Analysis
max time kernel: 136s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 11:01
Static task: static1
Behavioral task: behavioral1 (sample 64new_cip7.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample 64new_cip7.exe, resource win10v2004-20220812-en)
General
Target: 64new_cip7.exe
Size: 309KB
MD5: 333e965aedff914fb6cb49938097bfd7
SHA1: 27633cf2b66d46639ddd4e45e915d7201d5964ae
SHA256: 67786dd4e0afdd952b6a6161e86b21ca453ba5963f100afef802cc0a734d4625
SHA512: e5a6c286b5e74d926963aa41f2d74a600fb93f2a05b164c1e05424b5090af2496bbea1ffa852728f7c85e13f161b3c2079e58dbfb4a44f804e292c06997b1de7
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0J3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3xaw7c
Malware Config
Extracted from: \??\A:\!-Recovery_Instructions-!.html (ransom note)
Strings recovered from the note (the sandbox kept only the HTML fragments around them):
  Contact address: Mikesupp77@outlook.com
  Messenger link: https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description: PID 1952 created 1324 | pid: 1952 | process: 64new_cip7.exe | target process: Explorer.EXE

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  File renamed: C:\Users\Admin\Pictures\UndoDebug.tiff => C:\Users\Admin\Pictures\UndoDebug.tiff.cipher7 (64new_cip7.exe)
  File renamed: C:\Users\Admin\Pictures\GrantSelect.raw => C:\Users\Admin\Pictures\GrantSelect.raw.cipher7 (64new_cip7.exe)
  File opened for modification: C:\Users\Admin\Pictures\UndoDebug.tiff (64new_cip7.exe)
  File renamed: C:\Users\Admin\Pictures\StopOut.tif => C:\Users\Admin\Pictures\StopOut.tif.cipher7 (64new_cip7.exe)

Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 64new_cip7.exe: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  (every drive letter except C: and D:; the report lists them in the order X, E, I, P, K, M, U, W, A, B, G, O, S, T, V, Y, F, H, N, Z, R, J, L, Q)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  WerFault.exe (PID 1516) handled a crash of PID 1324 (Explorer.EXE)

Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  vssadmin.exe (PID 1572)

Kills process with taskkill (16 IoCs)
  taskkill.exe PIDs: 1724, 1408, 1928, 812, 1508, 1936, 1476, 1124, 2040, 524, 1888, 960, 1156, 1260, 1228, 1240

Runs net.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
  All 60 from PID 1952 (64new_cip7.exe)

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Token SeDebugPrivilege: taskkill.exe PIDs 1888, 812, 1508, 1936, 1724, 960, 1156, 1408, 1476, 1260, 1124, 1228, 1240, 1928, 2040, 524
  Tokens SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege: vssvc.exe PID 1432

Suspicious use of WriteProcessMemory (64 IoCs)
  Rows of the form "PID A wrote to memory of PID B", grouped, with the number of identical rows in parentheses:
  1952 64new_cip7.exe -> 940 cmd.exe (4)
  940 cmd.exe -> 1076 cmd.exe (4)
  1952 64new_cip7.exe -> 1892 cmd.exe (4)
  1892 cmd.exe -> 816 cmd.exe (4)
  816 cmd.exe -> 1888 taskkill.exe (3)
  1952 64new_cip7.exe -> 768 cmd.exe (4)
  768 cmd.exe -> 1044 cmd.exe (4)
  1044 cmd.exe -> 812 taskkill.exe (3)
  1952 64new_cip7.exe -> 1540 cmd.exe (4)
  1540 cmd.exe -> 1492 cmd.exe (4)
  1492 cmd.exe -> 1508 taskkill.exe (3)
  1952 64new_cip7.exe -> 1056 cmd.exe (4)
  1056 cmd.exe -> 1820 cmd.exe (4)
  1820 cmd.exe -> 1936 taskkill.exe (3)
  1952 64new_cip7.exe -> 608 cmd.exe (4)
  608 cmd.exe -> 1496 cmd.exe (4)
  1496 cmd.exe -> 1724 taskkill.exe (3)
  1952 64new_cip7.exe -> 328 cmd.exe (1)

System policy modification (1 TTP, 4 IoCs)
  Recorded once for each of the two 64new_cip7.exe processes:
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"
  With EnableLinkedConnections set to 1, drive mappings created under a user's standard (UAC-filtered) token are also visible to that user's elevated token, so an elevated encryptor can reach mapped network shares that would otherwise be invisible to it.
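For the file-level indicators in the signatures above (the .cipher7 suffix appended to encrypted files, and the !-Recovery_Instructions-!.html note with its contact address), here is a sweep a responder can run over a user profile or a mounted drive root. It is an added example written for this page, not code from the sandbox or the sample: the directory it scans is a constructed fixture, and the note text is reduced to the h2 fragment the sandbox extracted.

```python
"""Host sweep for the file-level indicators in this report: the ".cipher7" suffix appended to
encrypted files and the "!-Recovery_Instructions-!.html" ransom note. Example code written for
this page; the fixture it scans is constructed, not taken from the sandbox."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".cipher7"                 # appended to encrypted files ("Modifies extensions of user files")
NOTE_NAME = "!-Recovery_Instructions-!.html"  # ransom note name extracted by the sandbox
NOTE_CONTACT = "Mikesupp77@outlook.com"       # contact address in the extracted note


def build_sample_tree(root: Path) -> None:
    """Constructed fixture mimicking the victim profile after the run (file contents are dummies)."""
    pics = root / "Users" / "Admin" / "Pictures"
    pics.mkdir(parents=True)
    for name in ("UndoDebug.tiff", "GrantSelect.raw", "StopOut.tif"):   # the three renames the report lists
        (pics / (name + ENCRYPTED_SUFFIX)).write_bytes(os.urandom(64))
    (pics / "Untouched.png").write_bytes(b"\x89PNG\r\n\x1a\n")            # left alone, must not count
    (pics / NOTE_NAME).write_text("<h2>%s</h2>" % NOTE_CONTACT, encoding="utf-8")
    docs = root / "Users" / "Admin" / "Documents"
    docs.mkdir(parents=True)
    (docs / "Report.docx.cipher7.bak").write_bytes(b"x")                  # suffix not final: must not count


def sweep(root: Path) -> dict:
    """Walk the tree once; return encrypted files, their original names, and ransom-note locations."""
    encrypted, notes, notes_with_contact = [], [], 0
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            if fname.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
            elif fname == NOTE_NAME:
                notes.append(path)
                try:
                    text = path.read_text(encoding="utf-8", errors="replace")
                except OSError:
                    continue
                if NOTE_CONTACT.lower() in text.lower():   # ties the note to this sample's contact
                    notes_with_contact += 1
    per_directory = {}
    for path in encrypted:
        key = path.parent.relative_to(root).as_posix()
        per_directory[key] = per_directory.get(key, 0) + 1
    return {
        "encrypted": sorted(p.relative_to(root).as_posix() for p in encrypted),
        "original_names": sorted(p.name[:-len(ENCRYPTED_SUFFIX)] for p in encrypted),  # restore inventory
        "notes": sorted(p.relative_to(root).as_posix() for p in notes),
        "notes_with_contact": notes_with_contact,
        "per_directory": per_directory,
    }


def demo() -> dict:
    """Build the fixture in a temporary directory, sweep it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run sweep() against each mounted drive root rather than only the profile: the sample probed every drive letter except C: and D:, and the extracted note path sits on A:. The original_names list is the inventory to hand to whoever restores from backup.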
Processes
Format: [depth] image path | command line, with the signatures that fired in that process listed beneath it. Every cmd.exe the sample launches directly is the 32-bit C:\Windows\SysWOW64\cmd.exe (the sample runs under WOW64: its "/c pause" child asked for C:\Windows\system32\cmd.exe and was redirected to SysWOW64), and each one re-launches the 64-bit cmd.exe through the %windir%\sysnative alias before running taskkill, net or vssadmin. The three net/net1 entries at depth 1 near the end are the children the tree did not attach to the MSSQL$MSFW and SQLAgent$MSFW branches.

[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe | "C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Modifies extensions of user files
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlbrowser.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlwriter.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im msmdsrv.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im MsDtsSrvr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlceip.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im Ssms.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im SQLAGENT.EXE
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im fdhost.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im ReportingServicesService.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im msftesql.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im pg_ctl.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        [5] C:\Windows\system32\taskkill.exe | taskkill -f -im postgres.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        [5] C:\Windows\system32\net.exe | net stop MSSQLServerADHelper100
          [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQLServerADHelper100
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        [5] C:\Windows\system32\net.exe | net stop MSSQL$ISARS
          [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        [5] C:\Windows\system32\net.exe | net stop MSSQL$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        [5] C:\Windows\system32\net.exe | net stop SQLAgent$ISARS
          [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        [5] C:\Windows\system32\net.exe | net stop SQLBrowser
          [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLBrowser
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        [5] C:\Windows\system32\net.exe | net stop ReportServer$ISARS
          [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ReportServer$ISARS
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        [5] C:\Windows\system32\net.exe | net stop SQLWriter
          [6] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLWriter
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      [4] C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        [5] C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
  [2] C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe | \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe -network
      - System policy modification
    [3] C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c pause
  [2] C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 1324 -s 2688
      - Program crash
[1] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$MSFW
[1] C:\Windows\system32\net.exe | net stop SQLAgent$MSFW
  [2] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$MSFW
[1] C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
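Detection logic for the chain shown in this tree, written as an added example for this page (it is not sandbox output and not the sample's code). It ingests process-creation events in Sysmon event 1 / Security 4688 shape, applies one rule per behaviour visible above (vssadmin Delete Shadows /All, forced taskkill of the database images listed, net stop of the SQL service names listed, and a SysWOW64 cmd.exe re-launching the 64-bit cmd.exe through sysnative), walks each hit up past the cmd/net/taskkill relays to the process that initiated it, and only raises a verdict when several distinct behaviours land under one initiator. The events are constructed from the tree: PIDs 3001-3005 and 4001-4002 are invented, and pairing PIDs 1892/816/1888 with the sqlbrowser.exe command follows the order of the WriteProcessMemory table and is an assumption.

```python
"""Detection logic for the pre-encryption chain in the tree above, run over constructed
process-creation events. Example code written for this page, not sandbox output."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon event 1 / Security 4688 shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str

# Images the sample terminates with "taskkill -f -im" (names taken from the tree above).
DB_PROCESSES = {"sqlbrowser.exe", "sqlwriter.exe", "sqlservr.exe", "msmdsrv.exe", "msdtssrvr.exe",
                "sqlceip.exe", "fdlauncher.exe", "ssms.exe", "sqlagent.exe", "fdhost.exe",
                "reportingservicesservice.exe", "msftesql.exe", "pg_ctl.exe", "postgres.exe"}
# Service-name prefixes the sample passes to "net stop" (also from the tree).
SQL_SERVICE_RE = re.compile(r"^(MSSQL\$|MSSQLServer|SQLAgent\$|SQLBrowser|SQLWriter|ReportServer\$)", re.I)
# Utilities that only relay the action; the ancestor walk skips them to reach the initiating process.
RELAY_IMAGES = {"cmd.exe", "net.exe", "net1.exe", "taskkill.exe", "vssadmin.exe"}

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def rule_shadow_delete(ev: ProcEvent) -> bool:
    """vssadmin Delete Shadows /All removes every VSS snapshot on the host."""
    return (image_name(ev.image) == "vssadmin.exe" and "/all" in ev.cmdline.lower()
            and re.search(r"\bdelete\s+shadows\b", ev.cmdline, re.I) is not None)

def rule_kill_db_process(ev: ProcEvent) -> bool:
    """Forced taskkill of a database image, which releases file locks before encryption."""
    if image_name(ev.image) != "taskkill.exe":
        return False
    target = re.search(r"[-/]im\s+(\S+)", ev.cmdline, re.I)
    forced = re.search(r"(^|\s)[-/]f(\s|$)", ev.cmdline, re.I)
    return bool(target and forced) and target.group(1).lower() in DB_PROCESSES

def rule_net_stop_sql_service(ev: ProcEvent) -> bool:
    """net stop of a SQL Server / Reporting Services service."""
    if image_name(ev.image) not in ("net.exe", "net1.exe"):
        return False
    svc = re.search(r"\bstop\s+(\S+)", ev.cmdline, re.I)
    return svc is not None and SQL_SERVICE_RE.match(svc.group(1)) is not None

def rule_sysnative_relaunch(ev: ProcEvent) -> bool:
    """32-bit (SysWOW64) cmd.exe re-spawning the 64-bit cmd.exe through the sysnative alias."""
    return "\\syswow64\\cmd.exe" in ev.image.lower() and "\\sysnative\\cmd.exe" in ev.cmdline.lower()

RULES = {"shadow_delete": rule_shadow_delete, "kill_db_process": rule_kill_db_process,
         "net_stop_sql_service": rule_net_stop_sql_service, "sysnative_relaunch": rule_sysnative_relaunch}

def initiator(pid: int, by_pid: dict) -> int:
    """Walk parents while the image is a relay utility; the first other ancestor owns the behaviour.
    If the chain leaves the event set (orphaned rows, like the net1 entries in the tree above),
    the unknown parent PID becomes the grouping key."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if image_name(by_pid[pid].image) not in RELAY_IMAGES:
            return pid
        pid = by_pid[pid].ppid
    return pid

def analyze(events) -> dict:
    """Return {initiator_pid: set of rule names that fired beneath it}."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[initiator(ev.pid, by_pid)].add(name)
    return dict(hits)

def verdict(hits: dict, min_behaviours: int = 3) -> dict:
    """One stopped service is admin noise; several distinct behaviours under one initiator is not."""
    return {pid: len(names) >= min_behaviours for pid, names in hits.items()}

# Constructed events modelled on the tree. PIDs 1324, 1952, 1892, 816, 1888 and 1572 are in the report
# (pairing 1892/816/1888 with the sqlbrowser.exe command follows the tree order and is an assumption);
# PIDs 3001-3005 and 4001-4002 are invented for the example.
WOW = r"C:\Windows\SysWOW64\cmd.exe"
SYS = r"C:\Windows\system32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(1324, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1952, 1324, r"C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe"'),
    ProcEvent(1892, 1952, WOW, WOW + r" /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe"),
    ProcEvent(816, 1892, SYS, r"C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe"),
    ProcEvent(1888, 816, r"C:\Windows\system32\taskkill.exe", "taskkill -f -im sqlbrowser.exe"),
    ProcEvent(3001, 1952, WOW, WOW + r" /c %windir%\sysnative\cmd.exe /c net stop SQLWriter"),
    ProcEvent(3002, 3001, SYS, r"C:\Windows\sysnative\cmd.exe /c net stop SQLWriter"),
    ProcEvent(3003, 3002, r"C:\Windows\system32\net.exe", "net stop SQLWriter"),
    ProcEvent(3004, 1952, WOW, WOW + r" /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(3005, 3004, SYS, r"C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"),
    ProcEvent(1572, 3005, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    # Benign control: an administrator stopping one SQL service from a console under Explorer.
    ProcEvent(4001, 1324, SYS, '"' + SYS + '"'),
    ProcEvent(4002, 4001, r"C:\Windows\system32\net.exe", "net stop SQLWriter"),
]
```

On the constructed events, analyze() attributes four distinct behaviours to PID 1952 and one (net stop SQLWriter) to the administrator's console under Explorer, so verdict() flags only 1952. The relay walk is what makes the grouping work: every destructive command here is three processes removed from the sample, and a rule that only looks at the direct parent of taskkill.exe or vssadmin.exe sees nothing but cmd.exe.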
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/328-72-0x0000000000000000-mapping.dmp
memory/432-113-0x0000000000000000-mapping.dmp
memory/524-104-0x0000000000000000-mapping.dmp
memory/528-109-0x0000000000000000-mapping.dmp
memory/532-100-0x0000000000000000-mapping.dmp
memory/608-69-0x0000000000000000-mapping.dmp
memory/768-60-0x0000000000000000-mapping.dmp
memory/804-117-0x0000000000000000-mapping.dmp
memory/812-62-0x0000000000000000-mapping.dmp
memory/816-58-0x0000000000000000-mapping.dmp
memory/920-82-0x0000000000000000-mapping.dmp
memory/940-55-0x0000000000000000-mapping.dmp
memory/960-74-0x0000000000000000-mapping.dmp
memory/984-85-0x0000000000000000-mapping.dmp
memory/1044-61-0x0000000000000000-mapping.dmp
memory/1056-66-0x0000000000000000-mapping.dmp
memory/1076-56-0x0000000000000000-mapping.dmp
memory/1088-112-0x0000000000000000-mapping.dmp
memory/1120-99-0x0000000000000000-mapping.dmp
memory/1124-89-0x0000000000000000-mapping.dmp
memory/1156-77-0x0000000000000000-mapping.dmp
memory/1228-92-0x0000000000000000-mapping.dmp
memory/1240-95-0x0000000000000000-mapping.dmp
memory/1252-78-0x0000000000000000-mapping.dmp
memory/1260-86-0x0000000000000000-mapping.dmp
memory/1312-105-0x0000000000000000-mapping.dmp
memory/1404-91-0x0000000000000000-mapping.dmp
memory/1404-118-0x0000000000000000-mapping.dmp
memory/1408-80-0x0000000000000000-mapping.dmp
memory/1460-97-0x0000000000000000-mapping.dmp
memory/1476-83-0x0000000000000000-mapping.dmp
memory/1492-64-0x0000000000000000-mapping.dmp
memory/1496-70-0x0000000000000000-mapping.dmp
memory/1496-93-0x0000000000000000-mapping.dmp
memory/1508-65-0x0000000000000000-mapping.dmp
memory/1516-84-0x0000000000000000-mapping.dmp
memory/1516-110-0x0000000000000000-mapping.dmp
memory/1540-108-0x0000000000000000-mapping.dmp
memory/1540-63-0x0000000000000000-mapping.dmp
memory/1592-111-0x0000000000000000-mapping.dmp
memory/1600-114-0x0000000000000000-mapping.dmp
memory/1700-88-0x0000000000000000-mapping.dmp
memory/1712-76-0x0000000000000000-mapping.dmp
memory/1724-71-0x0000000000000000-mapping.dmp
memory/1744-75-0x0000000000000000-mapping.dmp
memory/1764-94-0x0000000000000000-mapping.dmp
memory/1768-73-0x0000000000000000-mapping.dmp
memory/1768-96-0x0000000000000000-mapping.dmp
memory/1808-107-0x0000000000000000-mapping.dmp
memory/1820-90-0x0000000000000000-mapping.dmp
memory/1820-67-0x0000000000000000-mapping.dmp
memory/1832-106-0x0000000000000000-mapping.dmp
memory/1844-81-0x0000000000000000-mapping.dmp
memory/1888-59-0x0000000000000000-mapping.dmp
memory/1892-57-0x0000000000000000-mapping.dmp
memory/1904-87-0x0000000000000000-mapping.dmp
memory/1928-98-0x0000000000000000-mapping.dmp
memory/1936-68-0x0000000000000000-mapping.dmp
memory/1936-116-0x0000000000000000-mapping.dmp
memory/1952-54-0x0000000075981000-0x0000000075983000-memory.dmp (filesize 8KB)
memory/1968-115-0x0000000000000000-mapping.dmp
memory/2000-102-0x0000000000000000-mapping.dmp
memory/2004-79-0x0000000000000000-mapping.dmp
memory/2012-103-0x0000000000000000-mapping.dmp
memory/2040-101-0x0000000000000000-mapping.dmp