c66ba850b29e7d9302621a209882a0f86bdd158faba936c7a045d82c3669bcd0

General

Target

64new_cip8.exe
Size

309KB
MD5

681ba901bb6deb49ecdc83c9e5dcc548
SHA1

5553534db3d538adab933a74e1399357616cfe4f
SHA256

c66ba850b29e7d9302621a209882a0f86bdd158faba936c7a045d82c3669bcd0
SHA512

5d0d01b68f82e96e5d872043d9274b16f4b83a7998136deb20c1d4c2e4c5be298cc786e4ae17ad7b587538ec963cc70443836a60132c000f010beb69d008fb50
SSDEEP

6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l003WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++38aw7c

Score

10^/10

ransomware

Malware Config

Extracted

Path

\??\A:\!-Recovery_Instructions-!.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for pricing and decryption software.</p> <p> Contact us by email:<p> <h2>Mikesupp77@outlook.com</h2> </p>If you do not receive a response within 24 hours, please contact us at our additional contacts:</p> <p> 1) Download for TOX CHAT https://tox.chat/download.html</p> <p> 2) Open chat<p> <p>Add ID Chat: </p><h2>3C9D49B928FDC3C15F0314217623A71B865909B308576B4B0D10AEA62C98677B4A3F160D5C93</h2> <p>If we did not answer you, leave the chat enabled, the operator will contact you!<p> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> Your ID: Zz3fRxJHvgAVuL0fejKU7/k/IwWYApoHRlPyHwEHFZI1jpTmxjVtiFWFFiLBsXdnUKxhHZzoYsqM4BCv1M0XWQgJ/LzQgrluqp9EfOZ6brOj2l/TyUA9v4F/1cA56n8TAOsttG+3MufbhZgOtO2QxJ/piFciVoeuxSgZN8fIDC1CUL7T4vXi0bBMZt1i+L+kEnBuxjin1w26AtQVYYtLMSag+bptKaJOtOO36Jo9OttWnJTyR+8YF5wc5Mmu0NYNIAqK9OR0dPKKfdSCEjFSnwHwxeouGFkp/Nbtn5XGKELox9UGd34p+tD77lw2VMrr1zlVCO+jd/owP5Jh4wS3QRlufwzyg4avMe5RsWyLt17XUQNEY2oBm0ejW0bix0tbS1dzE5acygsHSeaSVr+7CPclBFbl8vmtpJSFxV8V2H93w7TiOrHj5Qbtx65DvEq1KXgaGWHkcOiwlM2tZbTCsMRoO6zrM991gaawl55FF6+/5rlr9evw2/W6YtZ1yagJzBkSgdp2pPVxQdKw1dCNzwAN9LPwCOaJXSwB+lmgjf1TOWMo7rC7Sc9MZ1fInEuI24//QNyLE+5dUy5c6w4Z6uW0SSbkL+9wfOISHSVPn4K2WKfPe1rn0g7xAzH5uFB38tJAsFtgopl3dtT7CDLOkeOw+mSqDxNkKjjmtZHoFiHTKNaD3Lx4fTey+LSkZ299uGehLvH1xMZMaCddyAg6jYRtyfHOFuVX1kl7HEiNi/Vpm+qp1Xq0LW/MVYX4QTMAe/6RlPaU0jMBlvoDz0akAN/LwMmO7BcKzoSNpf7mbkcg/CDKM1IKOObgIX2rIQR1i7Rz7ChSiJlm4mcH38alZkvwPP3QWuTkY8RQVQMnLNnZ7ZX/P2b1vDFHZtRIrE+vzniu66REGrODNqVdNo8H66KvjTJrgQpG0LPOTSfu9q5NMWAvoA6zS8XFdHvFmS54YWkJ8Ie34y3VmQ5zDUbt383TAPJvY/PGSOPyGeXWWGhF9ZAMUkUtDTZmLVfeUjxwDC0h8QdQVJBE9EIXKtEAoZIMl+hNJ+Z8NUXj8FYNzBnpi45G52MJy1iar2patjMo8D/+fvNrYBbPxdt+G1UUPs5Aj8KHEBP4AW/j87SeVgCqH0fIU6nd13k645mn3Lay027ff/cl9OPk/zxR5Ri0UoQdRXymikx7N79D4qhnVsGe4LWzejyDRMazDHilnNCoxlodMbPAVbzhwm9UU5GoQG0/YLFrpDvJ5aQCOuKF7Ko68IcL4p2PnWvDx3x/kbvh82du6m1MQTCGu8ZGc5ADn+B3kB1o1XDtPorvKEwStjd+Pk658ckkeKda1esaXNjjsVhlfcxAGxWYEAw3qBD7oU9WdIPil9aneTjB42R+EIry29rXHNbfHPo3ux7WUG2A3i7ZSUiNsyckxpLPS25nYs50iTQUYBpWWj5g7wJQkxpU4ynklS6ZSIJzknfT/YVIRvX/BFf7MB/WtGf7dXxycdGQHEKC+MJir/pIzYMlxKjh4kUxs2554K4PcUT01anCPwjLOr+yIeU27zSrj89cEUkFRKk9UAxtWZBsRqkQa/yU8+xE5OMoBM/+flJaCIvsCci71BTPltA3GkfetY030QfgxqgvPGx/sN7Wb82Zu8Wp0PdM0714/w3NLviPKZD1Dhd6v2bXKtvFDjybH5ejPFjG9uErTxd1FL0zmLgmU9g=

Emails

<h2>Mikesupp77@outlook.com</h2>

URLs

https://tox.chat/download.html</p>

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

64new_cip8.exe

description pid process target process

PID 1388 created 1244 1388 64new_cip8.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

description	pid	process	target process
PID 1388 created 1244	1388	64new_cip8.exe	Explorer.EXE

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

64new_cip8.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BlockClose.png => C:\Users\Admin\Pictures\BlockClose.png.cipher8	64new_cip8.exe
File renamed	C:\Users\Admin\Pictures\ResolveSync.crw => C:\Users\Admin\Pictures\ResolveSync.crw.cipher8	64new_cip8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

64new_cip8.exe

description	ioc	process
File opened (read-only)	\??\G:	64new_cip8.exe
File opened (read-only)	\??\L:	64new_cip8.exe
File opened (read-only)	\??\W:	64new_cip8.exe
File opened (read-only)	\??\Y:	64new_cip8.exe
File opened (read-only)	\??\B:	64new_cip8.exe
File opened (read-only)	\??\O:	64new_cip8.exe
File opened (read-only)	\??\A:	64new_cip8.exe
File opened (read-only)	\??\I:	64new_cip8.exe
File opened (read-only)	\??\J:	64new_cip8.exe
File opened (read-only)	\??\M:	64new_cip8.exe
File opened (read-only)	\??\N:	64new_cip8.exe
File opened (read-only)	\??\P:	64new_cip8.exe
File opened (read-only)	\??\S:	64new_cip8.exe
File opened (read-only)	\??\X:	64new_cip8.exe
File opened (read-only)	\??\E:	64new_cip8.exe
File opened (read-only)	\??\H:	64new_cip8.exe
File opened (read-only)	\??\K:	64new_cip8.exe
File opened (read-only)	\??\Q:	64new_cip8.exe
File opened (read-only)	\??\R:	64new_cip8.exe
File opened (read-only)	\??\T:	64new_cip8.exe
File opened (read-only)	\??\U:	64new_cip8.exe
File opened (read-only)	\??\V:	64new_cip8.exe
File opened (read-only)	\??\F:	64new_cip8.exe
File opened (read-only)	\??\Z:	64new_cip8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1112 1244 WerFault.exe Explorer.EXE
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1596 vssadmin.exe

pid	pid_target	process	target process
1112	1244	WerFault.exe	Explorer.EXE

pid	process
1596	vssadmin.exe

Kills process with taskkill 16 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1548	taskkill.exe
1756	taskkill.exe
1200	taskkill.exe
708	taskkill.exe
1536	taskkill.exe
1748	taskkill.exe
560	taskkill.exe
1700	taskkill.exe
672	taskkill.exe
1100	taskkill.exe
2036	taskkill.exe
112	taskkill.exe
1608	taskkill.exe
984	taskkill.exe
840	taskkill.exe
1060	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

64new_cip8.exe

pid	process
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe
1388	64new_cip8.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	708	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeBackupPrivilege	1852	vssvc.exe
Token: SeRestorePrivilege	1852	vssvc.exe
Token: SeAuditPrivilege	1852	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

64new_cip8.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1388 wrote to memory of 1552	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 1552	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 1552	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 1552	1388	64new_cip8.exe	cmd.exe
PID 1552 wrote to memory of 1400	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 1400	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 1400	1552	cmd.exe	cmd.exe
PID 1552 wrote to memory of 1400	1552	cmd.exe	cmd.exe
PID 1388 wrote to memory of 1240	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 1240	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 1240	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 1240	1388	64new_cip8.exe	cmd.exe
PID 1240 wrote to memory of 1204	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 1204	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 1204	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 1204	1240	cmd.exe	cmd.exe
PID 1204 wrote to memory of 1200	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 1200	1204	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 1200	1204	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 1768	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 1768	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 1768	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 1768	1388	64new_cip8.exe	cmd.exe
PID 1768 wrote to memory of 1856	1768	cmd.exe	cmd.exe
PID 1768 wrote to memory of 1856	1768	cmd.exe	cmd.exe
PID 1768 wrote to memory of 1856	1768	cmd.exe	cmd.exe
PID 1768 wrote to memory of 1856	1768	cmd.exe	cmd.exe
PID 1856 wrote to memory of 708	1856	cmd.exe	taskkill.exe
PID 1856 wrote to memory of 708	1856	cmd.exe	taskkill.exe
PID 1856 wrote to memory of 708	1856	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 804	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 804	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 804	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 804	1388	64new_cip8.exe	cmd.exe
PID 804 wrote to memory of 1112	804	cmd.exe	cmd.exe
PID 804 wrote to memory of 1112	804	cmd.exe	cmd.exe
PID 804 wrote to memory of 1112	804	cmd.exe	cmd.exe
PID 804 wrote to memory of 1112	804	cmd.exe	cmd.exe
PID 1112 wrote to memory of 1548	1112	cmd.exe	taskkill.exe
PID 1112 wrote to memory of 1548	1112	cmd.exe	taskkill.exe
PID 1112 wrote to memory of 1548	1112	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 316	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 316	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 316	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 316	1388	64new_cip8.exe	cmd.exe
PID 316 wrote to memory of 1428	316	cmd.exe	cmd.exe
PID 316 wrote to memory of 1428	316	cmd.exe	cmd.exe
PID 316 wrote to memory of 1428	316	cmd.exe	cmd.exe
PID 316 wrote to memory of 1428	316	cmd.exe	cmd.exe
PID 1428 wrote to memory of 672	1428	cmd.exe	taskkill.exe
PID 1428 wrote to memory of 672	1428	cmd.exe	taskkill.exe
PID 1428 wrote to memory of 672	1428	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 344	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 344	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 344	1388	64new_cip8.exe	cmd.exe
PID 1388 wrote to memory of 344	1388	64new_cip8.exe	cmd.exe
PID 344 wrote to memory of 2012	344	cmd.exe	cmd.exe
PID 344 wrote to memory of 2012	344	cmd.exe	cmd.exe
PID 344 wrote to memory of 2012	344	cmd.exe	cmd.exe
PID 344 wrote to memory of 2012	344	cmd.exe	cmd.exe
PID 2012 wrote to memory of 1100	2012	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 1100	2012	cmd.exe	taskkill.exe
PID 2012 wrote to memory of 1100	2012	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 1680	1388	64new_cip8.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

64new_cip8.exe64new_cip8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip8.exe

C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe
"C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
3⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlwriter.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
2⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
3⤵
PID:1932

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
2⤵
PID:968

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
PID:1792

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
2⤵
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
3⤵
PID:1736

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
2⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
3⤵
PID:1344

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
2⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
3⤵
PID:548

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
2⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
PID:832

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
2⤵
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
PID:1260

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
2⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
3⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
2⤵
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
3⤵
PID:1056

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
2⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
3⤵
PID:1552

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
2⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
3⤵
PID:628

C:\Windows\system32\taskkill.exe
taskkill -f -im postgres.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
2⤵
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
3⤵
PID:568

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
4⤵
PID:1008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
5⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
2⤵
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
3⤵
PID:1768

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
4⤵
PID:1596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
5⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
2⤵
PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
3⤵
PID:1788

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
4⤵
PID:1988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
5⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
2⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
3⤵
PID:1632

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
4⤵
PID:1500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
5⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
2⤵
PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
3⤵
PID:240

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
4⤵
PID:1100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
5⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
2⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
3⤵
PID:1236

C:\Windows\system32\net.exe
net stop SQLBrowser
4⤵
PID:344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
5⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
2⤵
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
3⤵
PID:1452

C:\Windows\system32\net.exe
net stop ReportServer$ISARS
4⤵
PID:1076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
5⤵
PID:296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
2⤵
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
3⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2⤵
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:1696

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1596

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe
\\?\C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe -network
2⤵
- System policy modification
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:1716

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1244 -s 1352
2⤵
- Program crash
PID:1112

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\net.exe
net stop SQLWriter
1⤵
PID:112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
2⤵
PID:2028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-77-0x0000000000000000-mapping.dmp

Download
memory/316-66-0x0000000000000000-mapping.dmp

Download
memory/344-69-0x0000000000000000-mapping.dmp

Download
memory/548-85-0x0000000000000000-mapping.dmp

Download
memory/560-92-0x0000000000000000-mapping.dmp

Download
memory/568-106-0x0000000000000000-mapping.dmp

Download
memory/576-108-0x0000000000000000-mapping.dmp

Download
memory/584-109-0x0000000000000000-mapping.dmp

Download
memory/628-103-0x0000000000000000-mapping.dmp

Download
memory/672-68-0x0000000000000000-mapping.dmp

Download
memory/708-62-0x0000000000000000-mapping.dmp

Download
memory/804-63-0x0000000000000000-mapping.dmp

Download
memory/832-88-0x0000000000000000-mapping.dmp

Download
memory/840-80-0x0000000000000000-mapping.dmp

Download
memory/968-75-0x0000000000000000-mapping.dmp

Download
memory/980-87-0x0000000000000000-mapping.dmp

Download
memory/980-117-0x0000000000000000-mapping.dmp

Download
memory/984-98-0x0000000000000000-mapping.dmp

Download
memory/1008-107-0x0000000000000000-mapping.dmp

Download
memory/1056-97-0x0000000000000000-mapping.dmp

Download
memory/1060-95-0x0000000000000000-mapping.dmp

Download
memory/1100-71-0x0000000000000000-mapping.dmp

Download
memory/1112-64-0x0000000000000000-mapping.dmp

Download
memory/1200-59-0x0000000000000000-mapping.dmp

Download
memory/1204-58-0x0000000000000000-mapping.dmp

Download
memory/1240-57-0x0000000000000000-mapping.dmp

Download
memory/1260-91-0x0000000000000000-mapping.dmp

Download
memory/1264-94-0x0000000000000000-mapping.dmp

Download
memory/1300-81-0x0000000000000000-mapping.dmp

Download
memory/1344-82-0x0000000000000000-mapping.dmp

Download
memory/1344-105-0x0000000000000000-mapping.dmp

Download
memory/1384-84-0x0000000000000000-mapping.dmp

Download
memory/1388-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1400-78-0x0000000000000000-mapping.dmp

Download
memory/1400-56-0x0000000000000000-mapping.dmp

Download
memory/1428-67-0x0000000000000000-mapping.dmp

Download
memory/1428-90-0x0000000000000000-mapping.dmp

Download
memory/1536-86-0x0000000000000000-mapping.dmp

Download
memory/1548-65-0x0000000000000000-mapping.dmp

Download
memory/1552-100-0x0000000000000000-mapping.dmp

Download
memory/1552-55-0x0000000000000000-mapping.dmp

Download
memory/1592-113-0x0000000000000000-mapping.dmp

Download
memory/1596-111-0x0000000000000000-mapping.dmp

Download
memory/1604-112-0x0000000000000000-mapping.dmp

Download
memory/1608-83-0x0000000000000000-mapping.dmp

Download
memory/1632-118-0x0000000000000000-mapping.dmp

Download
memory/1680-72-0x0000000000000000-mapping.dmp

Download
memory/1700-101-0x0000000000000000-mapping.dmp

Download
memory/1736-102-0x0000000000000000-mapping.dmp

Download
memory/1736-79-0x0000000000000000-mapping.dmp

Download
memory/1748-89-0x0000000000000000-mapping.dmp

Download
memory/1756-104-0x0000000000000000-mapping.dmp

Download
memory/1768-110-0x0000000000000000-mapping.dmp

Download
memory/1768-60-0x0000000000000000-mapping.dmp

Download
memory/1788-114-0x0000000000000000-mapping.dmp

Download
memory/1792-99-0x0000000000000000-mapping.dmp

Download
memory/1792-76-0x0000000000000000-mapping.dmp

Download
memory/1824-116-0x0000000000000000-mapping.dmp

Download
memory/1856-61-0x0000000000000000-mapping.dmp

Download
memory/1932-73-0x0000000000000000-mapping.dmp

Download
memory/1932-96-0x0000000000000000-mapping.dmp

Download
memory/1988-115-0x0000000000000000-mapping.dmp

Download
memory/2012-70-0x0000000000000000-mapping.dmp

Download
memory/2012-93-0x0000000000000000-mapping.dmp

Download
memory/2036-74-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads