locky | b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

General

Target

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
Size

169KB
MD5

98562209465bec53327e65649a2b8829
SHA1

3a47656ed3df213bd934aa01078a863568fe9f2b
SHA256

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe
SHA512

c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3

Score

10^/10

locky evasion ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3680 bcdedit.exe
2748 bcdedit.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3680	bcdedit.exe
2748	bcdedit.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\EnterExport.raw => C:\Users\Admin\Pictures\EnterExport.raw.59E81.thor	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File renamed	C:\Users\Admin\Pictures\ReadOptimize.raw => C:\Users\Admin\Pictures\ReadOptimize.raw.59E81.thor	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File opened for modification	C:\Users\Admin\Pictures\RequestAdd.tiff	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File renamed	C:\Users\Admin\Pictures\RequestAdd.tiff => C:\Users\Admin\Pictures\RequestAdd.tiff.59E81.thor	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File opened for modification	C:\Users\Admin\Pictures\StopUninstall.tiff	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File renamed	C:\Users\Admin\Pictures\StopUninstall.tiff => C:\Users\Admin\Pictures\StopUninstall.tiff.59E81.thor	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File renamed	C:\Users\Admin\Pictures\TraceSet.tif => C:\Users\Admin\Pictures\TraceSet.tif.59E81.thor	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
File renamed	C:\Users\Admin\Pictures\UnregisterMerge.raw => C:\Users\Admin\Pictures\UnregisterMerge.raw.59E81.thor	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

Drops file in Program Files directory 1 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

204 vssadmin.exe

pid	process
204	vssadmin.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4180	taskkill.exe
4224	taskkill.exe
4292	taskkill.exe
4156	taskkill.exe
4204	taskkill.exe
4316	taskkill.exe
4340	taskkill.exe
4380	taskkill.exe
4368	taskkill.exe
4268	taskkill.exe
4164	taskkill.exe
4188	taskkill.exe
4280	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4904 PING.EXE

pid	process
4904	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

pid	process
640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe
Token: 36	2940	WMIC.exe
Token: SeBackupPrivilege	2596	vssvc.exe
Token: SeRestorePrivilege	2596	vssvc.exe
Token: SeAuditPrivilege	2596	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2940	WMIC.exe
Token: SeSecurityPrivilege	2940	WMIC.exe
Token: SeTakeOwnershipPrivilege	2940	WMIC.exe
Token: SeLoadDriverPrivilege	2940	WMIC.exe
Token: SeSystemProfilePrivilege	2940	WMIC.exe
Token: SeSystemtimePrivilege	2940	WMIC.exe
Token: SeProfSingleProcessPrivilege	2940	WMIC.exe
Token: SeIncBasePriorityPrivilege	2940	WMIC.exe
Token: SeCreatePagefilePrivilege	2940	WMIC.exe
Token: SeBackupPrivilege	2940	WMIC.exe
Token: SeRestorePrivilege	2940	WMIC.exe
Token: SeShutdownPrivilege	2940	WMIC.exe
Token: SeDebugPrivilege	2940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2940	WMIC.exe
Token: SeRemoteShutdownPrivilege	2940	WMIC.exe
Token: SeUndockPrivilege	2940	WMIC.exe
Token: SeManageVolumePrivilege	2940	WMIC.exe
Token: 33	2940	WMIC.exe
Token: 34	2940	WMIC.exe
Token: 35	2940	WMIC.exe
Token: 36	2940	WMIC.exe
Token: SeDebugPrivilege	4180	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	4188	taskkill.exe
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeDebugPrivilege	4340	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4292	taskkill.exe
Token: SeDebugPrivilege	4316	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 640 wrote to memory of 3756	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3756	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3064	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3064	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3240	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3240	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3160	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3160	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 4032	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 4032	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 4032 wrote to memory of 1172	4032	cmd.exe	netsh.exe
PID 4032 wrote to memory of 1172	4032	cmd.exe	netsh.exe
PID 3756 wrote to memory of 204	3756	cmd.exe	vssadmin.exe
PID 3756 wrote to memory of 204	3756	cmd.exe	vssadmin.exe
PID 3240 wrote to memory of 2748	3240	cmd.exe	bcdedit.exe
PID 3240 wrote to memory of 2748	3240	cmd.exe	bcdedit.exe
PID 3064 wrote to memory of 2940	3064	cmd.exe	WMIC.exe
PID 3064 wrote to memory of 2940	3064	cmd.exe	WMIC.exe
PID 3160 wrote to memory of 3680	3160	cmd.exe	bcdedit.exe
PID 3160 wrote to memory of 3680	3160	cmd.exe	bcdedit.exe
PID 640 wrote to memory of 3716	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3716	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3716	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 260	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 260	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 260	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 276	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 276	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 276	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 184	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 184	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 184	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3820	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3820	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3820	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2120	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2120	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2120	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2088	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2088	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2088	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2280	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2280	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2280	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2160	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2160	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 2160	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 632	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 632	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 632	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 1140	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 1140	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 1140	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 884	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 884	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 884	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3860	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3860	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 640 wrote to memory of 3860	640	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3716 wrote to memory of 4156	3716	cmd.exe	taskkill.exe
PID 3820 wrote to memory of 4164	3820	cmd.exe	taskkill.exe
PID 3716 wrote to memory of 4156	3716	cmd.exe	taskkill.exe
PID 3820 wrote to memory of 4164	3820	cmd.exe	taskkill.exe
PID 3716 wrote to memory of 4156	3716	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
"C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:204

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c wmic shadowcopy delete /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:3240

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2748

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c netsh advfirewall set allprofiles state off
2⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
PID:1172

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set {current} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3680

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im note*
2⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im note*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im powerpnt*
2⤵
PID:260

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powerpnt*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im winword*
2⤵
PID:276

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im Exchange*
2⤵
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Exchange*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im tomcat*
2⤵
PID:2088

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tomcat*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im apache*
2⤵
PID:2280

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im apache*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im java*
2⤵
PID:2160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im java*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im python*
2⤵
PID:632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im python*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im post*
2⤵
PID:884

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im post*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im vee*
2⤵
PID:1140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im vee*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im sql*
2⤵
PID:2120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im excel*
2⤵
PID:184

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mys*
2⤵
PID:3860

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mys*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
2⤵
PID:4860

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/184-129-0x0000000000000000-mapping.dmp

Download
memory/204-122-0x0000000000000000-mapping.dmp

Download
memory/260-127-0x0000000000000000-mapping.dmp

Download
memory/276-128-0x0000000000000000-mapping.dmp

Download
memory/632-135-0x0000000000000000-mapping.dmp

Download
memory/640-114-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/884-137-0x0000000000000000-mapping.dmp

Download
memory/1140-136-0x0000000000000000-mapping.dmp

Download
memory/1172-121-0x0000000000000000-mapping.dmp

Download
memory/2088-132-0x0000000000000000-mapping.dmp

Download
memory/2120-131-0x0000000000000000-mapping.dmp

Download
memory/2160-134-0x0000000000000000-mapping.dmp

Download
memory/2280-133-0x0000000000000000-mapping.dmp

Download
memory/2748-123-0x0000000000000000-mapping.dmp

Download
memory/2940-124-0x0000000000000000-mapping.dmp

Download
memory/3064-117-0x0000000000000000-mapping.dmp

Download
memory/3160-119-0x0000000000000000-mapping.dmp

Download
memory/3240-118-0x0000000000000000-mapping.dmp

Download
memory/3680-125-0x0000000000000000-mapping.dmp

Download
memory/3716-126-0x0000000000000000-mapping.dmp

Download
memory/3756-116-0x0000000000000000-mapping.dmp

Download
memory/3820-130-0x0000000000000000-mapping.dmp

Download
memory/3860-138-0x0000000000000000-mapping.dmp

Download
memory/4032-120-0x0000000000000000-mapping.dmp

Download
memory/4156-139-0x0000000000000000-mapping.dmp

Download
memory/4164-140-0x0000000000000000-mapping.dmp

Download
memory/4180-141-0x0000000000000000-mapping.dmp

Download
memory/4188-142-0x0000000000000000-mapping.dmp

Download
memory/4204-143-0x0000000000000000-mapping.dmp

Download
memory/4224-144-0x0000000000000000-mapping.dmp

Download
memory/4268-145-0x0000000000000000-mapping.dmp

Download
memory/4280-146-0x0000000000000000-mapping.dmp

Download
memory/4292-147-0x0000000000000000-mapping.dmp

Download
memory/4316-148-0x0000000000000000-mapping.dmp

Download
memory/4340-149-0x0000000000000000-mapping.dmp

Download
memory/4368-150-0x0000000000000000-mapping.dmp

Download
memory/4380-151-0x0000000000000000-mapping.dmp

Download
memory/4860-152-0x0000000000000000-mapping.dmp

Download
memory/4904-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads