eb5666adbcd60ab11747e32a63a98c0ff4b3949fdac0f6fb7f2b86246e34b51d

General

Target

64new_cip.exe
Size

309KB
MD5

fb13a3efdbb801aef77603f6aaea272e
SHA1

62f526f82da55e5e3bc835d0e3b770b236d5e99d
SHA256

eb5666adbcd60ab11747e32a63a98c0ff4b3949fdac0f6fb7f2b86246e34b51d
SHA512

3baaf4bf823895f6916519dd571f984b79dd6756b9b9944ab02b4f19bbac466a6417ce1d6525d29acb1b92788bf15134146ae495d654828c52774233d8a2b0d3
SSDEEP

6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l09K2yaw7c:v+vV9CZMuUxhC6SjZfjeu++3GK7aw7c

Score

10^/10

ransomware

Malware Config

Extracted

Path

\??\A:\!-Recovery_Instructions-!.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for pricing and decryption software.</p> <p> Contact us by email:<p> <h2>Mikesupp77@outlook.com</h2> </p>If you do not receive a response within 24 hours, please contact us at our additional contacts:</p> <p> 1) Download for TOX CHAT https://tox.chat/download.html</p> <p> 2) Open chat<p> <p>Add ID Chat: </p><h2>3C9D49B928FDC3C15F0314217623A71B865909B308576B4B0D10AEA62C98677B4A3F160D5C93</h2> <p>If we did not answer you, leave the chat enabled, the operator will contact you!<p> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> Your ID: TcMkKMuQyesktFTnpEAoN2qb8JNsvHKsR+yHpxbp2XgpXkG50Q6418Z4pW9ew1n7CZMYxua5Aips5a9Pm0HZdpc875DF/J9cPwkiETaSeOhesM5VnQ5wxh7NvtIkHPWKwMotR+Kn4T+ooKgoL08H1XwdeBThBYvaLYOCiPRtyQ8Fo73mV0H5OrHK/z0RqefcntrpW0i9pBzf5WBdKonJ3322A6IZFirQIuUM0FRPAyGuMePRDYqeEpelXiwCWOjeL9pc5PekHDwHCUBqLbtvge+KOBZvKHMabisCevQ8w/pIfwdN1DITRJf6a9tX/e2oJ/ZjVg47SPqMxyVVdNOAYvwQ3P/V9VJSEo/XLvdHLNPABTTE8+k56pCxlTbUMGJYR4mn/Vi+rHHZrFbu6Mo+Zzt/ULPtHYV5A1ZSPJ/3obkMgAjeJU+2zXcrfjQF5li0/JjCyadwp5X2SdRfIiTTMx3zRbCRBiSd5g6G6YJk+AgriBhiaOxYtFtDPQuNHlArEJbqfvL9NYvrxRTv/CaNL3e4TyUiaCFGywQjKBw5cYCYpomKCHrHHP1Seq/iE75satQxPN/gBDjt4J1TGRFc50fhXNqyGzguAg8hwP2ZOsdUDAJQLTIxryuVmsCC6Fzy+tf/AfUxronG/GrKvh5WzDwH5jCf9UkUoCAo/d5x7GT4XlWD3pSjQbwUardSIUcXiP3ZO3dmc8q+TMpOtS3oTmPY8UTydPeB7BnZA1scv3lRSyy2+eMiFgTBG6mkKLdCHFo1/A7OZvn0qWMEzOHfov9WSdA3WYzJOPG4OaS4hRqKqyJ9ppIeLyoKo+gLckS0fA5qSrYlY9bRnPiaK3DLXd4vDfeJwOxFnoIBGKPk8OhTYjYB0HjrWvJq8xxI0Yf4PKqDVflb4wQDCMZ4yiL8gWq41UYGSgmkXg822LaeUj5mXUCXBqLHDumz2T1vTQ5u5iL2kxiUq7fpnOYZyVoCQ6iVDJ5KNPWSPy7z0LO9rdbYxSTn+azDSQPlU2qE0ugzghsCY9DPpmYDX+tD1DU9MS0hRGPVdQA9ylvGpu5v/7ZKIPzEWHEjcKVGDePpfNDP5datxDxGPd+v5Dq0tcNx+1RL3lKhydOnLE7fsVQW64OWx+M5FPzx8KOpGLAbKrTxqsffV8Epfx0Yu6EiacUVXkoVsIC3hJfO6gczCRRstIgeWjGo4TQiT73kIsH2Rad/3pWS7sTWE4DFJbzIYkUwuC+au8WwWdkDWTlq2lbwNjWlIyGSwUCP9BVWi0ftdHWt4oG9Z2Sj5TNG6gWWrq85r9hzeL0zo32gxU5IdLmhYXaDbZOeV44BupNovbOnEsNMvcuULi31tKN+/NA9b6jB5J2KqO6OB5iNZfi/EjEfPyj3irBL7aF/gmNIM5fGXbnApV64kr7baGZPJYTzZW9hDNUuoZFrZsUgXuAbyPoV6pMaOeGLXw2rxa10gtPTTLYDDdR5+KGZ5oIfnEC8vHDaARsw6bhjVCxu/iX62cCtQX//BQMOPt7E1WW3gLuc7X9NmxWgn9FWXNzIabVblqk0iGo3m5p33Oq778+8vEXGzkLPvhC3r9QpfWg6eqZA+SG5/C0xw+0DG5453ZA+61t2Wh1N5aX/o2oVGnVNnmt+Mo8NK/UB98XX41T6TPgA9VIsaxjL8xsgbb+t7fuV5OHa3FWsNGuNL90qu9syfrHBLOg=

Emails

<h2>Mikesupp77@outlook.com</h2>

URLs

https://tox.chat/download.html</p>

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

64new_cip.exe

description pid process target process

PID 560 created 1212 560 64new_cip.exe Explorer.EXE

description	pid	process	target process
PID 560 created 1212	560	64new_cip.exe	Explorer.EXE

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

64new_cip.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MergeRepair.tiff => C:\Users\Admin\Pictures\MergeRepair.tiff.cipher	64new_cip.exe
File renamed	C:\Users\Admin\Pictures\RedoJoin.png => C:\Users\Admin\Pictures\RedoJoin.png.cipher	64new_cip.exe
File opened for modification	C:\Users\Admin\Pictures\TraceUnpublish.tiff	64new_cip.exe
File renamed	C:\Users\Admin\Pictures\TraceUnpublish.tiff => C:\Users\Admin\Pictures\TraceUnpublish.tiff.cipher	64new_cip.exe
File renamed	C:\Users\Admin\Pictures\CompareGroup.raw => C:\Users\Admin\Pictures\CompareGroup.raw.cipher	64new_cip.exe
File opened for modification	C:\Users\Admin\Pictures\MergeRepair.tiff	64new_cip.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

64new_cip.exe

description	ioc	process
File opened (read-only)	\??\A:	64new_cip.exe
File opened (read-only)	\??\G:	64new_cip.exe
File opened (read-only)	\??\U:	64new_cip.exe
File opened (read-only)	\??\Z:	64new_cip.exe
File opened (read-only)	\??\B:	64new_cip.exe
File opened (read-only)	\??\K:	64new_cip.exe
File opened (read-only)	\??\L:	64new_cip.exe
File opened (read-only)	\??\P:	64new_cip.exe
File opened (read-only)	\??\V:	64new_cip.exe
File opened (read-only)	\??\H:	64new_cip.exe
File opened (read-only)	\??\N:	64new_cip.exe
File opened (read-only)	\??\O:	64new_cip.exe
File opened (read-only)	\??\R:	64new_cip.exe
File opened (read-only)	\??\S:	64new_cip.exe
File opened (read-only)	\??\W:	64new_cip.exe
File opened (read-only)	\??\E:	64new_cip.exe
File opened (read-only)	\??\F:	64new_cip.exe
File opened (read-only)	\??\I:	64new_cip.exe
File opened (read-only)	\??\J:	64new_cip.exe
File opened (read-only)	\??\M:	64new_cip.exe
File opened (read-only)	\??\Q:	64new_cip.exe
File opened (read-only)	\??\T:	64new_cip.exe
File opened (read-only)	\??\X:	64new_cip.exe
File opened (read-only)	\??\Y:	64new_cip.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

976 1212 WerFault.exe Explorer.EXE

pid	pid_target	process	target process
976	1212	WerFault.exe	Explorer.EXE

Kills process with taskkill 16 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1028	taskkill.exe
1692	taskkill.exe
604	taskkill.exe
1008	taskkill.exe
820	taskkill.exe
1244	taskkill.exe
1648	taskkill.exe
868	taskkill.exe
900	taskkill.exe
1436	taskkill.exe
240	taskkill.exe
1372	taskkill.exe
1496	taskkill.exe
1000	taskkill.exe
1020	taskkill.exe
1324	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

64new_cip.exe

pid	process
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe
560	64new_cip.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1372	taskkill.exe
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	1436	taskkill.exe
Token: SeDebugPrivilege	240	taskkill.exe
Token: SeDebugPrivilege	900	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

64new_cip.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 560 wrote to memory of 1920	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 1920	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 1920	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 1920	560	64new_cip.exe	cmd.exe
PID 1920 wrote to memory of 868	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 868	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 868	1920	cmd.exe	cmd.exe
PID 1920 wrote to memory of 868	1920	cmd.exe	cmd.exe
PID 560 wrote to memory of 532	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 532	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 532	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 532	560	64new_cip.exe	cmd.exe
PID 532 wrote to memory of 820	532	cmd.exe	cmd.exe
PID 532 wrote to memory of 820	532	cmd.exe	cmd.exe
PID 532 wrote to memory of 820	532	cmd.exe	cmd.exe
PID 532 wrote to memory of 820	532	cmd.exe	cmd.exe
PID 820 wrote to memory of 1372	820	cmd.exe	taskkill.exe
PID 820 wrote to memory of 1372	820	cmd.exe	taskkill.exe
PID 820 wrote to memory of 1372	820	cmd.exe	taskkill.exe
PID 560 wrote to memory of 432	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 432	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 432	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 432	560	64new_cip.exe	cmd.exe
PID 432 wrote to memory of 1144	432	cmd.exe	cmd.exe
PID 432 wrote to memory of 1144	432	cmd.exe	cmd.exe
PID 432 wrote to memory of 1144	432	cmd.exe	cmd.exe
PID 432 wrote to memory of 1144	432	cmd.exe	cmd.exe
PID 1144 wrote to memory of 1008	1144	cmd.exe	taskkill.exe
PID 1144 wrote to memory of 1008	1144	cmd.exe	taskkill.exe
PID 1144 wrote to memory of 1008	1144	cmd.exe	taskkill.exe
PID 560 wrote to memory of 1740	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 1740	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 1740	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 1740	560	64new_cip.exe	cmd.exe
PID 1740 wrote to memory of 872	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 872	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 872	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 872	1740	cmd.exe	cmd.exe
PID 872 wrote to memory of 1020	872	cmd.exe	taskkill.exe
PID 872 wrote to memory of 1020	872	cmd.exe	taskkill.exe
PID 872 wrote to memory of 1020	872	cmd.exe	taskkill.exe
PID 560 wrote to memory of 508	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 508	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 508	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 508	560	64new_cip.exe	cmd.exe
PID 508 wrote to memory of 1064	508	cmd.exe	cmd.exe
PID 508 wrote to memory of 1064	508	cmd.exe	cmd.exe
PID 508 wrote to memory of 1064	508	cmd.exe	cmd.exe
PID 508 wrote to memory of 1064	508	cmd.exe	cmd.exe
PID 1064 wrote to memory of 1496	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 1496	1064	cmd.exe	taskkill.exe
PID 1064 wrote to memory of 1496	1064	cmd.exe	taskkill.exe
PID 560 wrote to memory of 976	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 976	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 976	560	64new_cip.exe	cmd.exe
PID 560 wrote to memory of 976	560	64new_cip.exe	cmd.exe
PID 976 wrote to memory of 1696	976	cmd.exe	cmd.exe
PID 976 wrote to memory of 1696	976	cmd.exe	cmd.exe
PID 976 wrote to memory of 1696	976	cmd.exe	cmd.exe
PID 976 wrote to memory of 1696	976	cmd.exe	cmd.exe
PID 1696 wrote to memory of 1324	1696	cmd.exe	taskkill.exe
PID 1696 wrote to memory of 1324	1696	cmd.exe	taskkill.exe
PID 1696 wrote to memory of 1324	1696	cmd.exe	taskkill.exe
PID 560 wrote to memory of 2004	560	64new_cip.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

64new_cip.exe64new_cip.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\64new_cip.exe
"C:\Users\Admin\AppData\Local\Temp\64new_cip.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
3⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
4⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlwriter.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
3⤵
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
4⤵
PID:2012

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
PID:688

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
3⤵
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
4⤵
PID:1364

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
3⤵
PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
4⤵
PID:1988

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
3⤵
PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
4⤵
PID:1996

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
PID:2000

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
PID:616

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
4⤵
PID:1320

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
3⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
4⤵
PID:760

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
3⤵
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
4⤵
PID:1768

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
3⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
4⤵
PID:532

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
3⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
4⤵
PID:824

C:\Windows\system32\taskkill.exe
taskkill -f -im postgres.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
3⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
4⤵
PID:1020

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
5⤵
PID:328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
6⤵
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
3⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
4⤵
PID:508

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
5⤵
PID:1544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
6⤵
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
3⤵
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
4⤵
PID:976

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
5⤵
PID:1720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
6⤵
PID:240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
3⤵
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
4⤵
PID:1000

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
5⤵
PID:1584

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
6⤵
PID:1592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
3⤵
PID:1596

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
4⤵
PID:1704

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
5⤵
PID:868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
6⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
3⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
4⤵
PID:1264

C:\Windows\system32\net.exe
net stop SQLBrowser
5⤵
PID:640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
6⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
3⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
4⤵
PID:532

C:\Windows\system32\net.exe
net stop ReportServer$ISARS
5⤵
PID:1244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
6⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
3⤵
PID:1372

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
4⤵
PID:1156

C:\Windows\system32\net.exe
net stop SQLWriter
5⤵
PID:1028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
6⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\64new_cip.exe
\\?\C:\Users\Admin\AppData\Local\Temp\64new_cip.exe -network
2⤵
- System policy modification
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:924

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1212 -s 1536
2⤵
- Program crash
PID:976

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-92-0x0000000000000000-mapping.dmp

Download
memory/240-116-0x0000000000000000-mapping.dmp

Download
memory/328-107-0x0000000000000000-mapping.dmp

Download
memory/432-60-0x0000000000000000-mapping.dmp

Download
memory/508-110-0x0000000000000000-mapping.dmp

Download
memory/508-66-0x0000000000000000-mapping.dmp

Download
memory/532-100-0x0000000000000000-mapping.dmp

Download
memory/532-57-0x0000000000000000-mapping.dmp

Download
memory/560-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/604-98-0x0000000000000000-mapping.dmp

Download
memory/616-90-0x0000000000000000-mapping.dmp

Download
memory/688-76-0x0000000000000000-mapping.dmp

Download
memory/760-94-0x0000000000000000-mapping.dmp

Download
memory/800-87-0x0000000000000000-mapping.dmp

Download
memory/820-80-0x0000000000000000-mapping.dmp

Download
memory/820-58-0x0000000000000000-mapping.dmp

Download
memory/824-103-0x0000000000000000-mapping.dmp

Download
memory/868-77-0x0000000000000000-mapping.dmp

Download
memory/868-56-0x0000000000000000-mapping.dmp

Download
memory/872-64-0x0000000000000000-mapping.dmp

Download
memory/900-95-0x0000000000000000-mapping.dmp

Download
memory/976-114-0x0000000000000000-mapping.dmp

Download
memory/976-69-0x0000000000000000-mapping.dmp

Download
memory/1000-74-0x0000000000000000-mapping.dmp

Download
memory/1000-118-0x0000000000000000-mapping.dmp

Download
memory/1008-62-0x0000000000000000-mapping.dmp

Download
memory/1020-106-0x0000000000000000-mapping.dmp

Download
memory/1020-65-0x0000000000000000-mapping.dmp

Download
memory/1028-83-0x0000000000000000-mapping.dmp

Download
memory/1064-67-0x0000000000000000-mapping.dmp

Download
memory/1144-61-0x0000000000000000-mapping.dmp

Download
memory/1244-101-0x0000000000000000-mapping.dmp

Download
memory/1320-91-0x0000000000000000-mapping.dmp

Download
memory/1324-71-0x0000000000000000-mapping.dmp

Download
memory/1364-79-0x0000000000000000-mapping.dmp

Download
memory/1372-59-0x0000000000000000-mapping.dmp

Download
memory/1436-112-0x0000000000000000-mapping.dmp

Download
memory/1436-89-0x0000000000000000-mapping.dmp

Download
memory/1440-117-0x0000000000000000-mapping.dmp

Download
memory/1496-68-0x0000000000000000-mapping.dmp

Download
memory/1544-111-0x0000000000000000-mapping.dmp

Download
memory/1568-102-0x0000000000000000-mapping.dmp

Download
memory/1588-96-0x0000000000000000-mapping.dmp

Download
memory/1620-78-0x0000000000000000-mapping.dmp

Download
memory/1648-104-0x0000000000000000-mapping.dmp

Download
memory/1668-84-0x0000000000000000-mapping.dmp

Download
memory/1676-105-0x0000000000000000-mapping.dmp

Download
memory/1692-86-0x0000000000000000-mapping.dmp

Download
memory/1692-108-0x0000000000000000-mapping.dmp

Download
memory/1696-70-0x0000000000000000-mapping.dmp

Download
memory/1704-75-0x0000000000000000-mapping.dmp

Download
memory/1720-115-0x0000000000000000-mapping.dmp

Download
memory/1736-93-0x0000000000000000-mapping.dmp

Download
memory/1740-63-0x0000000000000000-mapping.dmp

Download
memory/1768-97-0x0000000000000000-mapping.dmp

Download
memory/1856-81-0x0000000000000000-mapping.dmp

Download
memory/1920-55-0x0000000000000000-mapping.dmp

Download
memory/1960-109-0x0000000000000000-mapping.dmp

Download
memory/1968-113-0x0000000000000000-mapping.dmp

Download
memory/1988-82-0x0000000000000000-mapping.dmp

Download
memory/1996-85-0x0000000000000000-mapping.dmp

Download
memory/2000-88-0x0000000000000000-mapping.dmp

Download
memory/2004-72-0x0000000000000000-mapping.dmp

Download
memory/2012-73-0x0000000000000000-mapping.dmp

Download
memory/2032-99-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads