Resubmissions
23-01-2023 15:59  230123-tfhcmaff5y  10
30-11-2022 07:42  221130-jjqs3adc2x  10
29-11-2022 11:01  221129-m4m5fsfd71  10
Analysis
max time kernel: 119s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 64new_cip6.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 64new_cip6.exe
  Resource: win10v2004-20220812-en
General
Target: 64new_cip6.exe
Size: 309KB
MD5: 4ee1b43ffdea06ff320b1dbfc7195087
SHA1: 3efec2894e16fa21417808c99bedfa7ddbd5c881
SHA256: c1fbc69f6892aa18f81cfaf0fc889be96a9421324fbd87cde99cd06731d27615
SHA512: 64c285f003d72c20a839b19584a1576fc8f4f11b3500c5969102781241760a1fdb5d341e4e3862227792752bf15a145ce99f94dde3ed8ad6147032f0b0ea04e8
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0W3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3Gaw7c
Malware Config
Extracted
\??\A:\!-Recovery_Instructions-!.html
Mikesupp77@outlook.com
https://tox.chat/download.html
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description            pid   process         target process
  PID 1976 created 1264  1976  64new_cip6.exe  Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (all entries: 64new_cip6.exe):
  File opened for modification  C:\Users\Admin\Pictures\DenyConvert.tiff
  File renamed                  C:\Users\Admin\Pictures\DenyConvert.tiff => C:\Users\Admin\Pictures\DenyConvert.tiff.cipher6
  File renamed                  C:\Users\Admin\Pictures\InvokeReceive.png => C:\Users\Admin\Pictures\InvokeReceive.png.cipher6
  File opened for modification  C:\Users\Admin\Pictures\RenameAdd.tiff
  File renamed                  C:\Users\Admin\Pictures\SkipDebug.tif => C:\Users\Admin\Pictures\SkipDebug.tif.cipher6
  File renamed                  C:\Users\Admin\Pictures\SuspendShow.png => C:\Users\Admin\Pictures\SuspendShow.png.cipher6
  File renamed                  C:\Users\Admin\Pictures\CloseUnblock.crw => C:\Users\Admin\Pictures\CloseUnblock.crw.cipher6
  File renamed                  C:\Users\Admin\Pictures\HideGrant.crw => C:\Users\Admin\Pictures\HideGrant.crw.cipher6
  File renamed                  C:\Users\Admin\Pictures\RenameAdd.tiff => C:\Users\Admin\Pictures\RenameAdd.tiff.cipher6
  File renamed                  C:\Users\Admin\Pictures\UseAssert.crw => C:\Users\Admin\Pictures\UseAssert.crw.cipher6
  File renamed                  C:\Users\Admin\Pictures\WaitMove.raw => C:\Users\Admin\Pictures\WaitMove.raw.cipher6
  File renamed                  C:\Users\Admin\Pictures\UnregisterImport.png => C:\Users\Admin\Pictures\UnregisterImport.png.cipher6
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (all entries: File opened (read-only) by 64new_cip6.exe), in the order recorded:
  \??\V:  \??\W:  \??\F:  \??\I:  \??\M:  \??\N:  \??\P:  \??\U:
  \??\K:  \??\R:  \??\T:  \??\Y:  \??\Z:  \??\B:  \??\E:  \??\H:
  \??\O:  \??\Q:  \??\X:  \??\A:  \??\G:  \??\J:  \??\L:  \??\S:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  1200  1264        WerFault.exe  Explorer.EXE
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1288  vssadmin.exe
Kills process with taskkill 16 IoCs
Processes (taskkill.exe, one entry per pid):
  572, 1772, 612, 364, 316, 1424, 1180, 1384, 1424, 844, 600, 524, 1932, 276, 1688, 1496
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  1976  64new_cip6.exe  (64 identical entries)
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
  Token: SeDebugPrivilege    taskkill.exe, pids 1424, 1180, 572, 844, 1932, 276, 1384, 1424, 1772, 1688, 600, 524, 612, 1496, 364, 316
  Token: SeBackupPrivilege   1640  vssvc.exe
  Token: SeRestorePrivilege  1640  vssvc.exe
  Token: SeAuditPrivilege    1640  vssvc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (64 entries; consecutive duplicates collapsed, count in parentheses):
  description                       process -> target process       count
  PID 1976 wrote to memory of 1992  64new_cip6.exe -> cmd.exe       (x4)
  PID 1992 wrote to memory of 1756  cmd.exe -> cmd.exe              (x4)
  PID 1976 wrote to memory of 1240  64new_cip6.exe -> cmd.exe       (x4)
  PID 1240 wrote to memory of 1488  cmd.exe -> cmd.exe              (x4)
  PID 1488 wrote to memory of 1424  cmd.exe -> taskkill.exe         (x3)
  PID 1976 wrote to memory of 1712  64new_cip6.exe -> cmd.exe       (x4)
  PID 1712 wrote to memory of 1500  cmd.exe -> cmd.exe              (x4)
  PID 1500 wrote to memory of 1180  cmd.exe -> taskkill.exe         (x3)
  PID 1976 wrote to memory of 1020  64new_cip6.exe -> cmd.exe       (x4)
  PID 1020 wrote to memory of 1408  cmd.exe -> cmd.exe              (x4)
  PID 1408 wrote to memory of 572   cmd.exe -> taskkill.exe         (x3)
  PID 1976 wrote to memory of 1292  64new_cip6.exe -> cmd.exe       (x4)
  PID 1292 wrote to memory of 640   cmd.exe -> cmd.exe              (x4)
  PID 640 wrote to memory of 844    cmd.exe -> taskkill.exe         (x3)
  PID 1976 wrote to memory of 688   64new_cip6.exe -> cmd.exe       (x4)
  PID 688 wrote to memory of 1820   cmd.exe -> cmd.exe              (x4)
  PID 1820 wrote to memory of 1932  cmd.exe -> taskkill.exe         (x3)
  PID 1976 wrote to memory of 1116  64new_cip6.exe -> cmd.exe       (x1)
System policy modification 1 TTPs 4 IoCs
Processes (two instances of 64new_cip6.exe, two entries each):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                           64new_cip6.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  64new_cip6.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                           64new_cip6.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  64new_cip6.exe
Processes
Process tree: depth in brackets, image path, then command line, then the signatures triggered by that process.
[1] C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe
      "C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Modifies extensions of user files
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im sqlbrowser.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im sqlwriter.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im msmdsrv.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im MsDtsSrvr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im sqlceip.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im fdlauncher.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im Ssms.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im SQLAGENT.EXE
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im fdhost.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im fdlauncher.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im ReportingServicesService.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im msftesql.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im pg_ctl.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        [5] C:\Windows\system32\taskkill.exe
            taskkill -f -im postgres.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        [5] C:\Windows\system32\net.exe
            net stop MSSQLServerADHelper100
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop MSSQLServerADHelper100
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        [5] C:\Windows\system32\net.exe
            net stop MSSQL$ISARS
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop MSSQL$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        [5] C:\Windows\system32\net.exe
            net stop MSSQL$MSFW
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop MSSQL$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        [5] C:\Windows\system32\net.exe
            net stop SQLAgent$ISARS
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop SQLAgent$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        [5] C:\Windows\system32\net.exe
            net stop SQLAgent$MSFW
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop SQLAgent$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        [5] C:\Windows\system32\net.exe
            net stop SQLBrowser
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop SQLBrowser
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        [5] C:\Windows\system32\net.exe
            net stop ReportServer$ISARS
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop ReportServer$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        [5] C:\Windows\system32\net.exe
            net stop SQLWriter
          [6] C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop SQLWriter
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      [4] C:\Windows\system32\cmd.exe
          C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        [5] C:\Windows\system32\vssadmin.exe
            vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe
      \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe -network
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c pause
  [2] C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1264 -s 1136
      - Program crash
[1] C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/240-93-0x0000000000000000-mapping.dmp
- memory/268-91-0x0000000000000000-mapping.dmp
- memory/272-103-0x0000000000000000-mapping.dmp
- memory/276-74-0x0000000000000000-mapping.dmp
- memory/316-104-0x0000000000000000-mapping.dmp
- memory/364-101-0x0000000000000000-mapping.dmp
- memory/524-92-0x0000000000000000-mapping.dmp
- memory/572-108-0x0000000000000000-mapping.dmp
- memory/572-85-0x0000000000000000-mapping.dmp
- memory/572-65-0x0000000000000000-mapping.dmp
- memory/576-114-0x0000000000000000-mapping.dmp
- memory/600-89-0x0000000000000000-mapping.dmp
- memory/612-95-0x0000000000000000-mapping.dmp
- memory/632-79-0x0000000000000000-mapping.dmp
- memory/640-112-0x0000000000000000-mapping.dmp
- memory/640-67-0x0000000000000000-mapping.dmp
- memory/676-88-0x0000000000000000-mapping.dmp
- memory/688-69-0x0000000000000000-mapping.dmp
- memory/844-68-0x0000000000000000-mapping.dmp
- memory/940-73-0x0000000000000000-mapping.dmp
- memory/972-97-0x0000000000000000-mapping.dmp
- memory/980-100-0x0000000000000000-mapping.dmp
- memory/1020-63-0x0000000000000000-mapping.dmp
- memory/1044-109-0x0000000000000000-mapping.dmp
- memory/1116-72-0x0000000000000000-mapping.dmp
- memory/1132-84-0x0000000000000000-mapping.dmp
- memory/1180-62-0x0000000000000000-mapping.dmp
- memory/1180-82-0x0000000000000000-mapping.dmp
- memory/1204-96-0x0000000000000000-mapping.dmp
- memory/1240-57-0x0000000000000000-mapping.dmp
- memory/1292-66-0x0000000000000000-mapping.dmp
- memory/1292-111-0x0000000000000000-mapping.dmp
- memory/1336-78-0x0000000000000000-mapping.dmp
- memory/1364-81-0x0000000000000000-mapping.dmp
- memory/1384-77-0x0000000000000000-mapping.dmp
- memory/1388-110-0x0000000000000000-mapping.dmp
- memory/1408-64-0x0000000000000000-mapping.dmp
- memory/1424-80-0x0000000000000000-mapping.dmp
- memory/1424-59-0x0000000000000000-mapping.dmp
- memory/1488-58-0x0000000000000000-mapping.dmp
- memory/1496-98-0x0000000000000000-mapping.dmp
- memory/1500-61-0x0000000000000000-mapping.dmp
- memory/1516-102-0x0000000000000000-mapping.dmp
- memory/1572-118-0x0000000000000000-mapping.dmp
- memory/1584-99-0x0000000000000000-mapping.dmp
- memory/1624-107-0x0000000000000000-mapping.dmp
- memory/1640-94-0x0000000000000000-mapping.dmp
- memory/1648-117-0x0000000000000000-mapping.dmp
- memory/1688-86-0x0000000000000000-mapping.dmp
- memory/1712-60-0x0000000000000000-mapping.dmp
- memory/1720-106-0x0000000000000000-mapping.dmp
- memory/1732-115-0x0000000000000000-mapping.dmp
- memory/1752-113-0x0000000000000000-mapping.dmp
- memory/1756-56-0x0000000000000000-mapping.dmp
- memory/1764-105-0x0000000000000000-mapping.dmp
- memory/1772-83-0x0000000000000000-mapping.dmp
- memory/1792-90-0x0000000000000000-mapping.dmp
- memory/1820-70-0x0000000000000000-mapping.dmp
- memory/1888-75-0x0000000000000000-mapping.dmp
- memory/1932-71-0x0000000000000000-mapping.dmp
- memory/1932-116-0x0000000000000000-mapping.dmp
- memory/1976-54-0x00000000764D1000-0x00000000764D3000-memory.dmp (Filesize: 8KB)
- memory/1984-87-0x0000000000000000-mapping.dmp
- memory/1992-76-0x0000000000000000-mapping.dmp
- memory/1992-55-0x0000000000000000-mapping.dmp