2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21

Resubmissions

04-11-2021 15:34

211104-sz21psghe5 10

29-10-2021 15:29

211029-swzq6saccp 10

29-10-2021 07:07

211029-hxtanshefl 8

Analysis

max time kernel
111s
max time network
114s
platform
windows10_x64
resource
win10-en-20210920
submitted
29-10-2021 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Worker-1.exe
Size

385KB
MD5

7677a593678d9c4552578fab18a27384
SHA1

5c3b0d278df728c67122ac3ab7184c3f9ebfaa4f
SHA256

2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21
SHA512

8bbce3eefabf7e7d900ba3fa0a42ca3be265425c8b5675e27839a1397d1653ae54e3abbd8a6b0b8ff7ab44d130afb1a81d04d57af42dc45e7227d676a335e082

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	32	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 21 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ExportRemove.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\PingUnblock.raw => C:\Users\Admin\Pictures\PingUnblock.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\StepEnable.tif.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\WaitUninstall.tiff	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\WaitUninstall.tiff.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\EditReceive.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\ExportClear.tif => C:\Users\Admin\Pictures\ExportClear.tif.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\PingUnblock.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterRestart.tif.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\WaitUninstall.tiff => C:\Users\Admin\Pictures\WaitUninstall.tiff.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\ConvertDismount.raw => C:\Users\Admin\Pictures\ConvertDismount.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertDismount.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\ExportClear.tif.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\ExportRemove.png => C:\Users\Admin\Pictures\ExportRemove.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\EditReceive.png => C:\Users\Admin\Pictures\EditReceive.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\SetSwitch.crw => C:\Users\Admin\Pictures\SetSwitch.crw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\SetSwitch.crw.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\StepEnable.tif => C:\Users\Admin\Pictures\StepEnable.tif.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\UnregisterRestart.tif => C:\Users\Admin\Pictures\UnregisterRestart.tif.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\DisconnectMerge.png => C:\Users\Admin\Pictures\DisconnectMerge.png.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\DisconnectMerge.png.v4cnyy	Worker-1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	Worker-1.exe
File opened (read-only)	\??\Z:	Worker-1.exe
File opened (read-only)	\??\X:	Worker-1.exe
File opened (read-only)	\??\W:	Worker-1.exe
File opened (read-only)	\??\Y:	Worker-1.exe
File opened (read-only)	\??\V:	Worker-1.exe
File opened (read-only)	\??\B:	Worker-1.exe
File opened (read-only)	\??\Q:	Worker-1.exe
File opened (read-only)	\??\F:	Worker-1.exe
File opened (read-only)	\??\O:	Worker-1.exe
File opened (read-only)	\??\P:	Worker-1.exe
File opened (read-only)	\??\A:	Worker-1.exe
File opened (read-only)	\??\S:	Worker-1.exe
File opened (read-only)	\??\G:	Worker-1.exe
File opened (read-only)	\??\K:	Worker-1.exe
File opened (read-only)	\??\R:	Worker-1.exe
File opened (read-only)	\??\I:	Worker-1.exe
File opened (read-only)	\??\N:	Worker-1.exe
File opened (read-only)	\??\M:	Worker-1.exe
File opened (read-only)	\??\H:	Worker-1.exe
File opened (read-only)	\??\J:	Worker-1.exe
File opened (read-only)	\??\L:	Worker-1.exe
File opened (read-only)	\??\E:	Worker-1.exe
File opened (read-only)	\??\T:	Worker-1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	Worker-1.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
3492	taskkill.exe
1676	taskkill.exe
820	taskkill.exe
3852	taskkill.exe
3036	taskkill.exe
2648	taskkill.exe
1520	taskkill.exe
1300	taskkill.exe
776	taskkill.exe
616	taskkill.exe
1312	taskkill.exe
328	taskkill.exe
2732	taskkill.exe
1932	taskkill.exe
1456	taskkill.exe
3848	taskkill.exe
2176	taskkill.exe
3064	taskkill.exe
3764	taskkill.exe
1348	taskkill.exe
1584	taskkill.exe
1400	taskkill.exe
1352	taskkill.exe
2336	taskkill.exe
2648	taskkill.exe
628	taskkill.exe
1764	taskkill.exe
3584	taskkill.exe
3632	taskkill.exe
1916	taskkill.exe
428	taskkill.exe
2336	taskkill.exe
416	taskkill.exe
2320	taskkill.exe
976	taskkill.exe
3720	taskkill.exe
3708	taskkill.exe
2220	taskkill.exe
360	taskkill.exe
1576	taskkill.exe
2404	taskkill.exe
1472	taskkill.exe
2404	taskkill.exe
3040	taskkill.exe
1928	taskkill.exe
2636	taskkill.exe
1084	taskkill.exe
3684	taskkill.exe
668	taskkill.exe
3724	taskkill.exe
1596	taskkill.exe
2184	taskkill.exe
3604	taskkill.exe
2492	taskkill.exe
1992	taskkill.exe
3796	taskkill.exe
1344	taskkill.exe
2036	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3908	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2324	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe
3128	Worker-1.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	Worker-1.exe
Token: SeDebugPrivilege	3128	Worker-1.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	3040	Conhost.exe
Token: SeDebugPrivilege	360	taskkill.exe
Token: SeDebugPrivilege	616	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	3852	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1312	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	3796	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	3684	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	416	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	776	taskkill.exe
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3128	Worker-1.exe
3128	Worker-1.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3128	Worker-1.exe
3128	Worker-1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 820	3128	Worker-1.exe	70
PID 3128 wrote to memory of 820	3128	Worker-1.exe	70
PID 3128 wrote to memory of 820	3128	Worker-1.exe	70
PID 3128 wrote to memory of 3252	3128	Worker-1.exe	72
PID 3128 wrote to memory of 3252	3128	Worker-1.exe	72
PID 3128 wrote to memory of 3252	3128	Worker-1.exe	72
PID 3128 wrote to memory of 3908	3128	Worker-1.exe	74
PID 3128 wrote to memory of 3908	3128	Worker-1.exe	74
PID 3128 wrote to memory of 3908	3128	Worker-1.exe	74
PID 3128 wrote to memory of 2168	3128	Worker-1.exe	76
PID 3128 wrote to memory of 2168	3128	Worker-1.exe	76
PID 3128 wrote to memory of 2168	3128	Worker-1.exe	76
PID 3128 wrote to memory of 1392	3128	Worker-1.exe	78
PID 3128 wrote to memory of 1392	3128	Worker-1.exe	78
PID 3128 wrote to memory of 1392	3128	Worker-1.exe	78
PID 3128 wrote to memory of 436	3128	Worker-1.exe	85
PID 3128 wrote to memory of 436	3128	Worker-1.exe	85
PID 3128 wrote to memory of 436	3128	Worker-1.exe	85
PID 3128 wrote to memory of 1196	3128	Worker-1.exe	84
PID 3128 wrote to memory of 1196	3128	Worker-1.exe	84
PID 3128 wrote to memory of 1196	3128	Worker-1.exe	84
PID 3128 wrote to memory of 2728	3128	Worker-1.exe	81
PID 3128 wrote to memory of 2728	3128	Worker-1.exe	81
PID 3128 wrote to memory of 2728	3128	Worker-1.exe	81
PID 3128 wrote to memory of 1148	3128	Worker-1.exe	86
PID 3128 wrote to memory of 1148	3128	Worker-1.exe	86
PID 3128 wrote to memory of 1148	3128	Worker-1.exe	86
PID 3128 wrote to memory of 2444	3128	Worker-1.exe	87
PID 3128 wrote to memory of 2444	3128	Worker-1.exe	87
PID 3128 wrote to memory of 2444	3128	Worker-1.exe	87
PID 3128 wrote to memory of 1396	3128	Worker-1.exe	88
PID 3128 wrote to memory of 1396	3128	Worker-1.exe	88
PID 3128 wrote to memory of 1396	3128	Worker-1.exe	88
PID 3128 wrote to memory of 1512	3128	Worker-1.exe	92
PID 3128 wrote to memory of 1512	3128	Worker-1.exe	92
PID 3128 wrote to memory of 1512	3128	Worker-1.exe	92
PID 3128 wrote to memory of 912	3128	Worker-1.exe	94
PID 3128 wrote to memory of 912	3128	Worker-1.exe	94
PID 3128 wrote to memory of 912	3128	Worker-1.exe	94
PID 3128 wrote to memory of 2336	3128	Worker-1.exe	96
PID 3128 wrote to memory of 2336	3128	Worker-1.exe	96
PID 3128 wrote to memory of 2336	3128	Worker-1.exe	96
PID 3128 wrote to memory of 1584	3128	Worker-1.exe	99
PID 3128 wrote to memory of 1584	3128	Worker-1.exe	99
PID 3128 wrote to memory of 1584	3128	Worker-1.exe	99
PID 3128 wrote to memory of 2320	3128	Worker-1.exe	97
PID 3128 wrote to memory of 2320	3128	Worker-1.exe	97
PID 3128 wrote to memory of 2320	3128	Worker-1.exe	97
PID 3128 wrote to memory of 2648	3128	Worker-1.exe	102
PID 3128 wrote to memory of 2648	3128	Worker-1.exe	102
PID 3128 wrote to memory of 2648	3128	Worker-1.exe	102
PID 3128 wrote to memory of 3848	3128	Worker-1.exe	104
PID 3128 wrote to memory of 3848	3128	Worker-1.exe	104
PID 3128 wrote to memory of 3848	3128	Worker-1.exe	104
PID 3128 wrote to memory of 2176	3128	Worker-1.exe	106
PID 3128 wrote to memory of 2176	3128	Worker-1.exe	106
PID 3128 wrote to memory of 2176	3128	Worker-1.exe	106
PID 3128 wrote to memory of 3720	3128	Worker-1.exe	108
PID 3128 wrote to memory of 3720	3128	Worker-1.exe	108
PID 3128 wrote to memory of 3720	3128	Worker-1.exe	108
PID 3128 wrote to memory of 3708	3128	Worker-1.exe	109
PID 3128 wrote to memory of 3708	3128	Worker-1.exe	109
PID 3128 wrote to memory of 3708	3128	Worker-1.exe	109
PID 3128 wrote to memory of 2220	3128	Worker-1.exe	112

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	Worker-1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	Worker-1.exe

C:\Users\Admin\AppData\Local\Temp\Worker-1.exe
"C:\Users\Admin\AppData\Local\Temp\Worker-1.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3128
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:3252
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3908
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:2168
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1392
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:2728
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:1196
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:436
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1148
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:2444
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1396
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1512
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:912
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3708
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2220
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1400
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  PID:3040
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:360
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  PID:2404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1472
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1584
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1400
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:416
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:2208
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3584
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1392
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:2840
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\-Инструкция.txt
  2⤵
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:4092
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2324
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Worker-1.exe
  2⤵
  PID:628

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-192-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/1800-206-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1800-191-0x00000000041D2000-0x00000000041D3000-memory.dmp

Filesize
4KB

Download
memory/1800-207-0x00000000041D3000-0x00000000041D4000-memory.dmp

Filesize
4KB

Download
memory/1800-208-0x00000000041D4000-0x00000000041D6000-memory.dmp

Filesize
8KB

Download
memory/1800-184-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1800-186-0x0000000006B60000-0x0000000006B61000-memory.dmp

Filesize
4KB

Download
memory/1800-183-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1800-187-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/1800-185-0x0000000004190000-0x0000000004191000-memory.dmp

Filesize
4KB

Download
memory/1800-193-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1800-188-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/1800-194-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

Filesize
4KB

Download
memory/1800-190-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/1800-195-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/1800-196-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3128-117-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3128-115-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/3128-210-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/3128-209-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/3128-129-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download