balaclava | 05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623

General

Target

05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll
Size

212KB
MD5

25a0c625ef34156e73a69a477e80a6e8
SHA1

2bb975338e4ed4f24aaaa231b161bcb228a2bc3f
SHA256

05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623
SHA512

b5822c9f05240cb41ef69ec0fe3ba38f12389b6507e256b39905749ecd951617904d94b9ea0006c6cfd52e7aec64e93fa85a5a16ff26c06791a0d37e2aad805e

Score

10^/10

balaclava ransomware

Malware Config

Extracted

Path

C:\RECOVERY DATA INFORMATION.TXT

Family

balaclava

Ransom Note

Hello! If you see this message - this means your files are now encrypted and are in a non-working state! Now only we can help you recover. If you are ready to restore the work - send us an email to the address decrypthelp@aol.com In the letter, specify your personal identifier, which you will see below. In the reply letter we will inform you the cost of decrypting your files. Also from your servers files, documents, databases SQL, PDF were uploaded to our cloud storage After we agree, you will receive a decryption program, as well as all your files on our server will be deleted. Otherwise, they will fall into the open access of the Internet! Before payment you can send us 1-2 files for test decryption. We will decrypt the files you requested and send you back. This ensures that we own the key to recover your data. The total file size should be no more than 3 MB, the files should not contain valuable information (databases, backups, large Excel spreadsheets ...). Please be sure that we will find common languge. We will restore all the data. Email to contact us - decrypthelp@aol.com Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. Your personal ID: 131-C08-774

Emails

decrypthelp@aol.com

Signatures

Balaclava Malware
Balaclava malware is a ransomware program.
ransomware balaclava
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
File opened (read-only)	\??\J:	rundll32.exe
File opened (read-only)	\??\B:	rundll32.exe
File opened (read-only)	\??\Y:	rundll32.exe
File opened (read-only)	\??\O:	rundll32.exe
File opened (read-only)	\??\N:	rundll32.exe
File opened (read-only)	\??\M:	rundll32.exe
File opened (read-only)	\??\H:	rundll32.exe
File opened (read-only)	\??\G:	rundll32.exe
File opened (read-only)	\??\Z:	rundll32.exe
File opened (read-only)	\??\V:	rundll32.exe
File opened (read-only)	\??\S:	rundll32.exe
File opened (read-only)	\??\K:	rundll32.exe
File opened (read-only)	\??\L:	rundll32.exe
File opened (read-only)	\??\F:	rundll32.exe
File opened (read-only)	\??\E:	rundll32.exe
File opened (read-only)	\??\W:	rundll32.exe
File opened (read-only)	\??\U:	rundll32.exe
File opened (read-only)	\??\R:	rundll32.exe
File opened (read-only)	\??\Q:	rundll32.exe
File opened (read-only)	\??\A:	rundll32.exe
File opened (read-only)	\??\X:	rundll32.exe
File opened (read-only)	\??\T:	rundll32.exe
File opened (read-only)	\??\P:	rundll32.exe
File opened (read-only)	\??\I:	rundll32.exe

Drops file in Program Files directory 64 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	rundll32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\RECOVERY DATA INFORMATION.TXT	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar	rundll32.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\RECOVERY DATA INFORMATION.TXT	rundll32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\RECOVERY DATA INFORMATION.TXT	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\THMBNAIL.PNG	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_zh_CN.jar.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.131-C08-774	rundll32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\RECOVERY DATA INFORMATION.TXT	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-windows.jar	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@3x.png	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning@2x.png.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\THMBNAIL.PNG	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osm.x-none.msi.16.x-none.vreg.dat	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICI.TTF	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.INF	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-windows.xml.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_zh_CN.jar.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\PREVIEW.GIF.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\java.security	rundll32.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\RECOVERY DATA INFORMATION.TXT	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF.131-C08-774	rundll32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\RECOVERY DATA INFORMATION.TXT	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.131-C08-774	rundll32.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\RECOVERY DATA INFORMATION.TXT	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\THMBNAIL.PNG	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.png	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBHW6.CHM.131-C08-774	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar	rundll32.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2948 net.exe
Runs net.exe

pid	process
2948	net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2272	WMIC.exe
Token: SeSecurityPrivilege	2272	WMIC.exe
Token: SeTakeOwnershipPrivilege	2272	WMIC.exe
Token: SeLoadDriverPrivilege	2272	WMIC.exe
Token: SeSystemProfilePrivilege	2272	WMIC.exe
Token: SeSystemtimePrivilege	2272	WMIC.exe
Token: SeProfSingleProcessPrivilege	2272	WMIC.exe
Token: SeIncBasePriorityPrivilege	2272	WMIC.exe
Token: SeCreatePagefilePrivilege	2272	WMIC.exe
Token: SeBackupPrivilege	2272	WMIC.exe
Token: SeRestorePrivilege	2272	WMIC.exe
Token: SeShutdownPrivilege	2272	WMIC.exe
Token: SeDebugPrivilege	2272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2272	WMIC.exe
Token: SeRemoteShutdownPrivilege	2272	WMIC.exe
Token: SeUndockPrivilege	2272	WMIC.exe
Token: SeManageVolumePrivilege	2272	WMIC.exe
Token: 33	2272	WMIC.exe
Token: 34	2272	WMIC.exe
Token: 35	2272	WMIC.exe
Token: 36	2272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: 36	1564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: 36	1564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2272	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3468 wrote to memory of 3536	3468	rundll32.exe	rundll32.exe
PID 3468 wrote to memory of 3536	3468	rundll32.exe	rundll32.exe
PID 3468 wrote to memory of 3536	3468	rundll32.exe	rundll32.exe
PID 3536 wrote to memory of 3504	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3504	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3504	3536	rundll32.exe	cmd.exe
PID 3504 wrote to memory of 1220	3504	cmd.exe	chcp.com
PID 3504 wrote to memory of 1220	3504	cmd.exe	chcp.com
PID 3504 wrote to memory of 1220	3504	cmd.exe	chcp.com
PID 3504 wrote to memory of 2948	3504	cmd.exe	net.exe
PID 3504 wrote to memory of 2948	3504	cmd.exe	net.exe
PID 3504 wrote to memory of 2948	3504	cmd.exe	net.exe
PID 3536 wrote to memory of 3444	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3444	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3444	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3796	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3796	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3796	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 2876	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 2876	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 2876	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3416	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3416	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3416	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3784	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3784	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 3784	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 1584	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 1584	3536	rundll32.exe	cmd.exe
PID 3536 wrote to memory of 1584	3536	rundll32.exe	cmd.exe
PID 3444 wrote to memory of 1564	3444	cmd.exe	WMIC.exe
PID 3444 wrote to memory of 1564	3444	cmd.exe	WMIC.exe
PID 3444 wrote to memory of 1564	3444	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 2272	1584	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 2272	1584	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 2272	1584	cmd.exe	WMIC.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\05a6fca52556551b286603a139394bfb6526c8f5d87929f1ed68908b7a76a623.dll,#1
2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C chcp 1250 && net view
3⤵
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\chcp.com
chcp 1250
4⤵
PID:1220

C:\Windows\SysWOW64\net.exe
net view
4⤵
- Discovers systems in the same network
PID:2948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
78215698f8f9dc7941c9c287642bd02c

SHA1
633cd0a6c76f080cdb6e0c98034b0b5dd7283a47

SHA256
dc94e21e80522b2cee097064c31a7720d70a02d0c55f290d59030fd0c995cac5

SHA512
c0a05f8cc400855c40b8e8eb3e7f027b06553cc592eb2ab6ad0a8c33ed2d196c7eda358977edc3f34ce1fdbff30efe288725eb10ea463e622ee9eb8085e48f7d

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads