9730e03ca9d052875895b4ad7ba7914f69009fd5fb58d324ee35d3e45f90d768

General

Target

iis_agent32.exe
Sample

191030-cdxr5hrvmn
SHA256

9730e03ca9d052875895b4ad7ba7914f69009fd5fb58d324ee35d3e45f90d768

Score

N/A

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

iis_agent32.exe

pid process

596 iis_agent32.exe

pid	process
596	iis_agent32.exe

Drops file in system dir 64 IoCs

Processes:

iis_agent32.exe

description	ioc	pid	process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Zenis-Zd.Zd5AP3satI5y	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Zenis-Q6.Q6Js4MwsAioG	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\Zenis-Uf.UfCDiltiIZMk	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\Zenis-BX.BXu79BgXQX8j	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\Zenis-20.208pnUkphxq1	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\Zenis-vx.vxWME0QBfLSD	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Zenis-ov.ovuteV6Yej4P	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-fO.fO8bJpAqv9mh	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-Wr.WrMKx8E8CaVy	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	596	iis_agent32.exe
File renamed	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-38.38YRAfjTC4Jg	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\Zenis-Instructions.html	596	iis_agent32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\Zenis-Instructions.html	596	iis_agent32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\Zenis-Instructions.html	596	iis_agent32.exe

Drops Office document 12 IoCs

dropper exploiter maldoc

Processes:

iis_agent32.exe

description	ioc	pid	process
File opened for modification	C:\Users\Admin\AppData\Roaming\ImportOut.ppt	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Desktop\DisableReceive.ppt	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Desktop\StopUnregister.docx	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\ConvertSubmit.xls	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\LimitRead.ppt	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\SplitAssert.xls	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\These.docx	596	iis_agent32.exe
File opened for modification	C:\Users\Admin\Documents\UnblockUnprotect.xlsx	596	iis_agent32.exe

Timeout.exe delays execution 1 IoCs
evasion

Processes:

timeout.exe

pid process

1176 timeout.exe

pid	process
1176	timeout.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

iis_agent32.exevssvc.exeWMIC.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	596	iis_agent32.exe
Token: SeBackupPrivilege	1468	vssvc.exe
Token: SeRestorePrivilege	1468	vssvc.exe
Token: SeAuditPrivilege	1468	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: SeSecurityPrivilege	2032	wevtutil.exe
Token: SeBackupPrivilege	2032	wevtutil.exe
Token: SeSecurityPrivilege	1284	wevtutil.exe
Token: SeBackupPrivilege	1284	wevtutil.exe
Token: SeSecurityPrivilege	204	wevtutil.exe
Token: SeBackupPrivilege	204	wevtutil.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

iis_agent32.exe

description	pid	process	target process
PID 596 wrote to memory of 1968	596	iis_agent32.exe	cmd.exe
PID 596 wrote to memory of 2044	596	iis_agent32.exe	cmd.exe
PID 596 wrote to memory of 1116	596	iis_agent32.exe	cmd.exe
PID 596 wrote to memory of 232	596	iis_agent32.exe	cmd.exe
PID 596 wrote to memory of 1432	596	iis_agent32.exe	cmd.exe
PID 596 wrote to memory of 544	596	iis_agent32.exe	cmd.exe
PID 596 wrote to memory of 2040	596	iis_agent32.exe	cmd.exe
PID 596 wrote to memory of 1116	596	iis_agent32.exe	cmd.exe

Uses Volume Shadow Copy Service COM API 19 IoCs

ransomware

Processes:

vssadmin.exevssvc.exe

description	ioc	pid	process
Key opened	\Registry\Machine\Software\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1432	vssadmin.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1432	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\TreatAs	1432	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\Progid	1432	vssadmin.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID	1432	vssadmin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID\	1432	vssadmin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\	1432	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocServer32	1432	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler32	1432	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler	1432	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1468	vssvc.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}	1468	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\TreatAs	1468	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\Progid	1468	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\ProgID\	1468	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\	1468	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocServer32	1468	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler32	1468	vssvc.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}\InprocHandler	1468	vssvc.exe

Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

2032 wevtutil.exe
1284 wevtutil.exe
204 wevtutil.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1116 cmd.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

conhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.execonhost.exe

pid process

1992 conhost.exe
2028 conhost.exe
208 conhost.exe
108 conhost.exe
1964 conhost.exe
1156 conhost.exe
212 conhost.exe
212 conhost.exe
Deletes shadow copies 2 TTPs 2 IoCs
ransomware

Inhibit System Recovery
T1490

Processes:

vssadmin.exeWMIC.exe

pid process

1432 vssadmin.exe
2020 WMIC.exe
Modifies Boot Configuration Data 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

224 bcdedit.exe
1408 bcdedit.exe

pid	process
2032	wevtutil.exe
1284	wevtutil.exe
204	wevtutil.exe

pid	process
1116	cmd.exe

pid	process
1992	conhost.exe
2028	conhost.exe
208	conhost.exe
108	conhost.exe
1964	conhost.exe
1156	conhost.exe
212	conhost.exe
212	conhost.exe

pid	process
1432	vssadmin.exe
2020	WMIC.exe

pid	process
224	bcdedit.exe
1408	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe
"C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops file in system dir
- Drops Office document
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /Quiet
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "152746991617797927937621948-813802796-9066468752032384393-1647537477-35610873"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /Quiet
1⤵
- Uses Volume Shadow Copy Service COM API
- Deletes shadow copies
PID:1432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Uses Volume Shadow Copy Service COM API
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:1496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C WMIC.exe shadowcopy delete
1⤵
PID:2044

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16667158601883710953-602057339277282595-129848417-1485555278-2141958844-1525539551"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\System32\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
1⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes shadow copies
PID:2020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Bcdedit.exe /set {default} recoveryenabled no
1⤵
PID:1116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1138862790176837176690911350724443424918102909263872890522038853367-812709330"
1⤵
- Suspicious use of SetWindowsHookEx
PID:208

C:\Windows\system32\bcdedit.exe
Bcdedit.exe /set {default} recoveryenabled no
1⤵
- Modifies Boot Configuration Data
PID:224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
PID:232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-978576110-481346106-1102864460-15362863881583620561-1618847635-954596868150963763"
1⤵
- Suspicious use of SetWindowsHookEx
PID:108

C:\Windows\system32\bcdedit.exe
Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Modifies Boot Configuration Data
PID:1408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wevtutil.exe cl Application
1⤵
PID:1432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2140517884-16849149-12054554319905670011927981335-164935125-2070858680220810265"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Application
1⤵
- Suspicious use of AdjustPrivilegeToken
- Clears Windows event logs
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wevtutil.exe cl Security
1⤵
PID:544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1473418552788637786-1774555455-1316794554-165781596516314669141730327226-944160666"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
1⤵
- Suspicious use of AdjustPrivilegeToken
- Clears Windows event logs
PID:1284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wevtutil.exe cl System
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1335176544-1294711942-1322247224599937889-741851558-8580353821051353222036059672"
1⤵
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
1⤵
- Suspicious use of AdjustPrivilegeToken
- Clears Windows event logs
PID:204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout 5 && Del /Q /F C:\Users\Admin\AppData\Local\Temp\iis_agent32.exe
1⤵
- Deletes itself
PID:1116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-334251469413210185499720249345694871-11205306123477132641153833510-1961310043"
1⤵
- Suspicious use of SetWindowsHookEx
PID:212

C:\Windows\system32\timeout.exe
timeout 5
1⤵
- Timeout.exe delays execution
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

MITRE ATT&CK Additional techniques

T1107

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads