nemty | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07

General

Target

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
Size

207KB
MD5

ae24eb430be3d0598b7510bba484f580
SHA1

9b6a75b930e8ea41578ec0a6d3df2259a6990d1d
SHA256

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07
SHA512

ca5ec7ca780642bc0105a84c7f4eea60b826d36429ecdceb2a9bb27f2ce688909a6953d18bd9884b19a36604a8c170876c6997c743ca3dbe44ecdfd4a142042a

Score

10^/10

nemty ransomware suricata

Malware Config

Signatures

Nemty
Ransomware discovered in late 2019 which has been actively developed/updated over time.
ransomware nemty
suricata: ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\InitializeConvert.tiff	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRegister.tiff	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\SwitchRestart.tif => C:\Users\Admin\Pictures\SwitchRestart.tif.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\TraceStop.raw => C:\Users\Admin\Pictures\TraceStop.raw.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\GetFind.png => C:\Users\Admin\Pictures\GetFind.png.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\GrantFind.png => C:\Users\Admin\Pictures\GrantFind.png.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\RenameTest.raw => C:\Users\Admin\Pictures\RenameTest.raw.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\RepairSearch.crw => C:\Users\Admin\Pictures\RepairSearch.crw.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\SyncOpen.png => C:\Users\Admin\Pictures\SyncOpen.png.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\OutInitialize.crw => C:\Users\Admin\Pictures\OutInitialize.crw.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\InitializeConvert.tiff => C:\Users\Admin\Pictures\InitializeConvert.tiff.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\ReadRegister.tiff => C:\Users\Admin\Pictures\ReadRegister.tiff.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\ResumeSync.crw => C:\Users\Admin\Pictures\ResumeSync.crw.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
File renamed	C:\Users\Admin\Pictures\WatchHide.tif => C:\Users\Admin\Pictures\WatchHide.tif.NEMTY_LTM73P4	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.db-ip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2748 schtasks.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1752 vssadmin.exe
308 vssadmin.exe
2608 vssadmin.exe

flow	ioc
14	api.db-ip.com

pid	process
2748	schtasks.exe

pid	process
1752	vssadmin.exe
308	vssadmin.exe
2608	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
916	taskkill.exe
1968	taskkill.exe
1384	taskkill.exe
2088	taskkill.exe
796	taskkill.exe
984	taskkill.exe
2056	taskkill.exe
1016	taskkill.exe
2096	taskkill.exe
748	taskkill.exe
1524	taskkill.exe
2068	taskkill.exe
2076	taskkill.exe
1668	taskkill.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

pid	process
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

vssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1204	vssvc.exe
Token: SeRestorePrivilege	1204	vssvc.exe
Token: SeAuditPrivilege	1204	vssvc.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	748	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	2076	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe
Token: 35	1616	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1616	WMIC.exe
Token: SeSecurityPrivilege	1616	WMIC.exe
Token: SeTakeOwnershipPrivilege	1616	WMIC.exe
Token: SeLoadDriverPrivilege	1616	WMIC.exe
Token: SeSystemProfilePrivilege	1616	WMIC.exe
Token: SeSystemtimePrivilege	1616	WMIC.exe
Token: SeProfSingleProcessPrivilege	1616	WMIC.exe
Token: SeIncBasePriorityPrivilege	1616	WMIC.exe
Token: SeCreatePagefilePrivilege	1616	WMIC.exe
Token: SeBackupPrivilege	1616	WMIC.exe
Token: SeRestorePrivilege	1616	WMIC.exe
Token: SeShutdownPrivilege	1616	WMIC.exe
Token: SeDebugPrivilege	1616	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1616	WMIC.exe
Token: SeRemoteShutdownPrivilege	1616	WMIC.exe
Token: SeUndockPrivilege	1616	WMIC.exe
Token: SeManageVolumePrivilege	1616	WMIC.exe
Token: 33	1616	WMIC.exe
Token: 34	1616	WMIC.exe
Token: 35	1616	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 1632	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1632	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1632	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1632	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1520	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1520	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1520	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1520	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 1632 wrote to memory of 308	1632	cmd.exe	vssadmin.exe
PID 1632 wrote to memory of 308	1632	cmd.exe	vssadmin.exe
PID 1632 wrote to memory of 308	1632	cmd.exe	vssadmin.exe
PID 1632 wrote to memory of 308	1632	cmd.exe	vssadmin.exe
PID 1520 wrote to memory of 1752	1520	cmd.exe	vssadmin.exe
PID 1520 wrote to memory of 1752	1520	cmd.exe	vssadmin.exe
PID 1520 wrote to memory of 1752	1520	cmd.exe	vssadmin.exe
PID 1520 wrote to memory of 1752	1520	cmd.exe	vssadmin.exe
PID 816 wrote to memory of 1352	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1352	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1352	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1352	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1044	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1044	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1044	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1044	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1376	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1376	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1376	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1376	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 1044 wrote to memory of 748	1044	cmd.exe	taskkill.exe
PID 1044 wrote to memory of 748	1044	cmd.exe	taskkill.exe
PID 1044 wrote to memory of 748	1044	cmd.exe	taskkill.exe
PID 1044 wrote to memory of 748	1044	cmd.exe	taskkill.exe
PID 816 wrote to memory of 1372	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1372	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1372	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1372	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1880	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1880	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1880	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1880	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 1376 wrote to memory of 1668	1376	cmd.exe	taskkill.exe
PID 1376 wrote to memory of 1668	1376	cmd.exe	taskkill.exe
PID 1376 wrote to memory of 1668	1376	cmd.exe	taskkill.exe
PID 1376 wrote to memory of 1668	1376	cmd.exe	taskkill.exe
PID 1372 wrote to memory of 796	1372	cmd.exe	taskkill.exe
PID 1372 wrote to memory of 796	1372	cmd.exe	taskkill.exe
PID 1372 wrote to memory of 796	1372	cmd.exe	taskkill.exe
PID 1372 wrote to memory of 796	1372	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 984	1880	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 984	1880	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 984	1880	cmd.exe	taskkill.exe
PID 1880 wrote to memory of 984	1880	cmd.exe	taskkill.exe
PID 816 wrote to memory of 1012	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1012	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1012	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1012	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1752	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1752	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1752	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 1752	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 996	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 996	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 996	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe
PID 816 wrote to memory of 996	816	a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
"C:\Users\Admin\AppData\Local\Temp\a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe"
1⤵
- Modifies extensions of user files
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\vssadmin.exe
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.*
2⤵
PID:1352

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.*
2⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im wordpad.*
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wordpad.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im outlook.*
2⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im outlook.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im thunderbird.*
2⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im thunderbird.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im oracle.*
2⤵
PID:1012

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im oracle.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im excel.*
2⤵
PID:1752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im onenote.*
2⤵
PID:996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im onenote.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im virtualboxvm.*
2⤵
PID:1572

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im virtualboxvm.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im node.*
2⤵
PID:1396

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im node.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im QBW32.*
2⤵
PID:1588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im QBW32.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im WBGX.*
2⤵
PID:1776

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WBGX.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im Teams.*
2⤵
PID:1644

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Teams.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im Flow.*
2⤵
PID:268

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Flow.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop DbxSvc
2⤵
PID:292

C:\Windows\SysWOW64\net.exe
net stop DbxSvc
3⤵
PID:2104

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop DbxSvc
4⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop OracleXETNSListener
2⤵
PID:1068

C:\Windows\SysWOW64\net.exe
net stop OracleXETNSListener
3⤵
PID:2164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleXETNSListener
4⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop OracleServiceXE
2⤵
PID:2132

C:\Windows\SysWOW64\net.exe
net stop OracleServiceXE
3⤵
PID:2240

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop OracleServiceXE
4⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop AcrSch2Svc
2⤵
PID:2232

C:\Windows\SysWOW64\net.exe
net stop AcrSch2Svc
3⤵
PID:2348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcrSch2Svc
4⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop AcronisAgent
2⤵
PID:2264

C:\Windows\SysWOW64\net.exe
net stop AcronisAgent
3⤵
PID:2372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop AcronisAgent
4⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop Apache2.4
2⤵
PID:2280

C:\Windows\SysWOW64\net.exe
net stop Apache2.4
3⤵
PID:2400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop Apache2.4
4⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop SQLWriter
2⤵
PID:2316

C:\Windows\SysWOW64\net.exe
net stop SQLWriter
3⤵
PID:2436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLWriter
4⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
2⤵
PID:2356

C:\Windows\SysWOW64\net.exe
net stop MSSQL$SQLEXPRESS
3⤵
PID:2488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
4⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop MSSQLServerADHelper100
2⤵
PID:2388

C:\Windows\SysWOW64\net.exe
net stop MSSQLServerADHelper100
3⤵
PID:2620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
4⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop MongoDB
2⤵
PID:2456

C:\Windows\SysWOW64\net.exe
net stop MongoDB
3⤵
PID:2668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MongoDB
4⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop SQLAgent$SQLEXPRESS
2⤵
PID:2468

C:\Windows\SysWOW64\net.exe
net stop SQLAgent$SQLEXPRESS
3⤵
PID:2672

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
4⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop SQLBrowser
2⤵
PID:2600

C:\Windows\SysWOW64\net.exe
net stop SQLBrowser
3⤵
PID:2712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
4⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop CobianBackup11
2⤵
PID:2692

C:\Windows\SysWOW64\net.exe
net stop CobianBackup11
3⤵
PID:2832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop CobianBackup11
4⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop cbVSCService11
2⤵
PID:2720

C:\Windows\SysWOW64\net.exe
net stop cbVSCService11
3⤵
PID:2840

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop cbVSCService11
4⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop QBCFMontorService
2⤵
PID:2728

C:\Windows\SysWOW64\net.exe
net stop QBCFMontorService
3⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop QBVSS
2⤵
PID:2768

C:\Windows\SysWOW64\net.exe
net stop QBVSS
3⤵
PID:2996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBVSS
4⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:2792

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:2804

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:2824

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:2452

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
4⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:2848

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:2872

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:2200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
4⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop
2⤵
PID:2912

C:\Windows\SysWOW64\net.exe
net stop
3⤵
PID:2616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
4⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
2⤵
PID:2180

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2608

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /create /sc onstart /tn "NEMTY_LTM73P4" /tr "C:\Users\Admin\AdobeUpdate.exe"
2⤵
PID:2140

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /sc onstart /tn "NEMTY_LTM73P4" /tr "C:\Users\Admin\AdobeUpdate.exe"
3⤵
- Creates scheduled task(s)
PID:2748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\NEMTY_LTM73P4-DECRYPT.txt"
2⤵
PID:2788

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\NEMTY_LTM73P4-DECRYPT.txt
3⤵
PID:2792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBCFMontorService
1⤵
PID:2380

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
1⤵
PID:2332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
1⤵
PID:2368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop
1⤵
PID:2432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File Deletion

2

T1107

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\NEMTY_LTM73P4-DECRYPT.txt
MD5
87c36b4ecc22c87362a66277c2ad5532

SHA1
4110bef7d90f87d4356c07b2e0829e4ebe545fe6

SHA256
90d26ae395048c54a95b5ef9bf9b14cd49f5148e7a033f1d2d7e2d70901b8a2e

SHA512
a23f2752b3173cfa57cbbfe3efe75637b02465e16c97899df7f752808c9d0f013695db222474d3a1c0b34cde6667614807d0ee5c224cead10ad101513e850f72

Download Submit
memory/268-83-0x0000000000000000-mapping.dmp

Download
memory/292-84-0x0000000000000000-mapping.dmp

Download
memory/308-62-0x0000000000000000-mapping.dmp

Download
memory/748-69-0x0000000000000000-mapping.dmp

Download
memory/796-73-0x0000000000000000-mapping.dmp

Download
memory/816-64-0x0000000000220000-0x0000000000238000-memory.dmp

Filesize
96KB

Download
memory/816-65-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/816-59-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/916-85-0x0000000000000000-mapping.dmp

Download
memory/984-74-0x0000000000000000-mapping.dmp

Download
memory/996-77-0x0000000000000000-mapping.dmp

Download
memory/1012-75-0x0000000000000000-mapping.dmp

Download
memory/1016-90-0x0000000000000000-mapping.dmp

Download
memory/1044-67-0x0000000000000000-mapping.dmp

Download
memory/1068-86-0x0000000000000000-mapping.dmp

Download
memory/1352-66-0x0000000000000000-mapping.dmp

Download
memory/1372-70-0x0000000000000000-mapping.dmp

Download
memory/1376-68-0x0000000000000000-mapping.dmp

Download
memory/1384-98-0x0000000000000000-mapping.dmp

Download
memory/1396-79-0x0000000000000000-mapping.dmp

Download
memory/1520-61-0x0000000000000000-mapping.dmp

Download
memory/1524-88-0x0000000000000000-mapping.dmp

Download
memory/1572-78-0x0000000000000000-mapping.dmp

Download
memory/1588-80-0x0000000000000000-mapping.dmp

Download
memory/1632-60-0x0000000000000000-mapping.dmp

Download
memory/1644-82-0x0000000000000000-mapping.dmp

Download
memory/1668-72-0x0000000000000000-mapping.dmp

Download
memory/1752-76-0x0000000000000000-mapping.dmp

Download
memory/1752-63-0x0000000000000000-mapping.dmp

Download
memory/1776-81-0x0000000000000000-mapping.dmp

Download
memory/1880-71-0x0000000000000000-mapping.dmp

Download
memory/1968-87-0x0000000000000000-mapping.dmp

Download
memory/2056-89-0x0000000000000000-mapping.dmp

Download
memory/2068-97-0x0000000000000000-mapping.dmp

Download
memory/2076-91-0x0000000000000000-mapping.dmp

Download
memory/2088-92-0x0000000000000000-mapping.dmp

Download
memory/2096-96-0x0000000000000000-mapping.dmp

Download
memory/2104-93-0x0000000000000000-mapping.dmp

Download
memory/2132-95-0x0000000000000000-mapping.dmp

Download
memory/2164-94-0x0000000000000000-mapping.dmp

Download
memory/2232-99-0x0000000000000000-mapping.dmp

Download
memory/2240-100-0x0000000000000000-mapping.dmp

Download
memory/2264-101-0x0000000000000000-mapping.dmp

Download
memory/2280-102-0x0000000000000000-mapping.dmp

Download
memory/2316-103-0x0000000000000000-mapping.dmp

Download
memory/2348-105-0x0000000000000000-mapping.dmp

Download
memory/2356-104-0x0000000000000000-mapping.dmp

Download
memory/2372-106-0x0000000000000000-mapping.dmp

Download
memory/2388-107-0x0000000000000000-mapping.dmp

Download
memory/2400-108-0x0000000000000000-mapping.dmp

Download
memory/2436-109-0x0000000000000000-mapping.dmp

Download
memory/2456-110-0x0000000000000000-mapping.dmp

Download
memory/2468-111-0x0000000000000000-mapping.dmp

Download
memory/2488-112-0x0000000000000000-mapping.dmp

Download
memory/2516-113-0x0000000000000000-mapping.dmp

Download
memory/2524-117-0x0000000000000000-mapping.dmp

Download
memory/2532-114-0x0000000000000000-mapping.dmp

Download
memory/2544-115-0x0000000000000000-mapping.dmp

Download
memory/2552-120-0x0000000000000000-mapping.dmp

Download
memory/2568-125-0x0000000000000000-mapping.dmp

Download
memory/2588-118-0x0000000000000000-mapping.dmp

Download
memory/2600-116-0x0000000000000000-mapping.dmp

Download
memory/2620-119-0x0000000000000000-mapping.dmp

Download
memory/2652-124-0x0000000000000000-mapping.dmp

Download
memory/2668-121-0x0000000000000000-mapping.dmp

Download
memory/2672-122-0x0000000000000000-mapping.dmp

Download
memory/2692-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads