surtr | 5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b

Analysis

max time kernel
146s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-10-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
Size

190KB
MD5

5409ee640663b8d1f520af46c1146c0e
SHA1

73eebd0dd94ce3d161a7f191196b8bcc354af55a
SHA256

5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b
SHA512

dbaf6fdb7ae2dcbbce17aa9c1fc1932a054a024c9f32db8f8c810c9023480476a508397ae9a5e231ba27ce85c6d402b0ce5beb63a4b7fcb20702af9d1ec7f82a
SSDEEP

3072:R1WTpHdp+hKaf5fVZ5/u63YbFVOppyis6h83ZHZZfKmJZGexxVAdueB+out:qHr85x/u6IbFVSyiJOpHTfNA6VxeB+oS

Score

10^/10

surtr evasion ransomware upx

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
2308	fsutil.exe

Detects Surtr Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1660-56-0x0000000000400000-0x000000000050B000-memory.dmp	family_surtr
behavioral1/memory/1660-69-0x0000000000400000-0x000000000050B000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2176	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2228	wbadmin.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1660-56-0x0000000000400000-0x000000000050B000-memory.dmp	upx
behavioral1/memory/1660-69-0x0000000000400000-0x000000000050B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 10 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\I:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\H:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\J:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\K:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\L:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\F:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 7 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
552	vssadmin.exe
1300	vssadmin.exe
1576	vssadmin.exe
1304	vssadmin.exe
2276	vssadmin.exe
2268	vssadmin.exe
1872	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1828	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	28
PID 1660 wrote to memory of 1828	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	28
PID 1660 wrote to memory of 1828	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	28
PID 1660 wrote to memory of 1828	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	28
PID 1660 wrote to memory of 2044	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	29
PID 1660 wrote to memory of 2044	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	29
PID 1660 wrote to memory of 2044	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	29
PID 1660 wrote to memory of 2044	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	29
PID 1660 wrote to memory of 1752	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	30
PID 1660 wrote to memory of 1752	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	30
PID 1660 wrote to memory of 1752	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	30
PID 1660 wrote to memory of 1752	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	30
PID 1752 wrote to memory of 1768	1752	cmd.exe	31
PID 1752 wrote to memory of 1768	1752	cmd.exe	31
PID 1752 wrote to memory of 1768	1752	cmd.exe	31
PID 1752 wrote to memory of 1768	1752	cmd.exe	31
PID 1660 wrote to memory of 2012	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	32
PID 1660 wrote to memory of 2012	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	32
PID 1660 wrote to memory of 2012	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	32
PID 1660 wrote to memory of 2012	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	32
PID 1660 wrote to memory of 2032	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	33
PID 1660 wrote to memory of 2032	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	33
PID 1660 wrote to memory of 2032	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	33
PID 1660 wrote to memory of 2032	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	33
PID 1660 wrote to memory of 1208	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	34
PID 1660 wrote to memory of 1208	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	34
PID 1660 wrote to memory of 1208	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	34
PID 1660 wrote to memory of 1208	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	34
PID 1660 wrote to memory of 960	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	36
PID 1660 wrote to memory of 960	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	36
PID 1660 wrote to memory of 960	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	36
PID 1660 wrote to memory of 960	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	36
PID 1660 wrote to memory of 916	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	35
PID 1660 wrote to memory of 916	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	35
PID 1660 wrote to memory of 916	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	35
PID 1660 wrote to memory of 916	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	35
PID 1660 wrote to memory of 588	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	39
PID 1660 wrote to memory of 588	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	39
PID 1660 wrote to memory of 588	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	39
PID 1660 wrote to memory of 588	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	39
PID 1660 wrote to memory of 1736	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	38
PID 1660 wrote to memory of 1736	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	38
PID 1660 wrote to memory of 1736	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	38
PID 1660 wrote to memory of 1736	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	38
PID 1660 wrote to memory of 324	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	37
PID 1660 wrote to memory of 324	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	37
PID 1660 wrote to memory of 324	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	37
PID 1660 wrote to memory of 324	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	37
PID 1660 wrote to memory of 1200	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	40
PID 1660 wrote to memory of 1200	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	40
PID 1660 wrote to memory of 1200	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	40
PID 1660 wrote to memory of 1200	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	40
PID 1660 wrote to memory of 1512	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	46
PID 1660 wrote to memory of 1512	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	46
PID 1660 wrote to memory of 1512	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	46
PID 1660 wrote to memory of 1512	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	46
PID 1660 wrote to memory of 1852	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	52
PID 1660 wrote to memory of 1852	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	52
PID 1660 wrote to memory of 1852	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	52
PID 1660 wrote to memory of 1852	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	52
PID 1660 wrote to memory of 1068	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	51
PID 1660 wrote to memory of 1068	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	51
PID 1660 wrote to memory of 1068	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	51
PID 1660 wrote to memory of 1068	1660	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	51

C:\Users\Admin\AppData\Local\Temp\5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
"C:\Users\Admin\AppData\Local\Temp\5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off
  2⤵
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\chcp.com
    chcp 437
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:2012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  PID:2032
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  PID:1208
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  PID:916
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  2⤵
  PID:960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
  2⤵
  PID:324
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
  2⤵
  PID:1736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  PID:588
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  2⤵
  PID:1200
- - C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    3⤵
    - Deletes NTFS Change Journal
    PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  PID:1512
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:772
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    3⤵
    PID:2236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
  2⤵
  PID:1356
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  2⤵
  PID:1068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  2⤵
  PID:1852
- - C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:332
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:2216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
  2⤵
  PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
  2⤵
  PID:760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:1076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
  2⤵
  PID:748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1968
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:1316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
  2⤵
  PID:1792
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
  2⤵
  PID:396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:320
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:2284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
  2⤵
  PID:1544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
  2⤵
  PID:1120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:1444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:1336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
  2⤵
  PID:1168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
  2⤵
  PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:2152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:2340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
  2⤵
  PID:2352

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1660-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1660-69-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1660-56-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download