babuk | ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76

General

Target

ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
Size

79KB
MD5

d6fc9e993c69aceb7a5501641fc823fa
SHA1

7839b437b279d3f0ec22a57df7ea84ad01322c17
SHA256

ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76
SHA512

afd92c03d357ebbccd495017d5f7738ab83fadd865f008037a30ed326768c583acbb8858da73aea85b1b3c37d3dd4baeec4d0c9a0a09dd0bac26b15d65d7b3c6

Score

10^/10

babuk ransomware

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note

############## [ babuk ransomware greetings you ] ############## Introduction ---------------------------------------------- Congratulations! If you see this note, your company've been randomly chosen for security audit and your company haven't passed it. Unfortunately your servers are encrypted, backups are encrtypted too or deleted. Our enctyption algorythms are strong and it's impossible to decrypt your stuff without our help. Only one method to restore all your network and systems is - to buy our universal decryption software. Follow simple steps that discribed down below and your data will be saved. In case you ignore this situation, the consequences could me much serious, than you can imagine. Guarantees ---------------------------------------------- The hack and system encryption wasn't compromised by your competitors or any other 3rd party, this is just and only our initiative and only thing we interested is profit. Accurding the previous sentence We are very much value of our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We guarantee full support and help through the all decryption process. As the proof of our abilities and honesty, we can decrypt few small files for free, check the link provided and ask any questions. Data leakage ---------------------------------------------- We have copied some quantity of data from your servers. Check those proofs and estimate the seriousness of consequences which can occur in case you ignore us: http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/7907aef660251acf19895fb5a805cefa7d37819ccfad83835d1492d5d96bf286/ This link is private and only you can see it. Use tor browser to open link. Ignoring the interaction with us brings you the publishing your data in our public blog http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/ Contact ---------------------------------------------- 1) Download tor browser: https://www.torproject.org/download/ 2) Open it 3) Follow this link in tor browser: http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/9091cf99461b326d4bf5ed0eaa849a7c58e9678a426aa910392ea3e1f8cc85f6 * 6 simple steps do minimize harm from ransomware. ----------------------------------------------------------------------------------------------------------------- Thousands of companies around the world are struggling on ransomware these days, and the most of companies are making the same mistakes again and again. Let’s figure out how to minimize harm and do not be a dumb and pathetic donkey which will make fun for journalists and so on.. 1. If you see small fella malicious .exe file never load it to virustotal.com or any other virus researching website. Otherwise the info about the hack is not a secret anymore. The fact that your company is under ransomware attack is already known by filthy predators data security agents who will post in their pity twitters the fresh known news “OMG ANOTHER RANSOMWARE NOW IT’S “Your company name LLC!!!!! We are all gonna die aaaaaa halp” 2. No any public announcements about the hack or data leakage. And do not applicate to law enforcement. If you commit this actions, more serious consequences can occur and you pay much more than a ransom amount. Law structures like GDPR in this case can oblige you to pay huge fine. 3. As soon as you see your network compromised, follow the link inside any note and follow instructions. 4. Calm your employees. Explain them that this is a drill. And you test your network security systems. 5. If you decide to hire the data recovery company, obligate them to do not inform anyone and any third party about details of the attack. We strongly do not recommend to cooperate with data recovery company, because they do absolutely nothing that you can do by yourself and take money for it. all communications with hackers could be conducted by your it department indipendently without any extra payments. 6. Do not try to decrypt your data via 3rd party software. Most of ransomware use strong encryption algorthm and you can harm your files by using 3rd party decryption software.

URLs

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/blog/7907aef660251acf19895fb5a805cefa7d37819ccfad83835d1492d5d96bf286/

http://wavbeudogz6byhnardd2lkp2jafims3j7tj6k6qnywchn2csngvtffqd.onion/

http://tsu2dpiiv4zjzfyq73eibemit2qyrimbbb6lhpm6n5ihgallom5lhdyd.onion/9091cf99461b326d4bf5ed0eaa849a7c58e9678a426aa910392ea3e1f8cc85f6

Signatures

Babuk Locker
RaaS first seen in 2021 initially called Vasa Locker.
ransomware babuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 20 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SplitRedo.png.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteDisconnect.tiff	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\CopyReset.raw.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\MergeUnregister.tiff	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\MergeUnregister.tiff.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File renamed	C:\Users\Admin\Pictures\ResolveRegister.tif => C:\Users\Admin\Pictures\ResolveRegister.tif.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File renamed	C:\Users\Admin\Pictures\StopEdit.raw => C:\Users\Admin\Pictures\StopEdit.raw.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File renamed	C:\Users\Admin\Pictures\SplitRedo.png => C:\Users\Admin\Pictures\SplitRedo.png.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\BlockConvert.png.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File renamed	C:\Users\Admin\Pictures\CopyReset.raw => C:\Users\Admin\Pictures\CopyReset.raw.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File renamed	C:\Users\Admin\Pictures\RestartEdit.raw => C:\Users\Admin\Pictures\RestartEdit.raw.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\StopEdit.raw.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File renamed	C:\Users\Admin\Pictures\BlockConvert.png => C:\Users\Admin\Pictures\BlockConvert.png.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File renamed	C:\Users\Admin\Pictures\JoinOut.tif => C:\Users\Admin\Pictures\JoinOut.tif.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\JoinOut.tif.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveRegister.tif.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\RestartEdit.raw.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File renamed	C:\Users\Admin\Pictures\CompleteDisconnect.tiff => C:\Users\Admin\Pictures\CompleteDisconnect.tiff.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteDisconnect.tiff.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File renamed	C:\Users\Admin\Pictures\MergeUnregister.tiff => C:\Users\Admin\Pictures\MergeUnregister.tiff.babyk	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe

description	ioc	process
File opened (read-only)	\??\F:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\G:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\H:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\X:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\M:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\Q:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\E:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\Y:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\A:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\K:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\L:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\V:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\N:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\W:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\T:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\O:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\P:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\J:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\S:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\Z:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\B:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\R:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\U:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
File opened (read-only)	\??\I:	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1604 vssadmin.exe
3956 vssadmin.exe
Runs net.exe

pid	process
1604	vssadmin.exe
3956	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe

pid	process
860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3992 vssvc.exe
Token: SeRestorePrivilege 3992 vssvc.exe
Token: SeAuditPrivilege 3992 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3992	vssvc.exe
Token: SeRestorePrivilege	3992	vssvc.exe
Token: SeAuditPrivilege	3992	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exe

description	pid	process	target process
PID 860 wrote to memory of 1964	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 1964	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 1964 wrote to memory of 2072	1964	cmd.exe	net.exe
PID 1964 wrote to memory of 2072	1964	cmd.exe	net.exe
PID 2072 wrote to memory of 3248	2072	net.exe	net1.exe
PID 2072 wrote to memory of 3248	2072	net.exe	net1.exe
PID 860 wrote to memory of 2840	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 2840	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 2840 wrote to memory of 512	2840	cmd.exe	net.exe
PID 2840 wrote to memory of 512	2840	cmd.exe	net.exe
PID 512 wrote to memory of 1880	512	net.exe	net1.exe
PID 512 wrote to memory of 1880	512	net.exe	net1.exe
PID 860 wrote to memory of 200	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 200	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 200 wrote to memory of 940	200	cmd.exe	net.exe
PID 200 wrote to memory of 940	200	cmd.exe	net.exe
PID 940 wrote to memory of 2304	940	net.exe	net1.exe
PID 940 wrote to memory of 2304	940	net.exe	net1.exe
PID 860 wrote to memory of 3992	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 3992	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 3992 wrote to memory of 3396	3992	cmd.exe	net.exe
PID 3992 wrote to memory of 3396	3992	cmd.exe	net.exe
PID 3396 wrote to memory of 3648	3396	net.exe	net1.exe
PID 3396 wrote to memory of 3648	3396	net.exe	net1.exe
PID 860 wrote to memory of 1316	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 1316	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 1316 wrote to memory of 2124	1316	cmd.exe	net.exe
PID 1316 wrote to memory of 2124	1316	cmd.exe	net.exe
PID 2124 wrote to memory of 2144	2124	net.exe	net1.exe
PID 2124 wrote to memory of 2144	2124	net.exe	net1.exe
PID 860 wrote to memory of 2236	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 2236	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 2236 wrote to memory of 912	2236	cmd.exe	net.exe
PID 2236 wrote to memory of 912	2236	cmd.exe	net.exe
PID 912 wrote to memory of 3920	912	net.exe	net1.exe
PID 912 wrote to memory of 3920	912	net.exe	net1.exe
PID 860 wrote to memory of 3368	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 3368	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 3368 wrote to memory of 1788	3368	cmd.exe	net.exe
PID 3368 wrote to memory of 1788	3368	cmd.exe	net.exe
PID 1788 wrote to memory of 1972	1788	net.exe	net1.exe
PID 1788 wrote to memory of 1972	1788	net.exe	net1.exe
PID 860 wrote to memory of 3956	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 3956	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 3956 wrote to memory of 2072	3956	cmd.exe	net.exe
PID 3956 wrote to memory of 2072	3956	cmd.exe	net.exe
PID 2072 wrote to memory of 3292	2072	net.exe	net1.exe
PID 2072 wrote to memory of 3292	2072	net.exe	net1.exe
PID 860 wrote to memory of 580	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 580	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 580 wrote to memory of 416	580	cmd.exe	net.exe
PID 580 wrote to memory of 416	580	cmd.exe	net.exe
PID 416 wrote to memory of 2844	416	net.exe	net1.exe
PID 416 wrote to memory of 2844	416	net.exe	net1.exe
PID 860 wrote to memory of 188	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 188	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 188 wrote to memory of 2404	188	cmd.exe	net.exe
PID 188 wrote to memory of 2404	188	cmd.exe	net.exe
PID 2404 wrote to memory of 184	2404	net.exe	net1.exe
PID 2404 wrote to memory of 184	2404	net.exe	net1.exe
PID 860 wrote to memory of 740	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 860 wrote to memory of 740	860	ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe	cmd.exe
PID 740 wrote to memory of 2804	740	cmd.exe	net.exe
PID 740 wrote to memory of 2804	740	cmd.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe
"C:\Users\Admin\AppData\Local\Temp\ed0f154481261e9a08dcc4f7e4d396bce75526811216106daa70d4148c660d76.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop mssqlserver /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\net.exe
net stop mssqlserver /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mssqlserver /y
4⤵
PID:3248

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop vss /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\system32\net.exe
net stop vss /y
3⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop vss /y
4⤵
PID:1880

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop sql /y
2⤵
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\system32\net.exe
net stop sql /y
3⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sql /y
4⤵
PID:2304

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop svc$ /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\system32\net.exe
net stop svc$ /y
3⤵
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop svc$ /y
4⤵
PID:3648

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop memtas /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\net.exe
net stop memtas /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop memtas /y
4⤵
PID:2144

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop mepocs /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\net.exe
net stop mepocs /y
3⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mepocs /y
4⤵
PID:3920

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop sophos /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\system32\net.exe
net stop sophos /y
3⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
4⤵
PID:1972

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop veeam /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\system32\net.exe
net stop veeam /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
4⤵
PID:3292

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop backup /y
2⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\net.exe
net stop backup /y
3⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop backup /y
4⤵
PID:2844

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxVss /y
2⤵
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\system32\net.exe
net stop GxVss /y
3⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxVss /y
4⤵
PID:184

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxBlr /y
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\net.exe
net stop GxBlr /y
3⤵
PID:2804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxBlr /y
4⤵
PID:496

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxFWD /y
2⤵
PID:764

C:\Windows\system32\net.exe
net stop GxFWD /y
3⤵
PID:2192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxFWD /y
4⤵
PID:2240

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxCVD /y
2⤵
PID:2244

C:\Windows\system32\net.exe
net stop GxCVD /y
3⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxCVD /y
4⤵
PID:2512

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GxCIMgr /y
2⤵
PID:3420

C:\Windows\system32\net.exe
net stop GxCIMgr /y
3⤵
PID:2000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GxCIMgr /y
4⤵
PID:2324

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop DefWatch /y
2⤵
PID:3796

C:\Windows\system32\net.exe
net stop DefWatch /y
3⤵
PID:1848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
4⤵
PID:3216

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ccEvtMgr /y
2⤵
PID:512

C:\Windows\system32\net.exe
net stop ccEvtMgr /y
3⤵
PID:2624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
4⤵
PID:192

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop ccSetMgr /y
2⤵
PID:1664

C:\Windows\system32\net.exe
net stop ccSetMgr /y
3⤵
PID:3060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
4⤵
PID:2404

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop SavRoam /y
2⤵
PID:3752

C:\Windows\system32\net.exe
net stop SavRoam /y
3⤵
PID:1324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
4⤵
PID:2816

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop RTVscan /y
2⤵
PID:2296

C:\Windows\system32\net.exe
net stop RTVscan /y
3⤵
PID:2120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
4⤵
PID:2164

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop QBFCService /y
2⤵
PID:2172

C:\Windows\system32\net.exe
net stop QBFCService /y
3⤵
PID:3920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
4⤵
PID:60

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop QBIDPService /y
2⤵
PID:2324

C:\Windows\system32\net.exe
net stop QBIDPService /y
3⤵
PID:3640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
4⤵
PID:2072

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop Intuit.QuickBooks.FCS /y
2⤵
PID:3216

C:\Windows\system32\net.exe
net stop Intuit.QuickBooks.FCS /y
3⤵
PID:2848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
4⤵
PID:3796

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop QBCFMonitorService /y
2⤵
PID:3592

C:\Windows\system32\net.exe
net stop QBCFMonitorService /y
3⤵
PID:1880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
4⤵
PID:3280

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop YooBackup /y
2⤵
PID:2624

C:\Windows\system32\net.exe
net stop YooBackup /y
3⤵
PID:1256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooBackup /y
4⤵
PID:2340

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop YooIT /y
2⤵
PID:1856

C:\Windows\system32\net.exe
net stop YooIT /y
3⤵
PID:2148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop YooIT /y
4⤵
PID:1020

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop zhudongfangyu /y
2⤵
PID:3648

C:\Windows\system32\net.exe
net stop zhudongfangyu /y
3⤵
PID:764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
4⤵
PID:1200

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop sophos /y
2⤵
PID:2144

C:\Windows\system32\net.exe
net stop sophos /y
3⤵
PID:2240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
4⤵
PID:3620

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop stc_raw_agent /y
2⤵
PID:60

C:\Windows\system32\net.exe
net stop stc_raw_agent /y
3⤵
PID:2152

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
4⤵
PID:3920

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VSNAPVSS /y
2⤵
PID:3956

C:\Windows\system32\net.exe
net stop VSNAPVSS /y
3⤵
PID:1972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
4⤵
PID:3204

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamTransportSvc /y
2⤵
PID:3496

C:\Windows\system32\net.exe
net stop VeeamTransportSvc /y
3⤵
PID:2848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
4⤵
PID:736

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamDeploymentService /y
2⤵
PID:584

C:\Windows\system32\net.exe
net stop VeeamDeploymentService /y
3⤵
PID:1880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamDeploymentService /y
4⤵
PID:3592

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop VeeamNFSSvc /y
2⤵
PID:1604

C:\Windows\system32\net.exe
net stop VeeamNFSSvc /y
3⤵
PID:768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop VeeamNFSSvc /y
4⤵
PID:2624

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop veeam /y
2⤵
PID:2340

C:\Windows\system32\net.exe
net stop veeam /y
3⤵
PID:2148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop veeam /y
4⤵
PID:1856

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop PDVFSService /y
2⤵
PID:972

C:\Windows\system32\net.exe
net stop PDVFSService /y
3⤵
PID:764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop PDVFSService /y
4⤵
PID:3648

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecVSSProvider /y
2⤵
PID:2296

C:\Windows\system32\net.exe
net stop BackupExecVSSProvider /y
3⤵
PID:2240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecVSSProvider /y
4⤵
PID:2144

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecAgentAccelerator /y
2⤵
PID:588

C:\Windows\system32\net.exe
net stop BackupExecAgentAccelerator /y
3⤵
PID:384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
4⤵
PID:3916

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecAgentBrowser /y
2⤵
PID:3424

C:\Windows\system32\net.exe
net stop BackupExecAgentBrowser /y
3⤵
PID:1972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
4⤵
PID:3248

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecDiveciMediaService /y
2⤵
PID:2840

C:\Windows\system32\net.exe
net stop BackupExecDiveciMediaService /y
3⤵
PID:2848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
4⤵
PID:3496

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecJobEngine /y
2⤵
PID:508

C:\Windows\system32\net.exe
net stop BackupExecJobEngine /y
3⤵
PID:1880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
4⤵
PID:584

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecManagementService /y
2⤵
PID:1664

C:\Windows\system32\net.exe
net stop BackupExecManagementService /y
3⤵
PID:768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
4⤵
PID:3548

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop BackupExecRPCService /y
2⤵
PID:3000

C:\Windows\system32\net.exe
net stop BackupExecRPCService /y
3⤵
PID:2308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BackupExecRPCService /y
4⤵
PID:2340

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop AcrSch2Svc /y
2⤵
PID:1172

C:\Windows\system32\net.exe
net stop AcrSch2Svc /y
3⤵
PID:764

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
4⤵
PID:1200

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop AcronisAgent /y
2⤵
PID:3540

C:\Windows\system32\net.exe
net stop AcronisAgent /y
3⤵
PID:2244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
4⤵
PID:2236

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop CASAD2DWebSvc /y
2⤵
PID:2144

C:\Windows\system32\net.exe
net stop CASAD2DWebSvc /y
3⤵
PID:384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
4⤵
PID:3212

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop CAARCUpdateSvc /y
2⤵
PID:3876

C:\Windows\system32\net.exe
net stop CAARCUpdateSvc /y
3⤵
PID:1972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
4⤵
PID:3424

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c net stop GoogleChromeElevationService /y
2⤵
PID:1964

C:\Windows\system32\net.exe
net stop GoogleChromeElevationService /y
3⤵
PID:2848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop GoogleChromeElevationService /y
4⤵
PID:3216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
PID:652

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
2⤵
PID:2272

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-173-0x0000000000000000-mapping.dmp

Download
memory/184-143-0x0000000000000000-mapping.dmp

Download
memory/188-141-0x0000000000000000-mapping.dmp

Download
memory/192-161-0x0000000000000000-mapping.dmp

Download
memory/200-120-0x0000000000000000-mapping.dmp

Download
memory/416-139-0x0000000000000000-mapping.dmp

Download
memory/496-146-0x0000000000000000-mapping.dmp

Download
memory/512-118-0x0000000000000000-mapping.dmp

Download
memory/512-159-0x0000000000000000-mapping.dmp

Download
memory/580-138-0x0000000000000000-mapping.dmp

Download
memory/740-144-0x0000000000000000-mapping.dmp

Download
memory/764-147-0x0000000000000000-mapping.dmp

Download
memory/912-130-0x0000000000000000-mapping.dmp

Download
memory/940-121-0x0000000000000000-mapping.dmp

Download
memory/1316-126-0x0000000000000000-mapping.dmp

Download
memory/1324-166-0x0000000000000000-mapping.dmp

Download
memory/1664-162-0x0000000000000000-mapping.dmp

Download
memory/1788-133-0x0000000000000000-mapping.dmp

Download
memory/1848-157-0x0000000000000000-mapping.dmp

Download
memory/1880-119-0x0000000000000000-mapping.dmp

Download
memory/1964-114-0x0000000000000000-mapping.dmp

Download
memory/1972-134-0x0000000000000000-mapping.dmp

Download
memory/2000-154-0x0000000000000000-mapping.dmp

Download
memory/2072-136-0x0000000000000000-mapping.dmp

Download
memory/2072-115-0x0000000000000000-mapping.dmp

Download
memory/2072-176-0x0000000000000000-mapping.dmp

Download
memory/2120-169-0x0000000000000000-mapping.dmp

Download
memory/2124-127-0x0000000000000000-mapping.dmp

Download
memory/2144-128-0x0000000000000000-mapping.dmp

Download
memory/2164-170-0x0000000000000000-mapping.dmp

Download
memory/2172-171-0x0000000000000000-mapping.dmp

Download
memory/2192-148-0x0000000000000000-mapping.dmp

Download
memory/2236-129-0x0000000000000000-mapping.dmp

Download
memory/2240-149-0x0000000000000000-mapping.dmp

Download
memory/2244-150-0x0000000000000000-mapping.dmp

Download
memory/2296-168-0x0000000000000000-mapping.dmp

Download
memory/2304-122-0x0000000000000000-mapping.dmp

Download
memory/2324-174-0x0000000000000000-mapping.dmp

Download
memory/2324-155-0x0000000000000000-mapping.dmp

Download
memory/2404-164-0x0000000000000000-mapping.dmp

Download
memory/2404-142-0x0000000000000000-mapping.dmp

Download
memory/2512-152-0x0000000000000000-mapping.dmp

Download
memory/2624-160-0x0000000000000000-mapping.dmp

Download
memory/2804-145-0x0000000000000000-mapping.dmp

Download
memory/2816-167-0x0000000000000000-mapping.dmp

Download
memory/2840-117-0x0000000000000000-mapping.dmp

Download
memory/2844-140-0x0000000000000000-mapping.dmp

Download
memory/3060-163-0x0000000000000000-mapping.dmp

Download
memory/3216-177-0x0000000000000000-mapping.dmp

Download
memory/3216-158-0x0000000000000000-mapping.dmp

Download
memory/3248-116-0x0000000000000000-mapping.dmp

Download
memory/3292-137-0x0000000000000000-mapping.dmp

Download
memory/3368-132-0x0000000000000000-mapping.dmp

Download
memory/3396-124-0x0000000000000000-mapping.dmp

Download
memory/3420-153-0x0000000000000000-mapping.dmp

Download
memory/3640-175-0x0000000000000000-mapping.dmp

Download
memory/3648-125-0x0000000000000000-mapping.dmp

Download
memory/3752-165-0x0000000000000000-mapping.dmp

Download
memory/3796-156-0x0000000000000000-mapping.dmp

Download
memory/3916-151-0x0000000000000000-mapping.dmp

Download
memory/3920-172-0x0000000000000000-mapping.dmp

Download
memory/3920-131-0x0000000000000000-mapping.dmp

Download
memory/3956-135-0x0000000000000000-mapping.dmp

Download
memory/3992-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads