67786dd4e0afdd952b6a6161e86b21ca453ba5963f100afef802cc0a734d4625

General

Target

64new_cip7.exe
Size

309KB
MD5

333e965aedff914fb6cb49938097bfd7
SHA1

27633cf2b66d46639ddd4e45e915d7201d5964ae
SHA256

67786dd4e0afdd952b6a6161e86b21ca453ba5963f100afef802cc0a734d4625
SHA512

e5a6c286b5e74d926963aa41f2d74a600fb93f2a05b164c1e05424b5090af2496bbea1ffa852728f7c85e13f161b3c2079e58dbfb4a44f804e292c06997b1de7
SSDEEP

6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0J3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3xaw7c

Score

10^/10

ransomware

Malware Config

Extracted

Path

\??\A:\!-Recovery_Instructions-!.html

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width,initial-scale=1'> <title></title> <style> html, body { background-color: #1a1a1a; } body { padding-top: 1rem !important; font-size: 1.3rem; color: white; } #text h2 { font-size: 2rem; font-weight: 600; line-height: 1.125; } .container { max-width: 1152px; flex-grow: 1; margin: 0 auto; position: relative; width: auto; } .box { background-color: #242424; display: block; padding: 1.25rem; border: 1px solid #303030; } a { color: #00b4d8; text-decoration: none; } a:hover { text-decoration: underline; } li { margin-bottom: 10px; } </style> </head> <body> <div class='container'> <div class='box'> <div id='text'> <h2>If you get this message, your network was hacked!</h2> <p>After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.</p> <p>That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.</p> <p>We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.</p> <p>Make sure to act within <span style='color:#f4a261;'>72</span> hours or the negotiations will be considered failed!</p> <p>Inform your superior management about what's going on.</p> <p> Contact us for pricing and decryption software.</p> <p> Contact us by email:<p> <h2>Mikesupp77@outlook.com</h2> </p>If you do not receive a response within 24 hours, please contact us at our additional contacts:</p> <p> 1) Download for TOX CHAT https://tox.chat/download.html</p> <p> 2) Open chat<p> <p>Add ID Chat: </p><h2>3C9D49B928FDC3C15F0314217623A71B865909B308576B4B0D10AEA62C98677B4A3F160D5C93</h2> <p>If we did not answer you, leave the chat enabled, the operator will contact you!<p> </p>To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.</p> </p>Attach file to the letter (no more than 5Mb).</p> <h2>If you and us succeed the negotiations we will grant you:</h2> <ul> <li>complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.</li> <li>comprehensive information about vulnerabilities of your network and security report.</li> <li>software and instructions to decrypt all the data that was encrypted.</li> <li>all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.</li> </ul> <h2>Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:</h2> <ul> <li>inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.</li> <li>inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.</li> <li>start DDOS attack on you website and infrastructures.</li> <li>personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.</li> <li>publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.</li> </ul> <h2>Why pay us?</h2> <p>We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.</p> <p>Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.</p> <h2>Your personal ID</p> Your ID: ad/aZHzouHs3w9DrAkSyAiG/beiATTjYbEoRmT0xgjm47nL2s7hgG0m2GddyBzRrPZ7C8ga9YaxzF98owAUuY3dNwaRlHbaPAFkH6VfxfIqQ7bc5wLhNc4urvwWV0oPFk6KwMTm8kLq25SOXBoUdaeP5Gn63WZshDOyDfJzgkuTZI7/oY+9PcXdQzt2OSklbDq8XxTpIl+QHpuTSq2Kzfl4IJWbcBCaAAfjq06WRblXzIhGNS4iDRfKa7bq0S9ii3EWwzNicIlvgRtTrSiCQGB0TR+VNLigPWSz8dnmsaNTmd28rz28H2PBaKLas9hQEsRbhZxUvT2lsN02BCwEqtwfwUCgvtugk6TSrPWELJk5R5U6YgvypP67fmABmQAuAIGiVPms1ojo0tQqMouZOI67k4gSiSwR4xuXwWBml4V80uO75JOShG9gfrZPGiJy5M8RtUZ1PgRYpgCS++woVh+7BanSPIxobQj0SRcan9LrQ5WTVZyRo5sjLBfiai5bcQzGJ9tGCQNDzkjKpcZibpimwVoUuvVCshs40IjFjrrpi62lX3dFsfjNXZurbbh1sAWd5S5oyfno8fQB/TSnnlJq6/Qa+3bDPHqyWurcnJeEenArhvWOnWaUPOCC1qV7sCnZ7LEOyNp2CCiEXCg0nKQ7I+Eq382oRpg1TWBRPmmOpVCQAGxuTjCwIk2MmqeanosCg3PKRr1ms23K6oqDhTavhMxPBs2nU3k30WxowCqkgbPpIVXc6XVUP+RfIMlYGrtohG9XDYerX7IibvbX9G4wPSucNqHo9tZRf2oIEHIkCSvVVngHG/Tz9/qDQVzXjUt/EBazx/1zTWppC3PP+piacF9Ub0d1GRDuvTeI0BLsuwZYTWfNmUKS31iOBM3+1s+h7To6cZ5FokfnYPCtBNbcB06fTlaxuDu2tTR6jkLhawxXBrNzDFD2LfvDMLa2WAfFf168oIBQs/+QSzdSVzL/p3qKgzCldPb6rXPUuSIvcwdmxJHZ+PJ6Pvz+RphMH9VAIstjcQ65SoilzS7IwmSK7nVTYSophHNUpSM30BrUsDWiPpkdPJU/R/Q/Y/LAGHYgheYKB9y7dWE+b0zbmj0DzaReyGDqgtQ5MeAd+Q/6wMtFTy1sslRdAbYW4AyRs8KwQqcBlmCqJlFp9gIS1uCsvwZDeRT8SVBYRHfGCJunKaJRHR+0BJ4siia9TZRNPcxYdLtg11OoPuZxrk3QFHbGu9+KzHNF70SJx0ppAnnrzUa+stdEyqr24HDr4h950SlKa8S4qDovEuiofS4Vi7l8MO39TE3lZITs4yN2bGK8Lx3tn5ekRlWInbn/sEHoYr5Rz5bYBzn7OvHFI6VutmJ3SdBRELQUREUlz9SJbDUzUQmnuX25JWJxr1ZNybqzhF+02IJXUsW99wjKBuRCYW10/22UU+6WmezwXOKy72J4oMXO7qiw4qTNcMw+rFHRfwvEBUQMg9QZwunpq4xgM9AljvG8zgxEctYS/5q+Yshmcu8IwjUXC26b/sGhJmpChSinFl/B/4mxkqId+qbFbtHXkUy13MPHFwtY33xvpTtfigEQ+RDQpEYsjGROT8Td7i/+8IrHIfJYbyOcGtkShSs/rzxlTcDpe/BYOn4tuenBKXxg5QSiUPpMerJ6UYmPBC2/mkJBmVfNVxPh5z3qxJ+wnjV3i5Q7zHB4io2Vvvd4=

Emails

<h2>Mikesupp77@outlook.com</h2>

URLs

https://tox.chat/download.html</p>

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

64new_cip7.exe

description pid process target process

PID 5116 created 3092 5116 64new_cip7.exe Explorer.EXE

description	pid	process	target process
PID 5116 created 3092	5116	64new_cip7.exe	Explorer.EXE

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

64new_cip7.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\OpenApprove.tiff	64new_cip7.exe
File opened for modification	C:\Users\Admin\Pictures\ResetMount.tiff	64new_cip7.exe
File renamed	C:\Users\Admin\Pictures\ResetMount.tiff => C:\Users\Admin\Pictures\ResetMount.tiff.cipher7	64new_cip7.exe
File renamed	C:\Users\Admin\Pictures\WriteRemove.raw => C:\Users\Admin\Pictures\WriteRemove.raw.cipher7	64new_cip7.exe
File renamed	C:\Users\Admin\Pictures\MeasureUnlock.raw => C:\Users\Admin\Pictures\MeasureUnlock.raw.cipher7	64new_cip7.exe
File renamed	C:\Users\Admin\Pictures\OpenApprove.tiff => C:\Users\Admin\Pictures\OpenApprove.tiff.cipher7	64new_cip7.exe
File renamed	C:\Users\Admin\Pictures\OpenRestore.crw => C:\Users\Admin\Pictures\OpenRestore.crw.cipher7	64new_cip7.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveWrite.tiff	64new_cip7.exe
File renamed	C:\Users\Admin\Pictures\ReceiveWrite.tiff => C:\Users\Admin\Pictures\ReceiveWrite.tiff.cipher7	64new_cip7.exe
File renamed	C:\Users\Admin\Pictures\LimitRemove.crw => C:\Users\Admin\Pictures\LimitRemove.crw.cipher7	64new_cip7.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

64new_cip7.exe

description	ioc	process
File opened (read-only)	\??\E:	64new_cip7.exe
File opened (read-only)	\??\F:	64new_cip7.exe
File opened (read-only)	\??\O:	64new_cip7.exe
File opened (read-only)	\??\P:	64new_cip7.exe
File opened (read-only)	\??\Q:	64new_cip7.exe
File opened (read-only)	\??\T:	64new_cip7.exe
File opened (read-only)	\??\V:	64new_cip7.exe
File opened (read-only)	\??\A:	64new_cip7.exe
File opened (read-only)	\??\H:	64new_cip7.exe
File opened (read-only)	\??\I:	64new_cip7.exe
File opened (read-only)	\??\K:	64new_cip7.exe
File opened (read-only)	\??\M:	64new_cip7.exe
File opened (read-only)	\??\R:	64new_cip7.exe
File opened (read-only)	\??\W:	64new_cip7.exe
File opened (read-only)	\??\X:	64new_cip7.exe
File opened (read-only)	\??\G:	64new_cip7.exe
File opened (read-only)	\??\Z:	64new_cip7.exe
File opened (read-only)	\??\N:	64new_cip7.exe
File opened (read-only)	\??\Y:	64new_cip7.exe
File opened (read-only)	\??\J:	64new_cip7.exe
File opened (read-only)	\??\L:	64new_cip7.exe
File opened (read-only)	\??\S:	64new_cip7.exe
File opened (read-only)	\??\U:	64new_cip7.exe
File opened (read-only)	\??\B:	64new_cip7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

568 3092 WerFault.exe Explorer.EXE
3308 3092 WerFault.exe Explorer.EXE
5036 3652 WerFault.exe
1340 3652 WerFault.exe

pid	pid_target	process	target process
568	3092	WerFault.exe	Explorer.EXE
3308	3092	WerFault.exe	Explorer.EXE
5036	3652	WerFault.exe
1340	3652	WerFault.exe

Kills process with taskkill 16 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3632	taskkill.exe
3676	taskkill.exe
768	taskkill.exe
4376	taskkill.exe
2340	taskkill.exe
4496	taskkill.exe
5068	taskkill.exe
5036	taskkill.exe
116	taskkill.exe
5024	taskkill.exe
4192	taskkill.exe
1640	taskkill.exe
4152	taskkill.exe
2308	taskkill.exe
1448	taskkill.exe
1456	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

64new_cip7.exe

pid	process
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe
5116	64new_cip7.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	116	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	2340	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	1456	taskkill.exe
Token: SeDebugPrivilege	3676	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

64new_cip7.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5116 wrote to memory of 2256	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 2256	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 2256	5116	64new_cip7.exe	cmd.exe
PID 2256 wrote to memory of 4564	2256	cmd.exe	cmd.exe
PID 2256 wrote to memory of 4564	2256	cmd.exe	cmd.exe
PID 5116 wrote to memory of 5044	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 5044	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 5044	5116	64new_cip7.exe	cmd.exe
PID 5044 wrote to memory of 5004	5044	cmd.exe	cmd.exe
PID 5044 wrote to memory of 5004	5044	cmd.exe	cmd.exe
PID 5004 wrote to memory of 4192	5004	cmd.exe	taskkill.exe
PID 5004 wrote to memory of 4192	5004	cmd.exe	taskkill.exe
PID 5116 wrote to memory of 1288	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 1288	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 1288	5116	64new_cip7.exe	cmd.exe
PID 1288 wrote to memory of 3428	1288	cmd.exe	cmd.exe
PID 1288 wrote to memory of 3428	1288	cmd.exe	cmd.exe
PID 3428 wrote to memory of 1640	3428	cmd.exe	taskkill.exe
PID 3428 wrote to memory of 1640	3428	cmd.exe	taskkill.exe
PID 5116 wrote to memory of 2356	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 2356	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 2356	5116	64new_cip7.exe	cmd.exe
PID 2356 wrote to memory of 1748	2356	cmd.exe	cmd.exe
PID 2356 wrote to memory of 1748	2356	cmd.exe	cmd.exe
PID 1748 wrote to memory of 768	1748	cmd.exe	taskkill.exe
PID 1748 wrote to memory of 768	1748	cmd.exe	taskkill.exe
PID 5116 wrote to memory of 996	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 996	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 996	5116	64new_cip7.exe	cmd.exe
PID 996 wrote to memory of 220	996	cmd.exe	cmd.exe
PID 996 wrote to memory of 220	996	cmd.exe	cmd.exe
PID 220 wrote to memory of 116	220	cmd.exe	taskkill.exe
PID 220 wrote to memory of 116	220	cmd.exe	taskkill.exe
PID 5116 wrote to memory of 2144	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 2144	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 2144	5116	64new_cip7.exe	cmd.exe
PID 2144 wrote to memory of 3168	2144	cmd.exe	cmd.exe
PID 2144 wrote to memory of 3168	2144	cmd.exe	cmd.exe
PID 3168 wrote to memory of 4152	3168	cmd.exe	taskkill.exe
PID 3168 wrote to memory of 4152	3168	cmd.exe	taskkill.exe
PID 5116 wrote to memory of 3004	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 3004	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 3004	5116	64new_cip7.exe	cmd.exe
PID 3004 wrote to memory of 3808	3004	cmd.exe	cmd.exe
PID 3004 wrote to memory of 3808	3004	cmd.exe	cmd.exe
PID 3808 wrote to memory of 2308	3808	cmd.exe	taskkill.exe
PID 3808 wrote to memory of 2308	3808	cmd.exe	taskkill.exe
PID 5116 wrote to memory of 4612	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 4612	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 4612	5116	64new_cip7.exe	cmd.exe
PID 4612 wrote to memory of 4372	4612	cmd.exe	cmd.exe
PID 4612 wrote to memory of 4372	4612	cmd.exe	cmd.exe
PID 4372 wrote to memory of 4376	4372	cmd.exe	taskkill.exe
PID 4372 wrote to memory of 4376	4372	cmd.exe	taskkill.exe
PID 5116 wrote to memory of 372	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 372	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 372	5116	64new_cip7.exe	cmd.exe
PID 372 wrote to memory of 964	372	cmd.exe	cmd.exe
PID 372 wrote to memory of 964	372	cmd.exe	cmd.exe
PID 964 wrote to memory of 5024	964	cmd.exe	taskkill.exe
PID 964 wrote to memory of 5024	964	cmd.exe	taskkill.exe
PID 5116 wrote to memory of 2488	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 2488	5116	64new_cip7.exe	cmd.exe
PID 5116 wrote to memory of 2488	5116	64new_cip7.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

64new_cip7.exe64new_cip7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	64new_cip7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	64new_cip7.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe
"C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies extensions of user files
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
3⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
4⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlwriter.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
3⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
4⤵
PID:4480

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
3⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
4⤵
PID:4452

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
PID:4180

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
3⤵
PID:1276

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
4⤵
PID:4148

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlservr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
3⤵
PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
4⤵
PID:4492

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
3⤵
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
4⤵
PID:3520

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
3⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
4⤵
PID:2228

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
3⤵
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
4⤵
PID:3992

C:\Windows\system32\taskkill.exe
taskkill -f -im postgres.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
3⤵
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
4⤵
PID:1260

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
5⤵
PID:4932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
6⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
3⤵
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
4⤵
PID:4380

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
5⤵
PID:1272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
6⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
3⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
4⤵
PID:648

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
5⤵
PID:1104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
6⤵
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
3⤵
PID:892

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
4⤵
PID:220

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
5⤵
PID:116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
6⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
3⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
4⤵
PID:3664

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
5⤵
PID:4292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
6⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
3⤵
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
4⤵
PID:4316

C:\Windows\system32\net.exe
net stop SQLBrowser
5⤵
PID:4416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
6⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
3⤵
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
4⤵
PID:3816

C:\Windows\system32\net.exe
net stop ReportServer$ISARS
5⤵
PID:2064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop ReportServer$ISARS
6⤵
PID:4200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
3⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
4⤵
PID:4784

C:\Windows\system32\net.exe
net stop SQLWriter
5⤵
PID:964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
6⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe
\\?\C:\Users\Admin\AppData\Local\Temp\64new_cip7.exe -network
2⤵
- System policy modification
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:4516

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3092 -s 1324
2⤵
- Program crash
PID:568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3092 -s 1324
2⤵
- Program crash
PID:3308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3652 -ip 3652
1⤵
PID:3568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3092 -ip 3092
1⤵
PID:4264

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3652 -s 4740
1⤵
- Program crash
PID:5036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3652 -s 4740
1⤵
- Program crash
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/116-195-0x0000000000000000-mapping.dmp

Download
memory/116-145-0x0000000000000000-mapping.dmp

Download
memory/220-194-0x0000000000000000-mapping.dmp

Download
memory/220-144-0x0000000000000000-mapping.dmp

Download
memory/372-155-0x0000000000000000-mapping.dmp

Download
memory/384-161-0x0000000000000000-mapping.dmp

Download
memory/636-184-0x0000000000000000-mapping.dmp

Download
memory/648-190-0x0000000000000000-mapping.dmp

Download
memory/768-142-0x0000000000000000-mapping.dmp

Download
memory/892-193-0x0000000000000000-mapping.dmp

Download
memory/964-156-0x0000000000000000-mapping.dmp

Download
memory/996-143-0x0000000000000000-mapping.dmp

Download
memory/1104-191-0x0000000000000000-mapping.dmp

Download
memory/1256-192-0x0000000000000000-mapping.dmp

Download
memory/1260-182-0x0000000000000000-mapping.dmp

Download
memory/1272-187-0x0000000000000000-mapping.dmp

Download
memory/1276-167-0x0000000000000000-mapping.dmp

Download
memory/1288-137-0x0000000000000000-mapping.dmp

Download
memory/1448-169-0x0000000000000000-mapping.dmp

Download
memory/1456-172-0x0000000000000000-mapping.dmp

Download
memory/1640-139-0x0000000000000000-mapping.dmp

Download
memory/1740-189-0x0000000000000000-mapping.dmp

Download
memory/1748-141-0x0000000000000000-mapping.dmp

Download
memory/2144-146-0x0000000000000000-mapping.dmp

Download
memory/2228-177-0x0000000000000000-mapping.dmp

Download
memory/2256-132-0x0000000000000000-mapping.dmp

Download
memory/2308-151-0x0000000000000000-mapping.dmp

Download
memory/2340-160-0x0000000000000000-mapping.dmp

Download
memory/2356-140-0x0000000000000000-mapping.dmp

Download
memory/2488-158-0x0000000000000000-mapping.dmp

Download
memory/3004-149-0x0000000000000000-mapping.dmp

Download
memory/3168-147-0x0000000000000000-mapping.dmp

Download
memory/3188-173-0x0000000000000000-mapping.dmp

Download
memory/3428-138-0x0000000000000000-mapping.dmp

Download
memory/3520-174-0x0000000000000000-mapping.dmp

Download
memory/3584-188-0x0000000000000000-mapping.dmp

Download
memory/3632-163-0x0000000000000000-mapping.dmp

Download
memory/3676-175-0x0000000000000000-mapping.dmp

Download
memory/3776-164-0x0000000000000000-mapping.dmp

Download
memory/3808-150-0x0000000000000000-mapping.dmp

Download
memory/4036-179-0x0000000000000000-mapping.dmp

Download
memory/4148-168-0x0000000000000000-mapping.dmp

Download
memory/4152-148-0x0000000000000000-mapping.dmp

Download
memory/4168-170-0x0000000000000000-mapping.dmp

Download
memory/4180-165-0x0000000000000000-mapping.dmp

Download
memory/4192-136-0x0000000000000000-mapping.dmp

Download
memory/4264-176-0x0000000000000000-mapping.dmp

Download
memory/4372-153-0x0000000000000000-mapping.dmp

Download
memory/4376-154-0x0000000000000000-mapping.dmp

Download
memory/4380-186-0x0000000000000000-mapping.dmp

Download
memory/4392-181-0x0000000000000000-mapping.dmp

Download
memory/4452-162-0x0000000000000000-mapping.dmp

Download
memory/4480-159-0x0000000000000000-mapping.dmp

Download
memory/4492-171-0x0000000000000000-mapping.dmp

Download
memory/4496-166-0x0000000000000000-mapping.dmp

Download
memory/4564-133-0x0000000000000000-mapping.dmp

Download
memory/4612-152-0x0000000000000000-mapping.dmp

Download
memory/4932-183-0x0000000000000000-mapping.dmp

Download
memory/5004-135-0x0000000000000000-mapping.dmp

Download
memory/5024-157-0x0000000000000000-mapping.dmp

Download
memory/5036-180-0x0000000000000000-mapping.dmp

Download
memory/5044-185-0x0000000000000000-mapping.dmp

Download
memory/5044-134-0x0000000000000000-mapping.dmp

Download
memory/5068-178-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads