c1fbc69f6892aa18f81cfaf0fc889be96a9421324fbd87cde99cd06731d27615

General

Target

64new_cip6.exe
Size

309KB
MD5

4ee1b43ffdea06ff320b1dbfc7195087
SHA1

3efec2894e16fa21417808c99bedfa7ddbd5c881
SHA256

c1fbc69f6892aa18f81cfaf0fc889be96a9421324fbd87cde99cd06731d27615
SHA512

64c285f003d72c20a839b19584a1576fc8f4f11b3500c5969102781241760a1fdb5d341e4e3862227792752bf15a145ce99f94dde3ed8ad6147032f0b0ea04e8
SSDEEP

6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0W3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3Gaw7c

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

\??\A:\!-Recovery_Instructions-!.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for pricing and decryption software.</p> <p> Contact us by email:<p> <h2>Mikesupp77@outlook.com</h2> </p>If you do not receive a response within 24 hours, please contact us at our additional contacts:</p> <p> 1) Download for TOX CHAT https://tox.chat/download.html</p> <p> 2) Open chat<p> <p>Add ID Chat: </p><h2>3C9D49B928FDC3C15F0314217623A71B865909B308576B4B0D10AEA62C98677B4A3F160D5C93</h2> <p>If we did not answer you, leave the chat enabled, the operator will contact you!<p> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> Your ID: g7cLsCjchWV5hAiKHw2TfqqvHT9sVmyX5qEhXX6NQFGfCCTvZ9xxxYuTRcMgcXuLM9iwxQ29QpHFo8390qbi/mSMFBqYppzNDGogj71IS1Kdfiw5dQ5MjyLfmKL7cNabcdMXDlofbK6978UzrhR69keLlsauJO74U/29Mz77vGN2irKGO2atdFkTJfZZmkGS+qEGRDTswZlmbjSIdESld44HrB0YU37dRAtmYKo6vUIqIyLZH4HkIFXPZFErdBIn/rdNC/v4erZB7+fLcRRVpDmsKHevFazjMr2xScoxAVcUO+E6sxUq2Jph43CvV39H1+F8vQr+FcdfAXRG/1CeugalZbbT6MhU/2NJWVQvQOp0MHMfSGi435aoo+0htgvqOhB+SQvIw8ZqOklm3zZlOTNedjvLlAikxTlPPKLoedkxKQt9RkOdLQ/CyzNQ/S4jL1tv6Vs9rOy5obtIeLKYhTi6y5D1XlcrB73baP6BdutaPQ1VA5/sdbctruDqh9MvtofAey3QdQ0oc06+j4JbTy/CAuEGZpxP/w9H27+Fmm62yAjfiCfAhg6+wptZV+74dq7OVwLJghSGUnplxlt/dzyRXbqrcSjN79OJUx//IwjsXLWY0okhDtdbK+sZ6gPBPgHKXwKnb3JVTEI/EsEfndvfO2Nz+Sjj/p23orhgNmdy3LaWv38xRVFM8cVXgVDr87Fnnba8M8qUoz5FGYQLAvNU8GMJCPPhgQ9DNd7ohZnv1pOqwh+tcmXYtIazLhmr/IDlsWGmqjJOFK4bEqnum9zWNMGOmmSs0SSi40//S0sYD3xfrOCY/ntwj7lUctXGGrPeJtcNFwiy6jEURTV4XltAQsFTfwiLMujVRRbPqZmUDb5RFo1HNicJHxg3vyKkCUvDA+ZeCutPiWTF+CyDDGuHU0fGL0aAFRFSNUcIZRPecyXBsCEK/nZ4bsRQllKx3l2RqrTACyUdswpCTnsiQr88MJo8lwqw5Nw8NFBjfHaTanL5o8807YRHrig7bfrdXYUuzRr3XH/AuTR7lVhCkHxLAM63QquYv91aCIlEeGPzI7Ol0qPPk9QKJNsdYz6Su1K/aGcNw7vNkMurBz/MWTneiMd5dBLFpdzzeVNAMD158VUEeIIu8Gf+JKZ0IIaSkeMGgsD37oMnvTKn7XYyPzOHVapU6VmwwGdbY8O2tYD3mMlEGOJWrV/fK6W6rhO8MrzGiSjCI9/R+axgJkHIVpFXAEAIqsKX9CD/V3dDwedOSLQ3EFpBVrgY4tTE3pp8BeR/XlOtGf94znD83Ad1R+aRFDvSWcnWEk9NQYZu32QyhLhhcwFPelwaEAm+nWGQtD3RiaJ87LrBVj0/JbxOStCHx53tq0xqcQiogJLIHH19CVRSUgZe55eE73N2EifLKS8ip7Y6E1NmxPdi2/xhCzaGBidluSZN03E84UVE7kmpDrx2huMXTs2XUX0Tkr7/rYz5dGIiHu7aVNzSwVC8+M9acjbnREfVlUISZXnOZ5uoDNuCGSDNXGBo9lkzmu139at1EiPaxpe4qXys8T0x5QBmpaZcvxHvGdduyEJltfDeuoU4ce9WCECo0UY2nHcM46++vlrbAkWo4dJRZa7FzcpAnAbYkaH0L92JcFiyFxzwZOKnabo5NmflwCXRPTC0n42k1HngGwwRq6loRZqw4U1cui1P9mfTEB7WoQvNvAU=

Emails

<h2>Mikesupp77@outlook.com</h2>

URLs

https://tox.chat/download.html</p>

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

64new_cip6.exe

description pid process target process

PID 4268 created 676 4268 64new_cip6.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4812 bcdedit.exe
4992 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

5088 wbadmin.exe
1340 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3272 wbadmin.exe

description	pid	process	target process
PID 4268 created 676	4268	64new_cip6.exe	Explorer.EXE

pid	process
4812	bcdedit.exe
4992	bcdedit.exe

pid	process
5088	wbadmin.exe
1340	wbadmin.exe

pid	process
3272	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

64new_cip6.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ReceiveUpdate.crw => C:\Users\Admin\Pictures\ReceiveUpdate.crw.cipher6	64new_cip6.exe
File opened for modification	C:\Users\Admin\Pictures\SearchMount.tiff	64new_cip6.exe
File renamed	C:\Users\Admin\Pictures\SearchMount.tiff => C:\Users\Admin\Pictures\SearchMount.tiff.cipher6	64new_cip6.exe
File renamed	C:\Users\Admin\Pictures\StepResize.crw => C:\Users\Admin\Pictures\StepResize.crw.cipher6	64new_cip6.exe
File renamed	C:\Users\Admin\Pictures\UninstallPing.tif => C:\Users\Admin\Pictures\UninstallPing.tif.cipher6	64new_cip6.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

64new_cip6.exe

description	ioc	process
File opened (read-only)	\??\B:	64new_cip6.exe
File opened (read-only)	\??\E:	64new_cip6.exe
File opened (read-only)	\??\G:	64new_cip6.exe
File opened (read-only)	\??\M:	64new_cip6.exe
File opened (read-only)	\??\O:	64new_cip6.exe
File opened (read-only)	\??\I:	64new_cip6.exe
File opened (read-only)	\??\S:	64new_cip6.exe
File opened (read-only)	\??\W:	64new_cip6.exe
File opened (read-only)	\??\V:	64new_cip6.exe
File opened (read-only)	\??\Z:	64new_cip6.exe
File opened (read-only)	\??\A:	64new_cip6.exe
File opened (read-only)	\??\F:	64new_cip6.exe
File opened (read-only)	\??\L:	64new_cip6.exe
File opened (read-only)	\??\P:	64new_cip6.exe
File opened (read-only)	\??\T:	64new_cip6.exe
File opened (read-only)	\??\U:	64new_cip6.exe
File opened (read-only)	\??\X:	64new_cip6.exe
File opened (read-only)	\??\Y:	64new_cip6.exe
File opened (read-only)	\??\H:	64new_cip6.exe
File opened (read-only)	\??\J:	64new_cip6.exe
File opened (read-only)	\??\K:	64new_cip6.exe
File opened (read-only)	\??\N:	64new_cip6.exe
File opened (read-only)	\??\Q:	64new_cip6.exe
File opened (read-only)	\??\R:	64new_cip6.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2168 676 WerFault.exe Explorer.EXE
3376 3844 WerFault.exe explorer.exe

pid	pid_target	process	target process
2168	676	WerFault.exe	Explorer.EXE
3376	3844	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1320 vssadmin.exe

pid	process
1320	vssadmin.exe

Kills process with taskkill 16 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1560	taskkill.exe
704	taskkill.exe
1760	taskkill.exe
1424	taskkill.exe
624	taskkill.exe
2116	taskkill.exe
4432	taskkill.exe
3280	taskkill.exe
3772	taskkill.exe
3724	taskkill.exe
2660	taskkill.exe
3932	taskkill.exe
2120	taskkill.exe
4488	taskkill.exe
1432	taskkill.exe
3216	taskkill.exe

Modifies registry class 2 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{6D5AE515-087A-4862-BBC8-B66AE676AF6C}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

64new_cip6.exe

pid	process
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe
4268	64new_cip6.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exewbengine.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	3280	taskkill.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	704	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeBackupPrivilege	3104	vssvc.exe
Token: SeRestorePrivilege	3104	vssvc.exe
Token: SeAuditPrivilege	3104	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3572	WMIC.exe
Token: SeSecurityPrivilege	3572	WMIC.exe
Token: SeTakeOwnershipPrivilege	3572	WMIC.exe
Token: SeLoadDriverPrivilege	3572	WMIC.exe
Token: SeSystemProfilePrivilege	3572	WMIC.exe
Token: SeSystemtimePrivilege	3572	WMIC.exe
Token: SeProfSingleProcessPrivilege	3572	WMIC.exe
Token: SeIncBasePriorityPrivilege	3572	WMIC.exe
Token: SeCreatePagefilePrivilege	3572	WMIC.exe
Token: SeBackupPrivilege	3572	WMIC.exe
Token: SeRestorePrivilege	3572	WMIC.exe
Token: SeShutdownPrivilege	3572	WMIC.exe
Token: SeDebugPrivilege	3572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3572	WMIC.exe
Token: SeRemoteShutdownPrivilege	3572	WMIC.exe
Token: SeUndockPrivilege	3572	WMIC.exe
Token: SeManageVolumePrivilege	3572	WMIC.exe
Token: 33	3572	WMIC.exe
Token: 34	3572	WMIC.exe
Token: 35	3572	WMIC.exe
Token: 36	3572	WMIC.exe
Token: SeBackupPrivilege	1092	wbengine.exe
Token: SeRestorePrivilege	1092	wbengine.exe
Token: SeSecurityPrivilege	1092	wbengine.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe
Token: SeShutdownPrivilege	3844	explorer.exe
Token: SeCreatePagefilePrivilege	3844	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

explorer.exe

pid process

3844 explorer.exe
3844 explorer.exe
3844 explorer.exe
3844 explorer.exe
3844 explorer.exe
3844 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

3844 explorer.exe
3844 explorer.exe
3844 explorer.exe
3844 explorer.exe
3844 explorer.exe
3844 explorer.exe
3844 explorer.exe
3844 explorer.exe

pid	process
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe

pid	process
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe
3844	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

64new_cip6.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4268 wrote to memory of 5068	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 5068	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 5068	4268	64new_cip6.exe	cmd.exe
PID 5068 wrote to memory of 3236	5068	cmd.exe	cmd.exe
PID 5068 wrote to memory of 3236	5068	cmd.exe	cmd.exe
PID 4268 wrote to memory of 3924	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 3924	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 3924	4268	64new_cip6.exe	cmd.exe
PID 3924 wrote to memory of 4760	3924	cmd.exe	cmd.exe
PID 3924 wrote to memory of 4760	3924	cmd.exe	cmd.exe
PID 4760 wrote to memory of 624	4760	cmd.exe	taskkill.exe
PID 4760 wrote to memory of 624	4760	cmd.exe	taskkill.exe
PID 4268 wrote to memory of 4736	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 4736	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 4736	4268	64new_cip6.exe	cmd.exe
PID 4736 wrote to memory of 3656	4736	cmd.exe	cmd.exe
PID 4736 wrote to memory of 3656	4736	cmd.exe	cmd.exe
PID 3656 wrote to memory of 2116	3656	cmd.exe	taskkill.exe
PID 3656 wrote to memory of 2116	3656	cmd.exe	taskkill.exe
PID 4268 wrote to memory of 1548	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 1548	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 1548	4268	64new_cip6.exe	cmd.exe
PID 1548 wrote to memory of 4148	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 4148	1548	cmd.exe	cmd.exe
PID 4148 wrote to memory of 2120	4148	cmd.exe	taskkill.exe
PID 4148 wrote to memory of 2120	4148	cmd.exe	taskkill.exe
PID 4268 wrote to memory of 1792	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 1792	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 1792	4268	64new_cip6.exe	cmd.exe
PID 1792 wrote to memory of 1980	1792	cmd.exe	cmd.exe
PID 1792 wrote to memory of 1980	1792	cmd.exe	cmd.exe
PID 1980 wrote to memory of 1560	1980	cmd.exe	taskkill.exe
PID 1980 wrote to memory of 1560	1980	cmd.exe	taskkill.exe
PID 4268 wrote to memory of 1504	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 1504	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 1504	4268	64new_cip6.exe	cmd.exe
PID 1504 wrote to memory of 1936	1504	cmd.exe	cmd.exe
PID 1504 wrote to memory of 1936	1504	cmd.exe	cmd.exe
PID 1936 wrote to memory of 4488	1936	cmd.exe	taskkill.exe
PID 1936 wrote to memory of 4488	1936	cmd.exe	taskkill.exe
PID 4268 wrote to memory of 3784	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 3784	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 3784	4268	64new_cip6.exe	cmd.exe
PID 3784 wrote to memory of 3016	3784	cmd.exe	cmd.exe
PID 3784 wrote to memory of 3016	3784	cmd.exe	cmd.exe
PID 3016 wrote to memory of 4432	3016	cmd.exe	taskkill.exe
PID 3016 wrote to memory of 4432	3016	cmd.exe	taskkill.exe
PID 4268 wrote to memory of 380	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 380	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 380	4268	64new_cip6.exe	cmd.exe
PID 380 wrote to memory of 4756	380	cmd.exe	cmd.exe
PID 380 wrote to memory of 4756	380	cmd.exe	cmd.exe
PID 4756 wrote to memory of 3280	4756	cmd.exe	taskkill.exe
PID 4756 wrote to memory of 3280	4756	cmd.exe	taskkill.exe
PID 4268 wrote to memory of 4524	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 4524	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 4524	4268	64new_cip6.exe	cmd.exe
PID 4524 wrote to memory of 1908	4524	cmd.exe	cmd.exe
PID 4524 wrote to memory of 1908	4524	cmd.exe	cmd.exe
PID 1908 wrote to memory of 3724	1908	cmd.exe	taskkill.exe
PID 1908 wrote to memory of 3724	1908	cmd.exe	taskkill.exe
PID 4268 wrote to memory of 4260	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 4260	4268	64new_cip6.exe	cmd.exe
PID 4268 wrote to memory of 4260	4268	64new_cip6.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

64new_cip6.exe64new_cip6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip6.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe
"C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
3⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
4⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlwriter.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
3⤵
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
4⤵
PID:4288

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
3⤵
PID:3316

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
4⤵
PID:1496

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
PID:3108

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
4⤵
PID:3500

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
3⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
4⤵
PID:868

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
3⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
4⤵
PID:4236

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
3⤵
PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
4⤵
PID:772

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
3⤵
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
4⤵
PID:3968

C:\Windows\system32\taskkill.exe
taskkill -f -im postgres.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
3⤵
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
4⤵
PID:3572

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
5⤵
PID:2104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
6⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
3⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
4⤵
PID:3592

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
5⤵
PID:4708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
6⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
3⤵
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
4⤵
PID:932

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
5⤵
PID:1140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
6⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
3⤵
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
4⤵
PID:3208

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
5⤵
PID:636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
6⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
3⤵
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
4⤵
PID:1112

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
5⤵
PID:2204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
6⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
3⤵
PID:1444

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
4⤵
PID:1580

C:\Windows\system32\net.exe
net stop SQLBrowser
5⤵
PID:316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
6⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
3⤵
PID:3416

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
4⤵
PID:1312

C:\Windows\system32\net.exe
net stop ReportServer$ISARS
5⤵
PID:176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
3⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
4⤵
PID:2196

C:\Windows\system32\net.exe
net stop SQLWriter
5⤵
PID:3204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
6⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
4⤵
PID:4980

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
3⤵
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
4⤵
PID:3720

C:\Windows\system32\wbadmin.exe
wbadmin delete backup -keepVersions:0 -quiet
5⤵
- Deletes system backups
- Drops file in Windows directory
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
3⤵
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
4⤵
PID:4452

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
5⤵
- Deletes System State backups
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
3⤵
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
4⤵
PID:2104

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
4⤵
PID:2544

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
5⤵
- Deletes System State backups
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
3⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
4⤵
PID:812

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
5⤵
- Modifies boot configuration data using bcdedit
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
4⤵
PID:1140

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:4992

C:\Windows\SysWOW64\cipher.exe
cipher /w:\\?\C:
3⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe
\\?\C:\Users\Admin\AppData\Local\Temp\64new_cip6.exe -network
2⤵
- System policy modification
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:4288

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 676 -s 7696
2⤵
- Program crash
PID:2168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
1⤵
PID:2628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 676 -ip 676
1⤵
PID:2720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1860

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3844

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3844 -s 2280
2⤵
- Program crash
PID:3376

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 3844 -ip 3844
1⤵
PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

2

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

4

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

5

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.cipher6
Filesize
624KB

MD5
f4c4ed0c4fb6cbf141c1c368aae13447

SHA1
2f049e453a19c97698087328c6698e63b89cce1d

SHA256
00d56da42bc7cd1717141cc529a8eb12d83d32dfbdffcb91ef4e65d721f8270c

SHA512
8994cfe9a0175c5fdfd1f3229de5d3c11534a1271edcfb31df4114cbd20ba81a69c873221bd637aa65054f79a436698d63c49481e7c27be14d1d5ad2f35c1513

Download Submit
memory/380-152-0x0000000000000000-mapping.dmp

Download
memory/624-136-0x0000000000000000-mapping.dmp

Download
memory/704-169-0x0000000000000000-mapping.dmp

Download
memory/772-177-0x0000000000000000-mapping.dmp

Download
memory/868-171-0x0000000000000000-mapping.dmp

Download
memory/892-164-0x0000000000000000-mapping.dmp

Download
memory/932-191-0x0000000000000000-mapping.dmp

Download
memory/1140-192-0x0000000000000000-mapping.dmp

Download
memory/1156-193-0x0000000000000000-mapping.dmp

Download
memory/1424-172-0x0000000000000000-mapping.dmp

Download
memory/1432-175-0x0000000000000000-mapping.dmp

Download
memory/1496-162-0x0000000000000000-mapping.dmp

Download
memory/1504-146-0x0000000000000000-mapping.dmp

Download
memory/1548-140-0x0000000000000000-mapping.dmp

Download
memory/1560-145-0x0000000000000000-mapping.dmp

Download
memory/1568-173-0x0000000000000000-mapping.dmp

Download
memory/1640-194-0x0000000000000000-mapping.dmp

Download
memory/1760-163-0x0000000000000000-mapping.dmp

Download
memory/1792-143-0x0000000000000000-mapping.dmp

Download
memory/1908-156-0x0000000000000000-mapping.dmp

Download
memory/1936-147-0x0000000000000000-mapping.dmp

Download
memory/1980-144-0x0000000000000000-mapping.dmp

Download
memory/2104-184-0x0000000000000000-mapping.dmp

Download
memory/2116-139-0x0000000000000000-mapping.dmp

Download
memory/2120-142-0x0000000000000000-mapping.dmp

Download
memory/2660-166-0x0000000000000000-mapping.dmp

Download
memory/2832-190-0x0000000000000000-mapping.dmp

Download
memory/2948-176-0x0000000000000000-mapping.dmp

Download
memory/3016-150-0x0000000000000000-mapping.dmp

Download
memory/3108-165-0x0000000000000000-mapping.dmp

Download
memory/3208-195-0x0000000000000000-mapping.dmp

Download
memory/3216-181-0x0000000000000000-mapping.dmp

Download
memory/3236-133-0x0000000000000000-mapping.dmp

Download
memory/3280-154-0x0000000000000000-mapping.dmp

Download
memory/3316-161-0x0000000000000000-mapping.dmp

Download
memory/3488-170-0x0000000000000000-mapping.dmp

Download
memory/3500-168-0x0000000000000000-mapping.dmp

Download
memory/3572-183-0x0000000000000000-mapping.dmp

Download
memory/3592-187-0x0000000000000000-mapping.dmp

Download
memory/3656-138-0x0000000000000000-mapping.dmp

Download
memory/3724-157-0x0000000000000000-mapping.dmp

Download
memory/3772-160-0x0000000000000000-mapping.dmp

Download
memory/3776-185-0x0000000000000000-mapping.dmp

Download
memory/3784-149-0x0000000000000000-mapping.dmp

Download
memory/3924-134-0x0000000000000000-mapping.dmp

Download
memory/3932-178-0x0000000000000000-mapping.dmp

Download
memory/3968-180-0x0000000000000000-mapping.dmp

Download
memory/4148-141-0x0000000000000000-mapping.dmp

Download
memory/4224-167-0x0000000000000000-mapping.dmp

Download
memory/4236-174-0x0000000000000000-mapping.dmp

Download
memory/4260-158-0x0000000000000000-mapping.dmp

Download
memory/4288-159-0x0000000000000000-mapping.dmp

Download
memory/4432-151-0x0000000000000000-mapping.dmp

Download
memory/4464-179-0x0000000000000000-mapping.dmp

Download
memory/4488-148-0x0000000000000000-mapping.dmp

Download
memory/4524-155-0x0000000000000000-mapping.dmp

Download
memory/4708-188-0x0000000000000000-mapping.dmp

Download
memory/4736-137-0x0000000000000000-mapping.dmp

Download
memory/4756-153-0x0000000000000000-mapping.dmp

Download
memory/4760-135-0x0000000000000000-mapping.dmp

Download
memory/4836-189-0x0000000000000000-mapping.dmp

Download
memory/4856-182-0x0000000000000000-mapping.dmp

Download
memory/5064-186-0x0000000000000000-mapping.dmp

Download
memory/5068-132-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads