162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4

General

Target

162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
Size

1.3MB
MD5

51fd05fa1ff6631a2eb929677e0156e1
SHA1

a21e07517c61d11c3bf85768e77981f591fe6f75
SHA256

162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4
SHA512

2cc92cd023295ca62333f5de64d3360800363c690b0f9707e50ffe3d696c2a429a57088f1293eff34b315ce6f7470efbfa870dbc427911bc050b0353fbf06aaa

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 7 IoCs

Processes:

162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\desktop.ini	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe

Drops file in Program Files directory 64 IoCs

Processes:

162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app_1.0.300.v20140228-1829.jar	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\SQLiteWrapper.winmd	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-32.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\C2R64.dll	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ja_JP.jar.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Become_a_Star_.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\12d.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4665_20x20x32.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\derby_common.bat	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\toast.scale-150.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.ReportingServices.QueryDesigners.Extensions.dll	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\w2k_lsa_auth.dll	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\FileSystemMetadata.xml	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gw_16x11.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\agavedefaulticon96x96.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\softokn3.dll.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_LogoSmall.scale-100.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\particles.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\System\ole db\xmlrw.dll.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Microsoft.Graphics.Canvas.winmd	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\ShowLeaderboardButton.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dcpr.dll.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\69_40x40x32.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_11.19.19003.0_x64__8wekyb3d8bbwe\AppxManifest.xml	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-36.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.LEX	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxMail.exe	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_zh_CN.jar.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.boot.tree.dat	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.RsClient.dll.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\8.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\lobby_deck_style_mobile.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\SurfaceProfiles\canvas12oz_512x512_nm.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WatchRepair.vstm.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHEV.DLL.[Openfileyou@protonmail.com][MJ-WP5283196407].Snoopdogg	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsMedTile.scale-100.png	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe

NTFS ADS 2 IoCs

Processes:

162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\zh-TW\8:뜠Öͥt.ex	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:㯠Ú΍t.ex	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe

pid	process
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 4804 wrote to memory of 5076	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 5076	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 5076	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 5076 wrote to memory of 4252	5076	cmd.exe	net.exe
PID 5076 wrote to memory of 4252	5076	cmd.exe	net.exe
PID 5076 wrote to memory of 4252	5076	cmd.exe	net.exe
PID 4252 wrote to memory of 3420	4252	net.exe	net1.exe
PID 4252 wrote to memory of 3420	4252	net.exe	net1.exe
PID 4252 wrote to memory of 3420	4252	net.exe	net1.exe
PID 4804 wrote to memory of 824	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 824	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 824	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 3948	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 3948	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 3948	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 4292	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 4292	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 4292	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 532	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 532	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 532	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 532 wrote to memory of 940	532	cmd.exe	net.exe
PID 532 wrote to memory of 940	532	cmd.exe	net.exe
PID 532 wrote to memory of 940	532	cmd.exe	net.exe
PID 940 wrote to memory of 652	940	net.exe	net1.exe
PID 940 wrote to memory of 652	940	net.exe	net1.exe
PID 940 wrote to memory of 652	940	net.exe	net1.exe
PID 4804 wrote to memory of 1204	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 1204	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 1204	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 1204 wrote to memory of 1300	1204	cmd.exe	net.exe
PID 1204 wrote to memory of 1300	1204	cmd.exe	net.exe
PID 1204 wrote to memory of 1300	1204	cmd.exe	net.exe
PID 1300 wrote to memory of 1400	1300	net.exe	net1.exe
PID 1300 wrote to memory of 1400	1300	net.exe	net1.exe
PID 1300 wrote to memory of 1400	1300	net.exe	net1.exe
PID 4804 wrote to memory of 1596	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 1596	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 1596	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 1596 wrote to memory of 1732	1596	cmd.exe	net.exe
PID 1596 wrote to memory of 1732	1596	cmd.exe	net.exe
PID 1596 wrote to memory of 1732	1596	cmd.exe	net.exe
PID 1732 wrote to memory of 1876	1732	net.exe	net1.exe
PID 1732 wrote to memory of 1876	1732	net.exe	net1.exe
PID 1732 wrote to memory of 1876	1732	net.exe	net1.exe
PID 4804 wrote to memory of 2076	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 2076	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 2076	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 2076 wrote to memory of 2500	2076	cmd.exe	netsh.exe
PID 2076 wrote to memory of 2500	2076	cmd.exe	netsh.exe
PID 2076 wrote to memory of 2500	2076	cmd.exe	netsh.exe
PID 4804 wrote to memory of 2584	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 2584	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 2584	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 2584 wrote to memory of 3764	2584	cmd.exe	netsh.exe
PID 2584 wrote to memory of 3764	2584	cmd.exe	netsh.exe
PID 2584 wrote to memory of 3764	2584	cmd.exe	netsh.exe
PID 4804 wrote to memory of 2072	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 2072	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 4804 wrote to memory of 2072	4804	162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe	cmd.exe
PID 2072 wrote to memory of 2200	2072	cmd.exe	net.exe
PID 2072 wrote to memory of 2200	2072	cmd.exe	net.exe
PID 2072 wrote to memory of 2200	2072	cmd.exe	net.exe
PID 2200 wrote to memory of 4440	2200	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe
"C:\Users\Admin\AppData\Local\Temp\162c90e6e8a1b019ed7272b16b2307cbbdb0bac09acec116fb6c3619c86794c4.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
PID:4568

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:4600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:4620

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:4100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
PID:4776

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
PID:1460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/220-32-0x0000000000000000-mapping.dmp

Download
memory/532-8-0x0000000000000000-mapping.dmp

Download
memory/652-10-0x0000000000000000-mapping.dmp

Download
memory/824-5-0x0000000000000000-mapping.dmp

Download
memory/940-9-0x0000000000000000-mapping.dmp

Download
memory/1204-11-0x0000000000000000-mapping.dmp

Download
memory/1300-12-0x0000000000000000-mapping.dmp

Download
memory/1400-13-0x0000000000000000-mapping.dmp

Download
memory/1460-31-0x0000000000000000-mapping.dmp

Download
memory/1596-14-0x0000000000000000-mapping.dmp

Download
memory/1732-15-0x0000000000000000-mapping.dmp

Download
memory/1876-16-0x0000000000000000-mapping.dmp

Download
memory/2072-21-0x0000000000000000-mapping.dmp

Download
memory/2076-17-0x0000000000000000-mapping.dmp

Download
memory/2200-22-0x0000000000000000-mapping.dmp

Download
memory/2500-18-0x0000000000000000-mapping.dmp

Download
memory/2584-19-0x0000000000000000-mapping.dmp

Download
memory/2628-29-0x0000000000000000-mapping.dmp

Download
memory/3420-4-0x0000000000000000-mapping.dmp

Download
memory/3764-20-0x0000000000000000-mapping.dmp

Download
memory/3948-6-0x0000000000000000-mapping.dmp

Download
memory/4100-28-0x0000000000000000-mapping.dmp

Download
memory/4252-3-0x0000000000000000-mapping.dmp

Download
memory/4292-7-0x0000000000000000-mapping.dmp

Download
memory/4440-23-0x0000000000000000-mapping.dmp

Download
memory/4568-24-0x0000000000000000-mapping.dmp

Download
memory/4600-25-0x0000000000000000-mapping.dmp

Download
memory/4620-27-0x0000000000000000-mapping.dmp

Download
memory/4632-26-0x0000000000000000-mapping.dmp

Download
memory/4776-30-0x0000000000000000-mapping.dmp

Download
memory/4804-34-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/4804-33-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/4804-35-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/4804-49-0x0000000002C60000-0x0000000002C61000-memory.dmp

Filesize
4KB

Download
memory/4804-50-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/5076-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads