a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154

General

Target

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
Size

62KB
MD5

131a20e9f579bc9f7dd9832b4c5f25bd
SHA1

83979db718962e3a0b45e5f70320fe5b4f009b7c
SHA256

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154
SHA512

92e83892f635efb13d6f268ccab884b2079451a82a1e53a8482c632e126b14d3453c5ab17463d55b4cd2341d6b44034eb523867258932a9cd47deba435494f1c

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

780 sc.exe
2576 sc.exe
3228 sc.exe
2284 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
780	sc.exe
2576	sc.exe
3228	sc.exe
2284	sc.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
3784	vssadmin.exe
2316	vssadmin.exe
1572	vssadmin.exe
2204	vssadmin.exe
2304	vssadmin.exe
2728	vssadmin.exe
1836	vssadmin.exe
4312	vssadmin.exe
2532	vssadmin.exe
4060	vssadmin.exe
3660	vssadmin.exe
4296	vssadmin.exe
3256	vssadmin.exe
692	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1228 taskkill.exe
204 taskkill.exe
4004 taskkill.exe
Runs net.exe

pid	process
1228	taskkill.exe
204	taskkill.exe
4004	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe

pid	process
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	204	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeBackupPrivilege	4076	vssvc.exe
Token: SeRestorePrivilege	4076	vssvc.exe
Token: SeAuditPrivilege	4076	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3892 wrote to memory of 4836	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 3892 wrote to memory of 4836	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 4836 wrote to memory of 4484	4836	net.exe	net1.exe
PID 4836 wrote to memory of 4484	4836	net.exe	net1.exe
PID 3892 wrote to memory of 3880	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 3892 wrote to memory of 3880	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 3880 wrote to memory of 3520	3880	net.exe	net1.exe
PID 3880 wrote to memory of 3520	3880	net.exe	net1.exe
PID 3892 wrote to memory of 4576	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 3892 wrote to memory of 4576	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 4576 wrote to memory of 4476	4576	net.exe	net1.exe
PID 4576 wrote to memory of 4476	4576	net.exe	net1.exe
PID 3892 wrote to memory of 4548	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 3892 wrote to memory of 4548	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 4548 wrote to memory of 3260	4548	net.exe	net1.exe
PID 4548 wrote to memory of 3260	4548	net.exe	net1.exe
PID 3892 wrote to memory of 3516	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 3892 wrote to memory of 3516	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	net.exe
PID 3516 wrote to memory of 1508	3516	net.exe	net1.exe
PID 3516 wrote to memory of 1508	3516	net.exe	net1.exe
PID 3892 wrote to memory of 3228	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 3892 wrote to memory of 3228	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 3892 wrote to memory of 2284	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 3892 wrote to memory of 2284	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 3892 wrote to memory of 780	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 3892 wrote to memory of 780	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 3892 wrote to memory of 2576	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 3892 wrote to memory of 2576	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	sc.exe
PID 3892 wrote to memory of 1228	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 3892 wrote to memory of 1228	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 3892 wrote to memory of 204	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 3892 wrote to memory of 204	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 3892 wrote to memory of 4004	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 3892 wrote to memory of 4004	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	taskkill.exe
PID 3892 wrote to memory of 3784	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 3784	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2304	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2304	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2316	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2316	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2728	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2728	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 4060	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 4060	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 4312	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 4312	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 3660	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 3660	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 4296	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 4296	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2532	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2532	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 1572	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 1572	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 3256	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 3256	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 1836	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 1836	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2204	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 2204	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 692	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 692	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	vssadmin.exe
PID 3892 wrote to memory of 3120	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	arp.exe
PID 3892 wrote to memory of 3120	3892	a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe	arp.exe

C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe
"C:\Users\Admin\AppData\Local\Temp\a8117abc27d70f18eaec3b6569e105edb2604c81b6e33dc81719e3e6247f5154.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\SYSTEM32\net.exe
"net.exe" stop avpsus /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
3⤵
PID:4484

C:\Windows\SYSTEM32\net.exe
"net.exe" stop McAfeeDLPAgentService /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
3⤵
PID:3520

C:\Windows\SYSTEM32\net.exe
"net.exe" stop mfewc /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
3⤵
PID:4476

C:\Windows\SYSTEM32\net.exe
"net.exe" stop BMR Boot Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:3260

C:\Windows\SYSTEM32\net.exe
"net.exe" stop NetBackup BMR MTFTP Service /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:1508

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
- Launches sc.exe
PID:3228

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
- Launches sc.exe
PID:2284

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
- Launches sc.exe
PID:780

C:\Windows\SYSTEM32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
- Launches sc.exe
PID:2576

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\SYSTEM32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3784

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
- Interacts with shadow copies
PID:2304

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
- Interacts with shadow copies
PID:2316

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2728

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4060

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4312

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3660

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4296

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2532

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1572

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3256

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1836

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2204

C:\Windows\SYSTEM32\vssadmin.exe
"vssadmin.exe" Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:692

C:\Windows\SYSTEM32\arp.exe
"arp" -a
2⤵
PID:3120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/204-147-0x0000000000000000-mapping.dmp

Download
memory/692-162-0x0000000000000000-mapping.dmp

Download
memory/780-144-0x0000000000000000-mapping.dmp

Download
memory/1228-146-0x0000000000000000-mapping.dmp

Download
memory/1508-141-0x0000000000000000-mapping.dmp

Download
memory/1572-158-0x0000000000000000-mapping.dmp

Download
memory/1836-160-0x0000000000000000-mapping.dmp

Download
memory/2204-161-0x0000000000000000-mapping.dmp

Download
memory/2284-143-0x0000000000000000-mapping.dmp

Download
memory/2304-150-0x0000000000000000-mapping.dmp

Download
memory/2316-151-0x0000000000000000-mapping.dmp

Download
memory/2532-157-0x0000000000000000-mapping.dmp

Download
memory/2576-145-0x0000000000000000-mapping.dmp

Download
memory/2728-152-0x0000000000000000-mapping.dmp

Download
memory/3120-163-0x0000000000000000-mapping.dmp

Download
memory/3228-142-0x0000000000000000-mapping.dmp

Download
memory/3256-159-0x0000000000000000-mapping.dmp

Download
memory/3260-139-0x0000000000000000-mapping.dmp

Download
memory/3516-140-0x0000000000000000-mapping.dmp

Download
memory/3520-135-0x0000000000000000-mapping.dmp

Download
memory/3660-155-0x0000000000000000-mapping.dmp

Download
memory/3784-149-0x0000000000000000-mapping.dmp

Download
memory/3880-134-0x0000000000000000-mapping.dmp

Download
memory/3892-133-0x00007FFAE0AF0000-0x00007FFAE15B1000-memory.dmp

Filesize
10.8MB

Download
memory/3892-164-0x00007FFAE0AF0000-0x00007FFAE15B1000-memory.dmp

Filesize
10.8MB

Download
memory/3892-130-0x0000000000C30000-0x0000000000C46000-memory.dmp

Filesize
88KB

Download
memory/4004-148-0x0000000000000000-mapping.dmp

Download
memory/4060-153-0x0000000000000000-mapping.dmp

Download
memory/4296-156-0x0000000000000000-mapping.dmp

Download
memory/4312-154-0x0000000000000000-mapping.dmp

Download
memory/4476-137-0x0000000000000000-mapping.dmp

Download
memory/4484-132-0x0000000000000000-mapping.dmp

Download
memory/4548-138-0x0000000000000000-mapping.dmp

Download
memory/4576-136-0x0000000000000000-mapping.dmp

Download
memory/4836-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads