21420b8630260dae7f0ea14a319a8b3ae6910def98599109b365f710e835b9c4

General

Target

wyooy@aol.com.exe
Size

1.3MB
MD5

645d774a869c582b2c46beed455321d4
SHA1

e94862c25377373f54ce668051df0d95d3746514
SHA256

21420b8630260dae7f0ea14a319a8b3ae6910def98599109b365f710e835b9c4
SHA512

2c7cc053ed79e52f7e2ae508d2d832e6efa0b9a24dc71158fbc25d829c3d9ad8aa8f5c04e7fff94152dacc04cc1d7604da147ee201d900efcbcc62fe95f15b81

Score

8^/10

evasion

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops desktop.ini file(s) 7 IoCs

Processes:

wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	wyooy@aol.com.exe
File created	C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	wyooy@aol.com.exe
File created	C:\Program Files\desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	wyooy@aol.com.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	wyooy@aol.com.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	wyooy@aol.com.exe

Drops file in Program Files directory 64 IoCs

Processes:

wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SPREADSHEETCOMPARE.16.1033.hxn	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msowerrelief.dll.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.ConnectionUI.Dialog.dll.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\resources.jar	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.LEX.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\BackupDismount.3gp.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ul-oob.xrm-ms	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util.xml.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages@4x.png	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sv.pak	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\title.htm	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\eclipse.inf	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\TIME.XML	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\US_export_policy.jar	wyooy@aol.com.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\manifest.json.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-explorer.xml	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PowerPointCombinedFloatieModel.bin.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.Themes.dll.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-tabcontrol_zh_CN.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Training.potx	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.AuditItems.Resources.dll	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sk.pak.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\upe.dll	wyooy@aol.com.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\org-openide-filesystems_zh_CN.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessCompare.rdlc	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	wyooy@aol.com.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoCanary.png.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ko_KR.jar.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.[wyooy@tutanota.com][MJ-QJ7862543901].hydra	wyooy@aol.com.exe

NTFS ADS 2 IoCs

Processes:

wyooy@aol.com.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\zh-TW\8:늨Qŭt.ex	wyooy@aol.com.exe
File opened for modification	C:\Documents and Settings\zh-TW\8:둘QƁt.ex	wyooy@aol.com.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

wyooy@aol.com.exe

pid	process
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe
1000	wyooy@aol.com.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wyooy@aol.com.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1000 wrote to memory of 2548	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 2548	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 2548	1000	wyooy@aol.com.exe	cmd.exe
PID 2548 wrote to memory of 3540	2548	cmd.exe	net.exe
PID 2548 wrote to memory of 3540	2548	cmd.exe	net.exe
PID 2548 wrote to memory of 3540	2548	cmd.exe	net.exe
PID 3540 wrote to memory of 636	3540	net.exe	net1.exe
PID 3540 wrote to memory of 636	3540	net.exe	net1.exe
PID 3540 wrote to memory of 636	3540	net.exe	net1.exe
PID 1000 wrote to memory of 3000	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3000	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3000	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3028	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3028	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3028	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 1196	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 1196	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 1196	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3716	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3716	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3716	1000	wyooy@aol.com.exe	cmd.exe
PID 3716 wrote to memory of 3892	3716	cmd.exe	net.exe
PID 3716 wrote to memory of 3892	3716	cmd.exe	net.exe
PID 3716 wrote to memory of 3892	3716	cmd.exe	net.exe
PID 3892 wrote to memory of 1016	3892	net.exe	net1.exe
PID 3892 wrote to memory of 1016	3892	net.exe	net1.exe
PID 3892 wrote to memory of 1016	3892	net.exe	net1.exe
PID 1000 wrote to memory of 3184	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3184	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3184	1000	wyooy@aol.com.exe	cmd.exe
PID 3184 wrote to memory of 2560	3184	cmd.exe	net.exe
PID 3184 wrote to memory of 2560	3184	cmd.exe	net.exe
PID 3184 wrote to memory of 2560	3184	cmd.exe	net.exe
PID 2560 wrote to memory of 2880	2560	net.exe	net1.exe
PID 2560 wrote to memory of 2880	2560	net.exe	net1.exe
PID 2560 wrote to memory of 2880	2560	net.exe	net1.exe
PID 1000 wrote to memory of 204	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 204	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 204	1000	wyooy@aol.com.exe	cmd.exe
PID 204 wrote to memory of 1588	204	cmd.exe	net.exe
PID 204 wrote to memory of 1588	204	cmd.exe	net.exe
PID 204 wrote to memory of 1588	204	cmd.exe	net.exe
PID 1588 wrote to memory of 2908	1588	net.exe	net1.exe
PID 1588 wrote to memory of 2908	1588	net.exe	net1.exe
PID 1588 wrote to memory of 2908	1588	net.exe	net1.exe
PID 1000 wrote to memory of 1308	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 1308	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 1308	1000	wyooy@aol.com.exe	cmd.exe
PID 1308 wrote to memory of 2700	1308	cmd.exe	netsh.exe
PID 1308 wrote to memory of 2700	1308	cmd.exe	netsh.exe
PID 1308 wrote to memory of 2700	1308	cmd.exe	netsh.exe
PID 1000 wrote to memory of 3176	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3176	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3176	1000	wyooy@aol.com.exe	cmd.exe
PID 3176 wrote to memory of 1196	3176	cmd.exe	netsh.exe
PID 3176 wrote to memory of 1196	3176	cmd.exe	netsh.exe
PID 3176 wrote to memory of 1196	3176	cmd.exe	netsh.exe
PID 1000 wrote to memory of 3924	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3924	1000	wyooy@aol.com.exe	cmd.exe
PID 1000 wrote to memory of 3924	1000	wyooy@aol.com.exe	cmd.exe
PID 3924 wrote to memory of 2136	3924	cmd.exe	net.exe
PID 3924 wrote to memory of 2136	3924	cmd.exe	net.exe
PID 3924 wrote to memory of 2136	3924	cmd.exe	net.exe
PID 2136 wrote to memory of 2608	2136	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\wyooy@aol.com.exe
"C:\Users\Admin\AppData\Local\Temp\wyooy@aol.com.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSDTC
2⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\net.exe
net stop MSDTC
3⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSDTC
4⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
2⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\net.exe
net stop SQLSERVERAGENT
3⤵
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLSERVERAGENT
4⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop vds
2⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\net.exe
net stop vds
3⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop vds
4⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
2⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
2⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable
3⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLWriter
2⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop SQLBrowser
2⤵
PID:3828

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:3184

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
2⤵
PID:3452

C:\Windows\SysWOW64\net.exe
net stop MSSQLSERVER
3⤵
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLSERVER
4⤵
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
2⤵
PID:1328

C:\Windows\SysWOW64\net.exe
net stop MSSQL$CONTOSO1
3⤵
PID:1492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$CONTOSO1
4⤵
PID:3548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/204-126-0x0000000000000000-mapping.dmp

Download
memory/636-116-0x0000000000000000-mapping.dmp

Download
memory/1016-122-0x0000000000000000-mapping.dmp

Download
memory/1196-119-0x0000000000000000-mapping.dmp

Download
memory/1196-132-0x0000000000000000-mapping.dmp

Download
memory/1308-129-0x0000000000000000-mapping.dmp

Download
memory/1328-142-0x0000000000000000-mapping.dmp

Download
memory/1492-143-0x0000000000000000-mapping.dmp

Download
memory/1588-127-0x0000000000000000-mapping.dmp

Download
memory/2136-134-0x0000000000000000-mapping.dmp

Download
memory/2548-114-0x0000000000000000-mapping.dmp

Download
memory/2560-124-0x0000000000000000-mapping.dmp

Download
memory/2608-135-0x0000000000000000-mapping.dmp

Download
memory/2664-138-0x0000000000000000-mapping.dmp

Download
memory/2700-130-0x0000000000000000-mapping.dmp

Download
memory/2880-125-0x0000000000000000-mapping.dmp

Download
memory/2888-140-0x0000000000000000-mapping.dmp

Download
memory/2908-128-0x0000000000000000-mapping.dmp

Download
memory/3000-117-0x0000000000000000-mapping.dmp

Download
memory/3028-118-0x0000000000000000-mapping.dmp

Download
memory/3176-131-0x0000000000000000-mapping.dmp

Download
memory/3184-123-0x0000000000000000-mapping.dmp

Download
memory/3184-137-0x0000000000000000-mapping.dmp

Download
memory/3420-141-0x0000000000000000-mapping.dmp

Download
memory/3452-139-0x0000000000000000-mapping.dmp

Download
memory/3540-115-0x0000000000000000-mapping.dmp

Download
memory/3548-144-0x0000000000000000-mapping.dmp

Download
memory/3716-120-0x0000000000000000-mapping.dmp

Download
memory/3828-136-0x0000000000000000-mapping.dmp

Download
memory/3892-121-0x0000000000000000-mapping.dmp

Download
memory/3924-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads