c66ba850b29e7d9302621a209882a0f86bdd158faba936c7a045d82c3669bcd0

General

Target

64new_cip8.exe
Size

309KB
MD5

681ba901bb6deb49ecdc83c9e5dcc548
SHA1

5553534db3d538adab933a74e1399357616cfe4f
SHA256

c66ba850b29e7d9302621a209882a0f86bdd158faba936c7a045d82c3669bcd0
SHA512

5d0d01b68f82e96e5d872043d9274b16f4b83a7998136deb20c1d4c2e4c5be298cc786e4ae17ad7b587538ec963cc70443836a60132c000f010beb69d008fb50
SSDEEP

6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l003WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++38aw7c

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

\??\A:\!-Recovery_Instructions-!.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for pricing and decryption software.</p> <p> Contact us by email:<p> <h2>Mikesupp77@outlook.com</h2> </p>If you do not receive a response within 24 hours, please contact us at our additional contacts:</p> <p> 1) Download for TOX CHAT https://tox.chat/download.html</p> <p> 2) Open chat<p> <p>Add ID Chat: </p><h2>3C9D49B928FDC3C15F0314217623A71B865909B308576B4B0D10AEA62C98677B4A3F160D5C93</h2> <p>If we did not answer you, leave the chat enabled, the operator will contact you!<p> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> Your ID: tJXiLZa4tV1doA/amSO7ZAw75GAKzCjq5C7UL84SWLUHf7D+7PeCK2GQaWdTnxyS8rd6uQZtB1gFxQxXduxylnMZGPrzTOZS+497bdA1SQYCdRUF0H7tyO8/kAJU1XXW+pitUj2i0BzzRdhMmMKuak+pIjZJ7SrnmKcBHdpIJrVllS2hI+N13mOFcahDtXShQ3hBL3nit7c3CdJguDJPamkLrGtXqvRMYmJ2cxYWSM4AGYNC4QOfiYXsPg+S0/SnZfwKaZ/IgW2/Z1TvLRIRU28xwJ6FjvQ6v3VVJkHZdDD9qUj8/Ct/94d+s9cudwY1SORQtQu7QEFjpmth4azv0fG2j3kHWBpXr8mE67QTjj0m2bEQtbwINBzk0MecJMBy9Lt62praX0oWs+p1Pj0/x0sdA49zE03c9n2I+wncXZPKOFyeUbcXPac+roVojiDj7RwkgS7fO3xP/MkHCJ5OFtp9QYif2jzWnAgsv7lnnLYwHpWyHXl959lzNwAeCrZVt7YAqw77v9YzPGWKbCSbBF6N5XvHOCNtAcfJOu1gKFQwBZZIWrErKc1FbnLDLcaOlehe7YtqhhmVKgDpMgJRu9LTYvnMGXj2UbN4nWqe6v2Oyq6RWFlLR2uHsbN+nrTf4I/rGXdBrK+hi4FGOV8VZkmE2/Wyuj7ye4sEP4XFDOrL5JQJNTm+KjiAQQBggTdixcu3kJROCyhwXCuxnjeo6anJSdNLvZhjpzW6zglj1NMHIDz51NvnYXCJEQudcL8SamBsXUAuN15rs2JNn4aax2s1GQ3jBsPjOS80HlxIrabDrpcme77qXLJGVs3bU69O/vBaMyhqdxDGML65mLioC/QHVekMQW1b4m1pn2mju4UNMuLjKCBG/CMO7Be6DUzSdWxi/lVdYJ4VQRQBnHJjZoFqT9VOflP+rSLDWOKGfO1VhhNQRAOucAwRPLgzgfnhHgoaE8SMhB87OLlxx+XXQ0yiSP2LEHO2GxE0z3/+47mAlAlUEKEtgnin22iqKJhATXynoITUc1VT16CFIMak2yvJTbXW5YksnTYRyeKGw89DFUA4pPFN4M8FOXX6J5gkkoUSMAc7/WiQEudO6HFzAG0Tvg3bTAnYiHz85EtNi+XQXPbs9tWhs35k0hzOUqjrw3qAjWWT1Q+fONF5Xk+4ggCHaKNlWU3gC746LnoC565Ui83lg6m33U54viABj7HQZERsJSBkwDek2+tXxrx6lE65u+hkI4f4/4WM/0c82sQHCAvCcWKRCFQg1oM+qs+Dib03kmLxy41lF4H354wgsRP9Sl9zRXEW2QaRq96memUoM1r9and4Oug4mvMXA+61V9rvns2gYz5rfHvgEB3jFczWiYgGJMaJnXY+xutKJbIfDxmHhprCsffrU/aPfwy5txoltAVvws46ApI3M46cnhk5tNcNcI2Rkdu3D05XwEHErqIVDuoaIJ2BoFXVg0ch8KlgDFSiIySMmIw+Wuu2AuOTAr6I4FOsPoCDnpMWFsgkTnKdUk6wIYO05kGji3QQh6pPVqYpFK6HLW5kUVXQTo3tEhPTFsbbSVdbhoGPe/67g38GPXp0jaJfG9WPxifNK6Vghwqu/jwuoqOT6r/nF/KdzBOw0Fb1CU0QxZf5emMRs0532/WheSV3ygBmJIUJq/JXSPU/RLbcBoTwQoMDCaOd7UwrzxpylIHOxVKE0So=

Emails

<h2>Mikesupp77@outlook.com</h2>

URLs

https://tox.chat/download.html</p>

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

64new_cip8.exe

description pid process target process

PID 1568 created 2616 1568 64new_cip8.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

224 bcdedit.exe
4296 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4688 wbadmin.exe
3324 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4384 wbadmin.exe

description	pid	process	target process
PID 1568 created 2616	1568	64new_cip8.exe	Explorer.EXE

pid	process
224	bcdedit.exe
4296	bcdedit.exe

pid	process
4688	wbadmin.exe
3324	wbadmin.exe

pid	process
4384	wbadmin.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

64new_cip8.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ConvertFromRedo.crw => C:\Users\Admin\Pictures\ConvertFromRedo.crw.cipher8	64new_cip8.exe
File opened for modification	C:\Users\Admin\Pictures\ImportRedo.tiff	64new_cip8.exe
File renamed	C:\Users\Admin\Pictures\ImportRedo.tiff => C:\Users\Admin\Pictures\ImportRedo.tiff.cipher8	64new_cip8.exe
File renamed	C:\Users\Admin\Pictures\UnregisterGroup.tif => C:\Users\Admin\Pictures\UnregisterGroup.tif.cipher8	64new_cip8.exe
File renamed	C:\Users\Admin\Pictures\ConfirmPush.tif => C:\Users\Admin\Pictures\ConfirmPush.tif.cipher8	64new_cip8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

64new_cip8.exe

description	ioc	process
File opened (read-only)	\??\B:	64new_cip8.exe
File opened (read-only)	\??\G:	64new_cip8.exe
File opened (read-only)	\??\J:	64new_cip8.exe
File opened (read-only)	\??\L:	64new_cip8.exe
File opened (read-only)	\??\T:	64new_cip8.exe
File opened (read-only)	\??\W:	64new_cip8.exe
File opened (read-only)	\??\X:	64new_cip8.exe
File opened (read-only)	\??\S:	64new_cip8.exe
File opened (read-only)	\??\U:	64new_cip8.exe
File opened (read-only)	\??\F:	64new_cip8.exe
File opened (read-only)	\??\H:	64new_cip8.exe
File opened (read-only)	\??\I:	64new_cip8.exe
File opened (read-only)	\??\M:	64new_cip8.exe
File opened (read-only)	\??\P:	64new_cip8.exe
File opened (read-only)	\??\R:	64new_cip8.exe
File opened (read-only)	\??\V:	64new_cip8.exe
File opened (read-only)	\??\Z:	64new_cip8.exe
File opened (read-only)	\??\Y:	64new_cip8.exe
File opened (read-only)	\??\A:	64new_cip8.exe
File opened (read-only)	\??\E:	64new_cip8.exe
File opened (read-only)	\??\K:	64new_cip8.exe
File opened (read-only)	\??\N:	64new_cip8.exe
File opened (read-only)	\??\O:	64new_cip8.exe
File opened (read-only)	\??\Q:	64new_cip8.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1792 2616 WerFault.exe Explorer.EXE
440 4020 WerFault.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2680 vssadmin.exe

pid	pid_target	process	target process
1792	2616	WerFault.exe	Explorer.EXE
440	4020	WerFault.exe

pid	process
2680	vssadmin.exe

Kills process with taskkill 16 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4892	taskkill.exe
4460	taskkill.exe
3428	taskkill.exe
608	taskkill.exe
5072	taskkill.exe
3104	taskkill.exe
3588	taskkill.exe
2860	taskkill.exe
2784	taskkill.exe
2044	taskkill.exe
5092	taskkill.exe
4748	taskkill.exe
604	taskkill.exe
220	taskkill.exe
4072	taskkill.exe
860	taskkill.exe

Modifies registry class 2 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{AFF1FE51-F87C-449A-A316-9872D9D800F6}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

64new_cip8.exe

pid	process
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe
1568	64new_cip8.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exewbengine.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4748	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	4072	taskkill.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	5072	taskkill.exe
Token: SeDebugPrivilege	3104	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	3588	taskkill.exe
Token: SeDebugPrivilege	3428	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeBackupPrivilege	2008	vssvc.exe
Token: SeRestorePrivilege	2008	vssvc.exe
Token: SeAuditPrivilege	2008	vssvc.exe
Token: SeIncreaseQuotaPrivilege	400	WMIC.exe
Token: SeSecurityPrivilege	400	WMIC.exe
Token: SeTakeOwnershipPrivilege	400	WMIC.exe
Token: SeLoadDriverPrivilege	400	WMIC.exe
Token: SeSystemProfilePrivilege	400	WMIC.exe
Token: SeSystemtimePrivilege	400	WMIC.exe
Token: SeProfSingleProcessPrivilege	400	WMIC.exe
Token: SeIncBasePriorityPrivilege	400	WMIC.exe
Token: SeCreatePagefilePrivilege	400	WMIC.exe
Token: SeBackupPrivilege	400	WMIC.exe
Token: SeRestorePrivilege	400	WMIC.exe
Token: SeShutdownPrivilege	400	WMIC.exe
Token: SeDebugPrivilege	400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	400	WMIC.exe
Token: SeRemoteShutdownPrivilege	400	WMIC.exe
Token: SeUndockPrivilege	400	WMIC.exe
Token: SeManageVolumePrivilege	400	WMIC.exe
Token: 33	400	WMIC.exe
Token: 34	400	WMIC.exe
Token: 35	400	WMIC.exe
Token: 36	400	WMIC.exe
Token: SeBackupPrivilege	4692	wbengine.exe
Token: SeRestorePrivilege	4692	wbengine.exe
Token: SeSecurityPrivilege	4692	wbengine.exe
Token: SeShutdownPrivilege	512	explorer.exe
Token: SeCreatePagefilePrivilege	512	explorer.exe
Token: SeShutdownPrivilege	512	explorer.exe
Token: SeCreatePagefilePrivilege	512	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

explorer.exe

pid process

512 explorer.exe
512 explorer.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

explorer.exe

pid process

512 explorer.exe
512 explorer.exe

pid	process
512	explorer.exe
512	explorer.exe

pid	process
512	explorer.exe
512	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

64new_cip8.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1568 wrote to memory of 4200	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 4200	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 4200	1568	64new_cip8.exe	cmd.exe
PID 4200 wrote to memory of 2084	4200	cmd.exe	cmd.exe
PID 4200 wrote to memory of 2084	4200	cmd.exe	cmd.exe
PID 1568 wrote to memory of 3932	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 3932	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 3932	1568	64new_cip8.exe	cmd.exe
PID 3932 wrote to memory of 1528	3932	cmd.exe	cmd.exe
PID 3932 wrote to memory of 1528	3932	cmd.exe	cmd.exe
PID 1528 wrote to memory of 4748	1528	cmd.exe	taskkill.exe
PID 1528 wrote to memory of 4748	1528	cmd.exe	taskkill.exe
PID 1568 wrote to memory of 4724	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 4724	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 4724	1568	64new_cip8.exe	cmd.exe
PID 4724 wrote to memory of 3760	4724	cmd.exe	cmd.exe
PID 4724 wrote to memory of 3760	4724	cmd.exe	cmd.exe
PID 3760 wrote to memory of 4892	3760	cmd.exe	taskkill.exe
PID 3760 wrote to memory of 4892	3760	cmd.exe	taskkill.exe
PID 1568 wrote to memory of 4160	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 4160	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 4160	1568	64new_cip8.exe	cmd.exe
PID 4160 wrote to memory of 1324	4160	cmd.exe	cmd.exe
PID 4160 wrote to memory of 1324	4160	cmd.exe	cmd.exe
PID 1324 wrote to memory of 2044	1324	cmd.exe	taskkill.exe
PID 1324 wrote to memory of 2044	1324	cmd.exe	taskkill.exe
PID 1568 wrote to memory of 664	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 664	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 664	1568	64new_cip8.exe	cmd.exe
PID 664 wrote to memory of 2016	664	cmd.exe	cmd.exe
PID 664 wrote to memory of 2016	664	cmd.exe	cmd.exe
PID 2016 wrote to memory of 604	2016	cmd.exe	taskkill.exe
PID 2016 wrote to memory of 604	2016	cmd.exe	taskkill.exe
PID 1568 wrote to memory of 1644	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 1644	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 1644	1568	64new_cip8.exe	cmd.exe
PID 1644 wrote to memory of 240	1644	cmd.exe	cmd.exe
PID 1644 wrote to memory of 240	1644	cmd.exe	cmd.exe
PID 240 wrote to memory of 220	240	cmd.exe	taskkill.exe
PID 240 wrote to memory of 220	240	cmd.exe	taskkill.exe
PID 1568 wrote to memory of 2644	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 2644	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 2644	1568	64new_cip8.exe	cmd.exe
PID 2644 wrote to memory of 4240	2644	cmd.exe	cmd.exe
PID 2644 wrote to memory of 4240	2644	cmd.exe	cmd.exe
PID 4240 wrote to memory of 4072	4240	cmd.exe	taskkill.exe
PID 4240 wrote to memory of 4072	4240	cmd.exe	taskkill.exe
PID 1568 wrote to memory of 1844	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 1844	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 1844	1568	64new_cip8.exe	cmd.exe
PID 1844 wrote to memory of 3840	1844	cmd.exe	cmd.exe
PID 1844 wrote to memory of 3840	1844	cmd.exe	cmd.exe
PID 3840 wrote to memory of 4460	3840	cmd.exe	taskkill.exe
PID 3840 wrote to memory of 4460	3840	cmd.exe	taskkill.exe
PID 1568 wrote to memory of 2176	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 2176	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 2176	1568	64new_cip8.exe	cmd.exe
PID 2176 wrote to memory of 2156	2176	cmd.exe	cmd.exe
PID 2176 wrote to memory of 2156	2176	cmd.exe	cmd.exe
PID 2156 wrote to memory of 5072	2156	cmd.exe	taskkill.exe
PID 2156 wrote to memory of 5072	2156	cmd.exe	taskkill.exe
PID 1568 wrote to memory of 3440	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 3440	1568	64new_cip8.exe	cmd.exe
PID 1568 wrote to memory of 3440	1568	64new_cip8.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

64new_cip8.exe64new_cip8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip8.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe
"C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
3⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
4⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3760

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlwriter.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
3⤵
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
4⤵
PID:4376

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
3⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
4⤵
PID:1184

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
4⤵
PID:4400

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
3⤵
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
4⤵
PID:2240

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
3⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
4⤵
PID:796

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
3⤵
PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
4⤵
PID:2020

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
3⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
4⤵
PID:4860

C:\Windows\system32\taskkill.exe
taskkill -f -im postgres.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
3⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
4⤵
PID:2440

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
5⤵
PID:4604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
6⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
3⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
4⤵
PID:4932

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
5⤵
PID:4744

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
6⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
3⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
4⤵
PID:4644

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
5⤵
PID:1600

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
6⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
3⤵
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
4⤵
PID:4628

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
5⤵
PID:2080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
6⤵
PID:4952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
3⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
4⤵
PID:2488

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
5⤵
PID:3640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
6⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
3⤵
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
4⤵
PID:224

C:\Windows\system32\net.exe
net stop SQLBrowser
5⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
3⤵
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
4⤵
PID:1676

C:\Windows\system32\net.exe
net stop ReportServer$ISARS
5⤵
PID:1300

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
6⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
3⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
4⤵
PID:3656

C:\Windows\system32\net.exe
net stop SQLWriter
5⤵
PID:1948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
6⤵
PID:512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
4⤵
PID:4032

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
3⤵
PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersions:0 -quiet
4⤵
PID:4744

C:\Windows\system32\wbadmin.exe
wbadmin delete backup -keepVersions:0 -quiet
5⤵
- Deletes system backups
- Drops file in Windows directory
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
4⤵
PID:4684

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
5⤵
- Deletes System State backups
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
3⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
4⤵
PID:3500

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
3⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
3⤵
PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoveryenabled No
4⤵
PID:100

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled No
5⤵
- Modifies boot configuration data using bcdedit
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
4⤵
PID:1148

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:4296

C:\Windows\SysWOW64\cipher.exe
cipher /w:\\?\C:
3⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe
\\?\C:\Users\Admin\AppData\Local\Temp\64new_cip8.exe -network
2⤵
- System policy modification
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:1028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2616 -s 3484
2⤵
- Program crash
PID:1792

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
1⤵
PID:208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 2616 -ip 2616
1⤵
PID:1624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
1⤵
PID:4580

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
2⤵
- Deletes System State backups
PID:3324

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4956

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:4776

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:512