e076e29b2797c152a5822bc07d5b547131ce88cd00c574c83f1b9a016fb2eddc

General

Target

Install windows 10 @KYROK638_ARSLANAILLAITI.exe
Size

8.1MB
MD5

20688ba84b5e8d5e24feaf02731146ea
SHA1

c2ab2d6c3ffda5464aadd5e42a9383b6eb75d30b
SHA256

e076e29b2797c152a5822bc07d5b547131ce88cd00c574c83f1b9a016fb2eddc
SHA512

e31f5e0aba8aa9032fa10a4a0dbfc42251cb771b5c17ae8c5e402a71a886b93d8a693168081df7b3893d992861b491bd7ee14723cccc365ce9d056aa36f3a7fa
SSDEEP

196608:yzA8aAkHlqLQnlYqXcRN6ElSOy4yAm6lXggDQKsCx/F+QeN:pakH/nlY5DTlSCyd6lbwQ+

Score

7^/10

discovery

Malware Config

Signatures

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1804	takeown.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\logonui.exe	cmd.exe
File opened for modification	C:\Windows\system32\winlogon.exe	cmd.exe
File created	C:\Windows\system32\winlogon.exe	cmd.exe
File opened for modification	C:\Windows\system32\userinit.exe	cmd.exe
File created	C:\Windows\system32\userinit.exe	cmd.exe
File opened for modification	C:\Windows\system32\logonui.exe	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\explorer.exe	cmd.exe
File created	C:\Windows\explorer.exe	cmd.exe
File created	C:\Windows\winlogon.exe	cmd.exe
File opened for modification	C:\Windows\winlogon.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install windows 10 @KYROK638_ARSLANAILLAITI.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
824	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1572	taskkill.exe
5044	taskkill.exe
4296	taskkill.exe
4664	taskkill.exe
932	taskkill.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	4664	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 4420	3308	Install windows 10 @KYROK638_ARSLANAILLAITI.exe	73
PID 3308 wrote to memory of 4420	3308	Install windows 10 @KYROK638_ARSLANAILLAITI.exe	73
PID 4420 wrote to memory of 1572	4420	cmd.exe	76
PID 4420 wrote to memory of 1572	4420	cmd.exe	76
PID 4420 wrote to memory of 5044	4420	cmd.exe	78
PID 4420 wrote to memory of 5044	4420	cmd.exe	78
PID 4420 wrote to memory of 4296	4420	cmd.exe	79
PID 4420 wrote to memory of 4296	4420	cmd.exe	79
PID 4420 wrote to memory of 1804	4420	cmd.exe	80
PID 4420 wrote to memory of 1804	4420	cmd.exe	80
PID 4420 wrote to memory of 4664	4420	cmd.exe	81
PID 4420 wrote to memory of 4664	4420	cmd.exe	81
PID 4420 wrote to memory of 4316	4420	cmd.exe	82
PID 4420 wrote to memory of 4316	4420	cmd.exe	82
PID 4420 wrote to memory of 824	4420	cmd.exe	83
PID 4420 wrote to memory of 824	4420	cmd.exe	83
PID 4420 wrote to memory of 932	4420	cmd.exe	84
PID 4420 wrote to memory of 932	4420	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\Install windows 10 @KYROK638_ARSLANAILLAITI.exe
"C:\Users\Admin\AppData\Local\Temp\Install windows 10 @KYROK638_ARSLANAILLAITI.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8378.tmp\8379.tmp\837A.bat "C:\Users\Admin\AppData\Local\Temp\Install windows 10 @KYROK638_ARSLANAILLAITI.exe""
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im userinit.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im logonui.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- - C:\Windows\system32\takeown.exe
    takeown C:\Windows\system32\logonui.exe
    3⤵
    - Modifies file permissions
    PID:1804
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im winlogon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
- - C:\Windows\system32\msg.exe
    msg * Please save all your data and pause your downloads... Windows will be rebooting in 20 seconds.
    3⤵
    PID:4316
- - C:\Windows\system32\timeout.exe
    timeout 20
    3⤵
    - Delays execution with timeout.exe
    PID:824
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im wininit.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8378.tmp\8379.tmp\837A.bat

Filesize
698B

MD5
5260ec6b408c120efe391c44dd1d1fbb

SHA1
792bcb2d6b88fbe2df174d6a18dea6d1a6666efa

SHA256
8f3d4a21d93515e7aee51e2b5977f2c92208a81f9abf307540fff6a07831fedd

SHA512
8d65f5b15f7b560c86752357759c5ba43d9889fe7f64bb8254d07f6fcdcbc15e4d1d7b628e9664e0ee3c2ed831125d11c80099af740679489e94b2077a67037c

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe

Filesize
18.6MB

MD5
aa2ad37bb74c05a49417e3d2f1bd89ce

SHA1
1bf5f814ffe801b4e6f118e829c0d2821d78a60a

SHA256
690c8a63769d444fad47b7ddecee7f24c9333aa735d0bd46587d0df5cf15cde5

SHA512
fab34ccbefbcdcec8f823840c16ae564812d0e063319c4eb4cc1112cf775b8764fea59d0bbafd4774d84b56e08c24056fa96f27425c4060e12eb547c2ae086cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads