9730e03ca9d052875895b4ad7ba7914f69009fd5fb58d324ee35d3e45f90d768

General

Target

iis_agent32.exe
Sample

191030-4jjvvmbgys
SHA256

9730e03ca9d052875895b4ad7ba7914f69009fd5fb58d324ee35d3e45f90d768

Score

N/A

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

iis_agent32.exevssvc.exeWMIC.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1380	iis_agent32.exe
Token: SeBackupPrivilege	1140	vssvc.exe
Token: SeRestorePrivilege	1140	vssvc.exe
Token: SeAuditPrivilege	1140	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1924	WMIC.exe
Token: SeSecurityPrivilege	1924	WMIC.exe
Token: SeTakeOwnershipPrivilege	1924	WMIC.exe
Token: SeLoadDriverPrivilege	1924	WMIC.exe
Token: SeSystemProfilePrivilege	1924	WMIC.exe
Token: SeSystemtimePrivilege	1924	WMIC.exe
Token: SeProfSingleProcessPrivilege	1924	WMIC.exe
Token: SeIncBasePriorityPrivilege	1924	WMIC.exe
Token: SeCreatePagefilePrivilege	1924	WMIC.exe
Token: SeBackupPrivilege	1924	WMIC.exe
Token: SeRestorePrivilege	1924	WMIC.exe
Token: SeShutdownPrivilege	1924	WMIC.exe
Token: SeDebugPrivilege	1924	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1924	WMIC.exe
Token: SeRemoteShutdownPrivilege	1924	WMIC.exe
Token: SeUndockPrivilege	1924	WMIC.exe
Token: SeManageVolumePrivilege	1924	WMIC.exe
Token: 33	1924	WMIC.exe
Token: 34	1924	WMIC.exe
Token: 35	1924	WMIC.exe
Token: SeSecurityPrivilege	1848	wevtutil.exe
Token: SeBackupPrivilege	1848	wevtutil.exe
Token: SeSecurityPrivilege	796	wevtutil.exe
Token: SeBackupPrivilege	796	wevtutil.exe
Token: SeSecurityPrivilege	1940	wevtutil.exe
Token: SeBackupPrivilege	1940	wevtutil.exe

Uses Volume Shadow Copy Service COM API 19 IoCs

ransomware

Processes:

vssadmin.exevssvc.exe

description	ioc	pid	process
Key opened	\Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1640	vssadmin.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1640	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\TreatAs	1640	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\Progid	1640	vssadmin.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID	1640	vssadmin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID\	1640	vssadmin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\	1640	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocServer32	1640	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler32	1640	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler	1640	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1140	vssvc.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1140	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\TreatAs	1140	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\Progid	1140	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID\	1140	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\	1140	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocServer32	1140	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler32	1140	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler	1140	vssvc.exe

Modifies Boot Configuration Data 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

756 bcdedit.exe
228 bcdedit.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1320 cmd.exe

pid	process
756	bcdedit.exe
228	bcdedit.exe

pid	process
1320	cmd.exe

Drops Office document 12 IoCs

dropper exploiter maldoc

Processes:

iis_agent32.exe

description	ioc	pid	process
File opened for modification	C:\Users\Admin\AppData\Roaming\ImportOut.ppt	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Desktop\DisableReceive.ppt	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Desktop\StopUnregister.docx	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\ConvertSubmit.xls	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\LimitRead.ppt	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\SplitAssert.xls	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\These.docx	1380	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\UnblockUnprotect.xlsx	1380	iis_agent32.exe

Timeout.exe delays execution 1 IoCs
evasion

Processes:

timeout.exe

pid process

1940 timeout.exe

pid	process
1940	timeout.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

iis_agent32.exe

description	pid	process	target process
PID 1380 wrote to memory of 1320	1380	iis_agent32.exe	cmd.exe
PID 1380 wrote to memory of 1940	1380	iis_agent32.exe	cmd.exe
PID 1380 wrote to memory of 604	1380	iis_agent32.exe	cmd.exe
PID 1380 wrote to memory of 204	1380	iis_agent32.exe	cmd.exe
PID 1380 wrote to memory of 236	1380	iis_agent32.exe	cmd.exe
PID 1380 wrote to memory of 1200	1380	iis_agent32.exe	cmd.exe
PID 1380 wrote to memory of 1864	1380	iis_agent32.exe	cmd.exe
PID 1380 wrote to memory of 1320	1380	iis_agent32.exe	cmd.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

pid process

1748 conhost.exe
1944 conhost.exe
284 conhost.exe
212 conhost.exe
1972 conhost.exe
1872 conhost.exe
1716 conhost.exe
1872 conhost.exe
Deletes shadow copies 2 TTPs 2 IoCs
ransomware

Inhibit System Recovery
T1490

Processes:

vssadmin.exeWMIC.exe

pid process

1640 vssadmin.exe
1924 WMIC.exe
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

1848 wevtutil.exe
796 wevtutil.exe
1940 wevtutil.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

iis_agent32.exe

pid process

1380 iis_agent32.exe

pid	process
1748	conhost.exe
1944	conhost.exe
284	conhost.exe
212	conhost.exe
1972	conhost.exe
1872	conhost.exe
1716	conhost.exe
1872	conhost.exe

pid	process
1640	vssadmin.exe
1924	WMIC.exe

pid	process
1848	wevtutil.exe
796	wevtutil.exe
1940	wevtutil.exe

pid	process
1380	iis_agent32.exe

Drops file in system dir 64 IoCs

Processes:

iis_agent32.exe

description	ioc	pid	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Zenis-PL.PLwn8tj5PkAy	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Zenis-0F.0Fmkr1X2vzDj	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\Zenis-Oz.OzCZir6fCtki	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\Zenis-5r.5ruU9HtTKrWi	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\Zenis-mi.micPZhgIToHh	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\Zenis-qH.qHVjE6d8afqB	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Zenis-0Q.0Q67Jei8KBe4	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-hI.hIp2k4UxS8Q3	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-OA.OAXxBUHlb6B3	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	1380	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-pv.pvlVo41iNoQw	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\Zenis-Instructions.html	1380	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\Zenis-Instructions.html	1380	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\Zenis-Instructions.html	1380	iis_agent32.exe

C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe
"C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Drops Office document
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Drops file in system dir
PID:1380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /Quiet
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1908392402-1638536916-27801542-1072352984-484855387-5478566241539925594-1754304342"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /Quiet
1⤵
- Uses Volume Shadow Copy Service COM API
- Deletes shadow copies
PID:1640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Uses Volume Shadow Copy Service COM API
PID:1140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:1084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C WMIC.exe shadowcopy delete
1⤵
PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11090750511362864905-690821326966661351-476877284-1464817633-601390788-630546323"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID:1924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Bcdedit.exe /set {default} recoveryenabled no
1⤵
PID:604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1357304515-49625428213239389931465246131-418946311504728357825126170-1064745522"
1⤵
- Suspicious use of SetWindowsHookEx
PID:284

C:\Windows\system32\bcdedit.exe
Bcdedit.exe /set {default} recoveryenabled no
1⤵
- Modifies Boot Configuration Data
PID:756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
PID:204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5025345331680141083-19158288391376973526-4805526921722215271-21176376001281869524"
1⤵
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\system32\bcdedit.exe
Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Modifies Boot Configuration Data
PID:228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wevtutil.exe cl Application
1⤵
PID:236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1059176373-20092165114112753089567963-1675922385-9916231351461502116241192927"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Application
1⤵
- Suspicious use of AdjustPrivilegeToken
- Clears Windows event logs
PID:1848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wevtutil.exe cl Security
1⤵
PID:1200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-196488826112545111336593321462171308451233641194915805797-20827898011394804628"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
1⤵
- Suspicious use of AdjustPrivilegeToken
- Clears Windows event logs
PID:796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wevtutil.exe cl System
1⤵
PID:1864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1235315038-61189685-90689838418030054421422413928-47328221119633480651789024587"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
1⤵
- Suspicious use of AdjustPrivilegeToken
- Clears Windows event logs
PID:1940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 5 && Del /Q /F C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe
1⤵
- Deletes itself
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-804305386937037444-1220658503726070867-159655832-4024920791912928371-1174468790"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\system32\timeout.exe
timeout 5
1⤵
- Timeout.exe delays execution
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

MITRE ATT&CK Additional techniques

T1107

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads