Analysis
- max time kernel: 49s
- max time network: 129s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 28/05/2021, 17:48

Static task: static1
Behavioral task: behavioral1
- Sample: sample.exe
- Resource: win7v20210410
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: sample.exe
- Resource: win10v20210410
- 0 signatures, 0 seconds
General
- Target: sample.exe
- Size: 1.3MB
- MD5: 0e64acab6fb3d50aaebc17e6dfb2d289
- SHA1: c5c672a4a8ebae04cf7471c56136dce58ccd88f0
- SHA256: cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f
- SHA512: e797d31d7355d1f222a444fa934599582ffd9593185668382b9ad05ade1086d152f342305fb1b734a4cc0f691b2b4ba70fd8f183f77aa3f6f775a470fb4e7013
- Score: 8/10
Malware Config
Signatures
Modifies Windows Firewall (1 TTP)

Drops desktop.ini file(s) (8 IoCs; process: sample.exe for every entry)
- File created: C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
- File opened for modification: C:\Program Files (x86)\desktop.ini
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
- File created: C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini
- File opened for modification: C:\Program Files\desktop.ini
- File created: C:\Program Files\desktop.ini
- File opened for modification: C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
Drops file in Program Files directory (64 IoCs; process: sample.exe for every entry)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-40.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\ui-strings.js
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Deal\New-Deal-up.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\es_60x42.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\um_60x42.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.AppTk.SceneGraph.UAP.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Maps.dll
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXP_PDF.DLL
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLMF.DLL
- File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ar.pak.[[email protected]][MJ-HO9756032481].poker
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-pl.xrm-ms
- File created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.[[email protected]][MJ-HO9756032481].poker
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\PaintSmallTile.scale-150.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-400.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\IncomingCallBrandingImage.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\mf_60x42.png
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\PREVIEW.GIF
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\SQLite3Wrapper.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-24_contrast-black.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\resources.pri
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square310x150Logo.scale-100.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1850_20x20x32.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\remove.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20.png
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui
- File created: C:\Program Files\7-Zip\Lang\ms.txt.[[email protected]][MJ-HO9756032481].poker
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALA.TTF.[[email protected]][MJ-HO9756032481].poker
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\Animation\crown_2.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-96.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.[[email protected]][MJ-HO9756032481].poker
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\lib\cmm\GRAY.pf
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\11s.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\rtmpal.dll
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ui-strings.js
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.ResourceResolver.exe
- File created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.[[email protected]][MJ-HO9756032481].poker
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8201_40x40x32.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\SmallTile.scale-100.png
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Exist.Tests.ps1
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\micaut.dll
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-timezone-l1-1-0.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Extreme_Altitude_.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_ellipses_selected.svg
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\ui-strings.js
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\Common.FileUtils.Resources.dll
- File created: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAB.TTF.[[email protected]][MJ-HO9756032481].poker
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\fishfosl.jpg
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\SharpDXEngine\Rendering\Shaders\Builtin\HLSL\Textured.fx
- File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.[[email protected]][MJ-HO9756032481].poker
- File created: C:\Program Files\7-Zip\7-zip.dll.[[email protected]][MJ-HO9756032481].poker
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar
NTFS ADS (3 IoCs; process: sample.exe for every entry; the stream names are not recoverable from the report)
- File opened for modification: C:\Documents and Settings\zh-TW\8:喈Ï̜t.ex
- File opened for modification: C:\Documents and Settings\zh-TW\8:咀É˴t.ex
- File opened for modification: C:\Documents and Settings\zh-TW\8:厐Ï̈́t.ex
Runs net.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
- pid 3656 sample.exe (all 18 events come from this one process)
Suspicious use of WriteProcessMemory (64 IoCs; the listing stops at 64, so the later child processes in the tree below do not appear here)
Format: source PID (image) wrote to memory of target PID (procid_target): number of events
- 3656 (sample.exe) wrote to memory of 1748 (procid_target 75): 3 events
- 1748 (cmd.exe) wrote to memory of 2204 (procid_target 77): 3 events
- 2204 (net.exe) wrote to memory of 2388 (procid_target 78): 3 events
- 3656 (sample.exe) wrote to memory of 4052 (procid_target 80): 3 events
- 3656 (sample.exe) wrote to memory of 4012 (procid_target 83): 3 events
- 3656 (sample.exe) wrote to memory of 3124 (procid_target 85): 3 events
- 3656 (sample.exe) wrote to memory of 3028 (procid_target 87): 3 events
- 3028 (cmd.exe) wrote to memory of 4076 (procid_target 89): 3 events
- 4076 (net.exe) wrote to memory of 3348 (procid_target 90): 3 events
- 3656 (sample.exe) wrote to memory of 3152 (procid_target 91): 3 events
- 3152 (cmd.exe) wrote to memory of 2108 (procid_target 93): 3 events
- 2108 (net.exe) wrote to memory of 3728 (procid_target 94): 3 events
- 3656 (sample.exe) wrote to memory of 2208 (procid_target 95): 3 events
- 2208 (cmd.exe) wrote to memory of 1468 (procid_target 97): 3 events
- 1468 (net.exe) wrote to memory of 800 (procid_target 98): 3 events
- 3656 (sample.exe) wrote to memory of 2364 (procid_target 99): 3 events
- 2364 (cmd.exe) wrote to memory of 2388 (procid_target 101): 3 events
- 3656 (sample.exe) wrote to memory of 1908 (procid_target 102): 3 events
- 1908 (cmd.exe) wrote to memory of 3480 (procid_target 104): 3 events
- 3656 (sample.exe) wrote to memory of 2676 (procid_target 105): 3 events
- 2676 (cmd.exe) wrote to memory of 1224 (procid_target 107): 3 events
- 1224 (net.exe) wrote to memory of 3812 (procid_target 108): 1 event (listing truncated)
Processes
- PID 3656: C:\Users\Admin\AppData\Local\Temp\sample.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  sigs: Drops desktop.ini file(s); Drops file in Program Files directory; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 1748: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop MSDTC
    sigs: Suspicious use of WriteProcessMemory
    - PID 2204: C:\Windows\SysWOW64\net.exe
      cmd: net stop MSDTC
      sigs: Suspicious use of WriteProcessMemory
      - PID 2388: C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop MSDTC
  - PID 4052: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - PID 4012: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  - PID 3124: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - PID 3028: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    sigs: Suspicious use of WriteProcessMemory
    - PID 4076: C:\Windows\SysWOW64\net.exe
      cmd: net stop SQLSERVERAGENT
      sigs: Suspicious use of WriteProcessMemory
      - PID 3348: C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop SQLSERVERAGENT
  - PID 3152: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    sigs: Suspicious use of WriteProcessMemory
    - PID 2108: C:\Windows\SysWOW64\net.exe
      cmd: net stop MSSQLSERVER
      sigs: Suspicious use of WriteProcessMemory
      - PID 3728: C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop MSSQLSERVER
  - PID 2208: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop vds
    sigs: Suspicious use of WriteProcessMemory
    - PID 1468: C:\Windows\SysWOW64\net.exe
      cmd: net stop vds
      sigs: Suspicious use of WriteProcessMemory
      - PID 800: C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop vds
  - PID 2364: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    sigs: Suspicious use of WriteProcessMemory
    - PID 2388: C:\Windows\SysWOW64\netsh.exe
      cmd: netsh advfirewall set currentprofile state off
  - PID 1908: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    sigs: Suspicious use of WriteProcessMemory
    - PID 3480: C:\Windows\SysWOW64\netsh.exe
      cmd: netsh firewall set opmode mode=disable
  - PID 2676: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    sigs: Suspicious use of WriteProcessMemory
    - PID 1224: C:\Windows\SysWOW64\net.exe
      cmd: net stop SQLWriter
      sigs: Suspicious use of WriteProcessMemory
      - PID 3812: C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop SQLWriter
  - PID 3308: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    - PID 3736: C:\Windows\SysWOW64\net.exe
      cmd: net stop SQLBrowser
      - PID 4000: C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop SQLBrowser
  - PID 1308: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - PID 2300: C:\Windows\SysWOW64\net.exe
      cmd: net stop MSSQLSERVER
      - PID 856: C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop MSSQLSERVER
  - PID 1104: C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    - PID 2668: C:\Windows\SysWOW64\net.exe
      cmd: net stop MSSQL$CONTOSO1
      - PID 2348: C:\Windows\SysWOW64\net1.exe
        cmd: C:\Windows\system32\net1 stop MSSQL$CONTOSO1