Analysis
- max time kernel: 321s
- max time network: 275s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 25/03/2022, 06:59

Static task: static1

Behavioral task: behavioral1
- Sample: Taleb.Ransom.exe
- Resource: win7-20220311-en
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Taleb.Ransom.exe
- Resource: win10v2004-20220310-en
- 0 signatures, 0 seconds
General
- Target: Taleb.Ransom.exe
- Size: 10.8MB
- MD5: ac09b7550eda13e03a55448fd8367e2d
- SHA1: 8266a12669a4a3952cb9af86e75ed74c27c71013
- SHA256: 4b78968928cfa5437ffdd56a39a5ea8c10a7b6dc5d3f342d003260088876b3cf
- SHA512: 44cace3038bd96fa36a9d3b16251573f625f5e7cb53f0233d87f6e8ab564e731bd8719088feec44f47a460c0a096b964c2c0e77f3f1c371b773e66407aef5d29

Score: 10/10
Malware Config
Extracted
Path: C:\Decryption-Guide.txt
Ransom Note:
Your Files Are Has Been Locked
Your Files Has Been Encrypted with cryptography Algorithm
If You Need Your Files And They are Important to You, Dont be shy Send Me an Email
Send Test File + The Key File on Your System (File Exist in C:/ProgramData example : RSAKEY-SE-24r6t523 pr RSAKEY.KEY) to Make Sure Your Files Can be Restored
Make an Agreement on Price with me and Pay
Get Decryption Tool + RSA Key AND Instruction For Decryption Process
Attention:
1- Do Not Rename or Modify The Files (You May loose That file)
2- Do Not Try To Use 3rd Party Apps or Recovery Tools ( if You want to do that make an copy from Files and try on them and Waste Your time )
3-Do not Reinstall Operation System(Windows) You may loose the key File and Loose Your Files
4-Do Not Always Trust to Middle mans and negotiators (some of them are good but some of them agree on 4000usd for example and Asked 10000usd From Client) this Was happened
Your Case ID :MJ-DT1743028965
OUR Email :[email protected]
Emails
Signatures
- Modifies Windows Firewall (1 TTPs)
- Drops desktop.ini file(s) (5 IoCs)
  description | ioc | Process
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-2403053463-4052593947-3703345493-1000\desktop.ini | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\desktop.ini | Taleb.Ransom.exe
  File created | C:\$Recycle.Bin\S-1-5-21-2403053463-4052593947-3703345493-1000\desktop.ini | Taleb.Ransom.exe
  File created | C:\Program Files\desktop.ini | Taleb.Ransom.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | Taleb.Ransom.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  70 | api.my-ip.io
  71 | api.my-ip.io
- Drops file in Program Files directory (64 IoCs)
- NTFS ADS (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Documents and Settings\S-1-5-21-2403053463-4052593947-3703345493-1000\̀sk8:䰐ÎȀ | Taleb.Ransom.exe
  File opened for modification | C:\Documents and Settings\S-1-5-21-2403053463-4052593947-3703345493-1000\̀sk8:䬸ÎȀ | Taleb.Ransom.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid | Process
  3528 | Taleb.Ransom.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe (PID:3528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Taleb.Ransom.exe"
  Signatures: Drops desktop.ini file(s); Drops file in Program Files directory; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID:4224)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID:620)
      Command line: net stop MSDTC
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID:1248)
        Command line: C:\Windows\system32\net1 stop MSDTC
  - C:\Windows\SysWOW64\cmd.exe (PID:3288)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - C:\Windows\SysWOW64\cmd.exe (PID:2264)
    Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
  - C:\Windows\SysWOW64\cmd.exe (PID:4592)
    Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
  - C:\Windows\SysWOW64\cmd.exe (PID:2340)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID:3868)
      Command line: net stop SQLSERVERAGENT
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID:912)
        Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
  - C:\Windows\SysWOW64\cmd.exe (PID:4804)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID:1444)
      Command line: net stop MSSQLSERVER
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID:1856)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe (PID:2268)
    Command line: C:\Windows\system32\cmd.exe /c net stop vds
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID:5112)
      Command line: net stop vds
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID:1004)
        Command line: C:\Windows\system32\net1 stop vds
  - C:\Windows\SysWOW64\cmd.exe (PID:4672)
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID:1740)
      Command line: netsh advfirewall set currentprofile state off
  - C:\Windows\SysWOW64\cmd.exe (PID:3892)
    Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID:4556)
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\SysWOW64\cmd.exe (PID:3736)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID:1856)
      Command line: net stop SQLWriter
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID:688)
        Command line: C:\Windows\system32\net1 stop SQLWriter
  - C:\Windows\SysWOW64\cmd.exe (PID:1316)
    Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
    - C:\Windows\SysWOW64\net.exe (PID:4944)
      Command line: net stop SQLBrowser
      - C:\Windows\SysWOW64\net1.exe (PID:5036)
        Command line: C:\Windows\system32\net1 stop SQLBrowser
  - C:\Windows\SysWOW64\cmd.exe (PID:416)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
    - C:\Windows\SysWOW64\net.exe (PID:2252)
      Command line: net stop MSSQLSERVER
      - C:\Windows\SysWOW64\net1.exe (PID:60)
        Command line: C:\Windows\system32\net1 stop MSSQLSERVER
  - C:\Windows\SysWOW64\cmd.exe (PID:4228)
    Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
    - C:\Windows\SysWOW64\net.exe (PID:2208)
      Command line: net stop MSSQL$CONTOSO1
      - C:\Windows\SysWOW64\net1.exe (PID:4068)
        Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1