974).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(8881).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9603).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(9747).txt	NightMare.exe
File created	C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(962).txt	NightMare.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1992	taskkill.exe
2396	taskkill.exe
2508	taskkill.exe

Modifies Control Panel 14 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\SizeAll = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\SizeNESW = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\SizeNWSE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\Hand = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\SizeWE = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\UpArrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\Wait = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\ = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\Help = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\No = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\SizeNS = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Cursors\NWPen = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"	NightMare.exe

Modifies File Icons 3 IoCs

ransomware

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\4	NightMare.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\3	NightMare.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\	NightMare.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\	NightMare.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon	NightMare.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\	NightMare.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon	NightMare.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\	NightMare.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\	NightMare.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htlm	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\	NightMare.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon	NightMare.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\	NightMare.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node	NightMare.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\	NightMare.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon	NightMare.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\	NightMare.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2616	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3000	takeown.exe
Token: SeTakeOwnershipPrivilege	2600	takeown.exe
Token: SeDebugPrivilege	2272	NightMare.exe
Token: SeDebugPrivilege	2272	NightMare.exe
Token: SeTakeOwnershipPrivilege	3696	takeown.exe
Token: SeTakeOwnershipPrivilege	2988	takeown.exe
Token: SeTakeOwnershipPrivilege	3656	takeown.exe
Token: SeTakeOwnershipPrivilege	884	takeown.exe
Token: SeTakeOwnershipPrivilege	3808	takeown.exe
Token: SeTakeOwnershipPrivilege	816	takeown.exe
Token: SeTakeOwnershipPrivilege	2836	takeown.exe
Token: SeTakeOwnershipPrivilege	3340	takeown.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	2272	NightMare.exe
Token: SeTakeOwnershipPrivilege	3664	takeown.exe
Token: SeDebugPrivilege	2272	NightMare.exe
Token: SeTakeOwnershipPrivilege	2336	takeown.exe
Token: SeDebugPrivilege	2272	NightMare.exe
Token: SeTakeOwnershipPrivilege	2672	takeown.exe
Token: SeDebugPrivilege	2272	NightMare.exe
Token: SeTakeOwnershipPrivilege	2864	takeown.exe
Token: SeDebugPrivilege	2272	NightMare.exe
Token: SeTakeOwnershipPrivilege	3612	takeown.exe
Token: SeDebugPrivilege	2272	NightMare.exe
Token: SeTakeOwnershipPrivilege	1360	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2780	2272	NightMare.exe	30
PID 2272 wrote to memory of 2780	2272	NightMare.exe	30
PID 2272 wrote to memory of 2780	2272	NightMare.exe	30
PID 2272 wrote to memory of 2780	2272	NightMare.exe	30
PID 2272 wrote to memory of 2804	2272	NightMare.exe	31
PID 2272 wrote to memory of 2804	2272	NightMare.exe	31
PID 2272 wrote to memory of 2804	2272	NightMare.exe	31
PID 2272 wrote to memory of 2804	2272	NightMare.exe	31
PID 2272 wrote to memory of 2712	2272	NightMare.exe	33
PID 2272 wrote to memory of 2712	2272	NightMare.exe	33
PID 2272 wrote to memory of 2712	2272	NightMare.exe	33
PID 2272 wrote to memory of 2712	2272	NightMare.exe	33
PID 2272 wrote to memory of 2688	2272	NightMare.exe	35
PID 2272 wrote to memory of 2688	2272	NightMare.exe	35
PID 2272 wrote to memory of 2688	2272	NightMare.exe	35
PID 2272 wrote to memory of 2688	2272	NightMare.exe	35
PID 2272 wrote to memory of 2808	2272	NightMare.exe	37
PID 2272 wrote to memory of 2808	2272	NightMare.exe	37
PID 2272 wrote to memory of 2808	2272	NightMare.exe	37
PID 2272 wrote to memory of 2808	2272	NightMare.exe	37
PID 2272 wrote to memory of 2716	2272	NightMare.exe	39
PID 2272 wrote to memory of 2716	2272	NightMare.exe	39
PID 2272 wrote to memory of 2716	2272	NightMare.exe	39
PID 2272 wrote to memory of 2716	2272	NightMare.exe	39
PID 2272 wrote to memory of 2656	2272	NightMare.exe	41
PID 2272 wrote to memory of 2656	2272	NightMare.exe	41
PID 2272 wrote to memory of 2656	2272	NightMare.exe	41
PID 2272 wrote to memory of 2656	2272	NightMare.exe	41
PID 2780 wrote to memory of 1700	2780	cmd.exe	44
PID 2780 wrote to memory of 1700	2780	cmd.exe	44
PID 2780 wrote to memory of 1700	2780	cmd.exe	44
PID 2780 wrote to memory of 1700	2780	cmd.exe	44
PID 1700 wrote to memory of 2608	1700	net.exe	45
PID 1700 wrote to memory of 2608	1700	net.exe	45
PID 1700 wrote to memory of 2608	1700	net.exe	45
PID 1700 wrote to memory of 2608	1700	net.exe	45
PID 2804 wrote to memory of 2544	2804	cmd.exe	46
PID 2804 wrote to memory of 2544	2804	cmd.exe	46
PID 2804 wrote to memory of 2544	2804	cmd.exe	46
PID 2804 wrote to memory of 2544	2804	cmd.exe	46
PID 2688 wrote to memory of 2616	2688	cmd.exe	47
PID 2688 wrote to memory of 2616	2688	cmd.exe	47
PID 2688 wrote to memory of 2616	2688	cmd.exe	47
PID 2688 wrote to memory of 2616	2688	cmd.exe	47
PID 2712 wrote to memory of 2628	2712	cmd.exe	48
PID 2712 wrote to memory of 2628	2712	cmd.exe	48
PID 2712 wrote to memory of 2628	2712	cmd.exe	48
PID 2712 wrote to memory of 2628	2712	cmd.exe	48
PID 2808 wrote to memory of 3000	2808	cmd.exe	49
PID 2808 wrote to memory of 3000	2808	cmd.exe	49
PID 2808 wrote to memory of 3000	2808	cmd.exe	49
PID 2808 wrote to memory of 3000	2808	cmd.exe	49
PID 2716 wrote to memory of 1596	2716	cmd.exe	50
PID 2716 wrote to memory of 1596	2716	cmd.exe	50
PID 2716 wrote to memory of 1596	2716	cmd.exe	50
PID 2716 wrote to memory of 1596	2716	cmd.exe	50
PID 2656 wrote to memory of 2600	2656	cmd.exe	51
PID 2656 wrote to memory of 2600	2656	cmd.exe	51
PID 2656 wrote to memory of 2600	2656	cmd.exe	51
PID 2656 wrote to memory of 2600	2656	cmd.exe	51
PID 2656 wrote to memory of 3004	2656	cmd.exe	52
PID 2656 wrote to memory of 3004	2656	cmd.exe	52
PID 2656 wrote to memory of 3004	2656	cmd.exe	52
PID 2656 wrote to memory of 3004	2656	cmd.exe	52

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NightMare.exe

C:\Users\Admin\AppData\Local\Temp\NightMare.exe
"C:\Users\Admin\AppData\Local\Temp\NightMare.exe"
1⤵
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies Control Panel
- Modifies File Icons
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\net.exe
    net user Admin /delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /delete
      4⤵
      PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKCR
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k reg delete HKU && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKU
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM
    3⤵
    - Modifies registry key
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\ReAgentc.exe
    reagentc.exe /disable
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\System32 /grant Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
  2⤵
  PID:2656
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\system32\taskmgr.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\system32\LogonUI.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI\BCD
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause
  2⤵
  PID:3592
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\system32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\servicing\TrustedInstaller.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\System32\WUDFHost.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3340
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM dwm.exe.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM TrustedInstaller.exe.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
  2⤵
  PID:3292
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
  2⤵
  PID:3372
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F C:\Windows\Boot\DVD\EFI
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

Filesize
662B

MD5
21ad42bd4156f914d3a265823a1c269c

SHA1
4129bc994a0947b38e3bac2aeabc8e2fbdbd503f

SHA256
680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2

SHA512
7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a

Download Submit
memory/2272-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2272-1-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/2272-2-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2272-10783-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2272-15284-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads