Resubmissions
29-11-2022 11:01  221129-m4n2rafd8v  score 10

Analysis
max time kernel: 137s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 11:01

Static task: static1
Behavioral task: behavioral1
  Sample: 64new_cip8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 64new_cip8.exe
  Resource: win10v2004-20220812-en
General
Target: 64new_cip8.exe
Size: 309KB
MD5: 681ba901bb6deb49ecdc83c9e5dcc548
SHA1: 5553534db3d538adab933a74e1399357616cfe4f
SHA256: c66ba850b29e7d9302621a209882a0f86bdd158faba936c7a045d82c3669bcd0
SHA512: 5d0d01b68f82e96e5d872043d9274b16f4b83a7998136deb20c1d4c2e4c5be298cc786e4ae17ad7b587538ec963cc70443836a60132c000f010beb69d008fb50
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l003WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++38aw7c
Malware Config
Extracted
Path: \??\A:\!-Recovery_Instructions-!.html
Email: Mikesupp77@outlook.com
URL: https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
Processes:
  description            pid   process         target process
  PID 1388 created 1244  1388  64new_cip8.exe  Explorer.EXE
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description   ioc                                                                                   process
  File renamed  C:\Users\Admin\Pictures\BlockClose.png => C:\Users\Admin\Pictures\BlockClose.png.cipher8    64new_cip8.exe
  File renamed  C:\Users\Admin\Pictures\ResolveSync.crw => C:\Users\Admin\Pictures\ResolveSync.crw.cipher8  64new_cip8.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc                                                                process
  File opened (read-only)  \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:,   64new_cip8.exe
                           \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:,
                           \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  (24 entries: one per drive letter except C: and D:)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  1112  1244        WerFault.exe  Explorer.EXE
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1596  vssadmin.exe
Kills process with taskkill (16 IoCs)
Processes:
  process       pid
  taskkill.exe  1548, 1756, 1200, 708, 1536, 1748, 560, 1700, 672, 1100, 2036, 112, 1608, 984, 840, 1060  (16 instances)

Runs net.exe
Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  pid   process
  1388  64new_cip8.exe  (60 entries, all from the same process instance)
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
  description                pid   process
  Token: SeDebugPrivilege    1200  taskkill.exe
  Token: SeDebugPrivilege    708   taskkill.exe
  Token: SeDebugPrivilege    1548  taskkill.exe
  Token: SeDebugPrivilege    672   taskkill.exe
  Token: SeDebugPrivilege    1100  taskkill.exe
  Token: SeDebugPrivilege    2036  taskkill.exe
  Token: SeDebugPrivilege    112   taskkill.exe
  Token: SeDebugPrivilege    840   taskkill.exe
  Token: SeDebugPrivilege    1608  taskkill.exe
  Token: SeDebugPrivilege    1536  taskkill.exe
  Token: SeDebugPrivilege    1748  taskkill.exe
  Token: SeDebugPrivilege    560   taskkill.exe
  Token: SeDebugPrivilege    1060  taskkill.exe
  Token: SeDebugPrivilege    984   taskkill.exe
  Token: SeDebugPrivilege    1700  taskkill.exe
  Token: SeDebugPrivilege    1756  taskkill.exe
  Token: SeBackupPrivilege   1852  vssvc.exe
  Token: SeRestorePrivilege  1852  vssvc.exe
  Token: SeAuditPrivilege    1852  vssvc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID -> target PID, source process -> target process, number of "wrote to memory of" entries):
  1388 -> 1552  64new_cip8.exe -> cmd.exe   (4)
  1552 -> 1400  cmd.exe -> cmd.exe          (4)
  1388 -> 1240  64new_cip8.exe -> cmd.exe   (4)
  1240 -> 1204  cmd.exe -> cmd.exe          (4)
  1204 -> 1200  cmd.exe -> taskkill.exe     (3)
  1388 -> 1768  64new_cip8.exe -> cmd.exe   (4)
  1768 -> 1856  cmd.exe -> cmd.exe          (4)
  1856 -> 708   cmd.exe -> taskkill.exe     (3)
  1388 -> 804   64new_cip8.exe -> cmd.exe   (4)
  804  -> 1112  cmd.exe -> cmd.exe          (4)
  1112 -> 1548  cmd.exe -> taskkill.exe     (3)
  1388 -> 316   64new_cip8.exe -> cmd.exe   (4)
  316  -> 1428  cmd.exe -> cmd.exe          (4)
  1428 -> 672   cmd.exe -> taskkill.exe     (3)
  1388 -> 344   64new_cip8.exe -> cmd.exe   (4)
  344  -> 2012  cmd.exe -> cmd.exe          (4)
  2012 -> 1100  cmd.exe -> taskkill.exe     (3)
  1388 -> 1680  64new_cip8.exe -> cmd.exe   (1, last of the 64 listed entries)
System policy modification (1 TTPs, 4 IoCs)
Processes:
  description      ioc                                                                                                  process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                          64new_cip8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  64new_cip8.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                          64new_cip8.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  64new_cip8.exe
  (two entries each, one per 64new_cip8.exe instance)
Processes
(image path, then "cmd:" command line, then signatures; indentation shows the parent/child depth)

C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Modifies extensions of user files
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im sqlbrowser.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im sqlwriter.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im sqlservr.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im msmdsrv.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im MsDtsSrvr.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im sqlceip.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im fdlauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im Ssms.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im SQLAGENT.EXE
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im fdhost.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im fdlauncher.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im sqlservr.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im msftesql.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im pg_ctl.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      C:\Windows\system32\taskkill.exe
        cmd: taskkill -f -im postgres.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      C:\Windows\system32\net.exe
        cmd: net stop MSSQLServerADHelper100
        C:\Windows\system32\net1.exe
          cmd: C:\Windows\system32\net1 stop MSSQLServerADHelper100
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      C:\Windows\system32\net.exe
        cmd: net stop MSSQL$ISARS
        C:\Windows\system32\net1.exe
          cmd: C:\Windows\system32\net1 stop MSSQL$ISARS
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      C:\Windows\system32\net.exe
        cmd: net stop MSSQL$MSFW
        C:\Windows\system32\net1.exe
          cmd: C:\Windows\system32\net1 stop MSSQL$MSFW
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      C:\Windows\system32\net.exe
        cmd: net stop SQLAgent$ISARS
        C:\Windows\system32\net1.exe
          cmd: C:\Windows\system32\net1 stop SQLAgent$ISARS
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      C:\Windows\system32\net.exe
        cmd: net stop SQLAgent$MSFW
        C:\Windows\system32\net1.exe
          cmd: C:\Windows\system32\net1 stop SQLAgent$MSFW
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      C:\Windows\system32\net.exe
        cmd: net stop SQLBrowser
        C:\Windows\system32\net1.exe
          cmd: C:\Windows\system32\net1 stop SQLBrowser
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
      C:\Windows\system32\net.exe
        cmd: net stop ReportServer$ISARS
        C:\Windows\system32\net1.exe
          cmd: C:\Windows\system32\net1 stop ReportServer$ISARS
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
  C:\Windows\SysWOW64\cmd.exe
    cmd: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    C:\Windows\system32\cmd.exe
      cmd: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      C:\Windows\system32\vssadmin.exe
        cmd: vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe
    cmd: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe -network
    - System policy modification
    C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c pause
  C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -u -p 1244 -s 1352
    - Program crash

C:\Windows\system32\taskkill.exe
  cmd: taskkill -f -im ReportingServicesService.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\net.exe
  cmd: net stop SQLWriter
  C:\Windows\system32\net1.exe
    cmd: C:\Windows\system32\net1 stop SQLWriter

C:\Windows\system32\vssvc.exe
  cmd: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken