Resubmissions
29-11-2022 11:01 | 221129-m4pchsce59 | 10

Analysis
Max time kernel: 138s
Max time network: 42s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 29-11-2022 11:01

Static task: static1
Behavioral task: behavioral1
  Sample: 64new_cip9.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 64new_cip9.exe
  Resource: win10v2004-20220812-en

General
Target: 64new_cip9.exe
Size: 309KB
MD5: a2549904086d3b6ff7373d51125e37ca
SHA1: af1831807435e933a74d53331e62c14a338d725a
SHA256: e836ad26b795c877d4c6d921a1dec9a94665c9da0236133c1fca312db6aea6bf
SHA512: 2b64ff78f2b47e14546ca7b1d75a47d0555e93bd2843424b22084eb2a4d070d0cb7c0e1715d859c0848c86ee0afa60efacd9cf08fbfb6ee1ffabc1f8791db785
SSDEEP: 6144:vPLavV9JccWJzcwYuUxhCKrSjZ5pjedRYc4ihyYr+3l0n3WtCyaw7c:v+vV9CZMuUxhC6SjZfjeu++3/aw7c
Malware Config
Extracted from \??\A:\!-Recovery_Instructions-!.html (ransom note):
  Contact e-mail: Mikesupp77@outlook.com
  URL: https://tox.chat/download.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description | pid | process | target process
  PID 1976 created 1400 | 1976 | 64new_cip9.exe | Explorer.EXE

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\ConvertFromWrite.raw => C:\Users\Admin\Pictures\ConvertFromWrite.raw.cipher9 | 64new_cip9.exe
  File renamed | C:\Users\Admin\Pictures\RenameRedo.png => C:\Users\Admin\Pictures\RenameRedo.png.cipher9 | 64new_cip9.exe
  File renamed | C:\Users\Admin\Pictures\SelectUnprotect.raw => C:\Users\Admin\Pictures\SelectUnprotect.raw.cipher9 | 64new_cip9.exe
  File renamed | C:\Users\Admin\Pictures\UnprotectResolve.raw => C:\Users\Admin\Pictures\UnprotectResolve.raw.cipher9 | 64new_cip9.exe
  File renamed | C:\Users\Admin\Pictures\UpdateEdit.crw => C:\Users\Admin\Pictures\UpdateEdit.crw.cipher9 | 64new_cip9.exe
  File opened for modification | C:\Users\Admin\Pictures\ApproveSearch.tiff | 64new_cip9.exe
  File renamed | C:\Users\Admin\Pictures\ApproveSearch.tiff => C:\Users\Admin\Pictures\ApproveSearch.tiff.cipher9 | 64new_cip9.exe
  File renamed | C:\Users\Admin\Pictures\CheckpointOpen.crw => C:\Users\Admin\Pictures\CheckpointOpen.crw.cipher9 | 64new_cip9.exe

Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\I: | 64new_cip9.exe
  File opened (read-only) | \??\M: | 64new_cip9.exe
  File opened (read-only) | \??\N: | 64new_cip9.exe
  File opened (read-only) | \??\P: | 64new_cip9.exe
  File opened (read-only) | \??\X: | 64new_cip9.exe
  File opened (read-only) | \??\G: | 64new_cip9.exe
  File opened (read-only) | \??\H: | 64new_cip9.exe
  File opened (read-only) | \??\J: | 64new_cip9.exe
  File opened (read-only) | \??\K: | 64new_cip9.exe
  File opened (read-only) | \??\Q: | 64new_cip9.exe
  File opened (read-only) | \??\V: | 64new_cip9.exe
  File opened (read-only) | \??\E: | 64new_cip9.exe
  File opened (read-only) | \??\F: | 64new_cip9.exe
  File opened (read-only) | \??\R: | 64new_cip9.exe
  File opened (read-only) | \??\T: | 64new_cip9.exe
  File opened (read-only) | \??\W: | 64new_cip9.exe
  File opened (read-only) | \??\Z: | 64new_cip9.exe
  File opened (read-only) | \??\A: | 64new_cip9.exe
  File opened (read-only) | \??\B: | 64new_cip9.exe
  File opened (read-only) | \??\L: | 64new_cip9.exe
  File opened (read-only) | \??\O: | 64new_cip9.exe
  File opened (read-only) | \??\S: | 64new_cip9.exe
  File opened (read-only) | \??\U: | 64new_cip9.exe
  File opened (read-only) | \??\Y: | 64new_cip9.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  1080 | 1400 | WerFault.exe | Explorer.EXE

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid | process
  1504 | vssadmin.exe

Kills process with taskkill (16 IoCs)
Processes:
  pid | process
  836 | taskkill.exe
  112 | taskkill.exe
  1772 | taskkill.exe
  1216 | taskkill.exe
  1948 | taskkill.exe
  1052 | taskkill.exe
  1916 | taskkill.exe
  1588 | taskkill.exe
  1544 | taskkill.exe
  2004 | taskkill.exe
  840 | taskkill.exe
  1200 | taskkill.exe
  1188 | taskkill.exe
  1180 | taskkill.exe
  2024 | taskkill.exe
  1908 | taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
  pid | process | entries
  1976 | 64new_cip9.exe | 60 (all identical)

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1772 | taskkill.exe
  Token: SeDebugPrivilege | 1544 | taskkill.exe
  Token: SeDebugPrivilege | 1216 | taskkill.exe
  Token: SeDebugPrivilege | 1948 | taskkill.exe
  Token: SeDebugPrivilege | 1188 | taskkill.exe
  Token: SeDebugPrivilege | 836 | taskkill.exe
  Token: SeDebugPrivilege | 1180 | taskkill.exe
  Token: SeDebugPrivilege | 1052 | taskkill.exe
  Token: SeDebugPrivilege | 2004 | taskkill.exe
  Token: SeDebugPrivilege | 112 | taskkill.exe
  Token: SeDebugPrivilege | 1916 | taskkill.exe
  Token: SeDebugPrivilege | 2024 | taskkill.exe
  Token: SeDebugPrivilege | 1908 | taskkill.exe
  Token: SeDebugPrivilege | 840 | taskkill.exe
  Token: SeDebugPrivilege | 1588 | taskkill.exe
  Token: SeDebugPrivilege | 1200 | taskkill.exe
  Token: SeBackupPrivilege | 1496 | vssvc.exe
  Token: SeRestorePrivilege | 1496 | vssvc.exe
  Token: SeAuditPrivilege | 1496 | vssvc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical entries collapsed; the count column gives how many times each appeared):
  description | pid | process | target process | count
  PID 1976 wrote to memory of 1856 | 1976 | 64new_cip9.exe | cmd.exe | 4
  PID 1856 wrote to memory of 1780 | 1856 | cmd.exe | cmd.exe | 4
  PID 1976 wrote to memory of 1088 | 1976 | 64new_cip9.exe | cmd.exe | 4
  PID 1088 wrote to memory of 812 | 1088 | cmd.exe | cmd.exe | 4
  PID 812 wrote to memory of 1772 | 812 | cmd.exe | taskkill.exe | 3
  PID 1976 wrote to memory of 456 | 1976 | 64new_cip9.exe | cmd.exe | 4
  PID 456 wrote to memory of 1868 | 456 | cmd.exe | cmd.exe | 4
  PID 1868 wrote to memory of 1544 | 1868 | cmd.exe | taskkill.exe | 3
  PID 1976 wrote to memory of 436 | 1976 | 64new_cip9.exe | cmd.exe | 4
  PID 436 wrote to memory of 2044 | 436 | cmd.exe | cmd.exe | 4
  PID 2044 wrote to memory of 1216 | 2044 | cmd.exe | taskkill.exe | 3
  PID 1976 wrote to memory of 1676 | 1976 | 64new_cip9.exe | cmd.exe | 4
  PID 1676 wrote to memory of 1980 | 1676 | cmd.exe | cmd.exe | 4
  PID 1980 wrote to memory of 1948 | 1980 | cmd.exe | taskkill.exe | 3
  PID 1976 wrote to memory of 1728 | 1976 | 64new_cip9.exe | cmd.exe | 4
  PID 1728 wrote to memory of 1968 | 1728 | cmd.exe | cmd.exe | 4
  PID 1968 wrote to memory of 1188 | 1968 | cmd.exe | taskkill.exe | 3
  PID 1976 wrote to memory of 1816 | 1976 | 64new_cip9.exe | cmd.exe | 1

System policy modification (1 TTP, 4 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip9.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip9.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 64new_cip9.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 64new_cip9.exe
Processes
(process tree; indentation gives depth; each entry is image | command line, with the signatures that fired on that process listed beneath it)

- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\64new_cip9.exe | "C:\Users\Admin\AppData\Local\Temp\64new_cip9.exe"
    sigs: Suspicious use of NtCreateUserProcessOtherParentProcess; Modifies extensions of user files; Enumerates connected drives; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      sigs: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      sigs: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        sigs: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe | taskkill -f -im sqlbrowser.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
      sigs: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlwriter.exe
        sigs: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe | taskkill -f -im sqlwriter.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      sigs: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        sigs: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      sigs: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        sigs: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe | taskkill -f -im msmdsrv.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      sigs: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        sigs: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\taskkill.exe | taskkill -f -im MsDtsSrvr.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im sqlceip.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im Ssms.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
        - C:\Windows\system32\taskkill.exe | taskkill -f -im SQLAGENT.EXE
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im fdhost.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im fdlauncher.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlservr.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im sqlservr.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im ReportingServicesService.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im msftesql.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im pg_ctl.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im postgres.exe
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c taskkill -f -im postgres.exe
        - C:\Windows\system32\taskkill.exe | taskkill -f -im postgres.exe
          sigs: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
        - C:\Windows\system32\net.exe | net stop MSSQLServerADHelper100
          - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQLServerADHelper100
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
        - C:\Windows\system32\net.exe | net stop MSSQL$ISARS
          - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$ISARS
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
        - C:\Windows\system32\net.exe | net stop MSSQL$MSFW
          - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop MSSQL$MSFW
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
        - C:\Windows\system32\net.exe | net stop SQLAgent$ISARS
          - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$ISARS
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
        - C:\Windows\system32\net.exe | net stop SQLAgent$MSFW
          - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLAgent$MSFW
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
        - C:\Windows\system32\net.exe | net stop SQLBrowser
          - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLBrowser
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop ReportServer$ISARS
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop ReportServer$ISARS
        - C:\Windows\system32\net.exe | net stop ReportServer$ISARS
          - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop ReportServer$ISARS
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
        - C:\Windows\system32\net.exe | net stop SQLWriter
          - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop SQLWriter
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      - C:\Windows\system32\cmd.exe | C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
        - C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet
          sigs: Interacts with shadow copies
  - C:\Users\Admin\AppData\Local\Temp\64new_cip9.exe | \\?\C:\Users\Admin\AppData\Local\Temp\64new_cip9.exe -network
    sigs: System policy modification
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c pause
  - C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 1400 -s 1900
    sigs: Program crash
- C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
  sigs: Suspicious use of AdjustPrivilegeToken
Downloads