3d106d9e8d65c6f681f07ad74f99cf196eb4d9553eebab2d7448ffe65ac15d36

General

Target

tmp.exe
Size

8KB
MD5

9ce72ed428e9196e4e47d6977dd91646
SHA1

b52204e0f6b40129d3ed22da0f4f9e230ef04362
SHA256

3d106d9e8d65c6f681f07ad74f99cf196eb4d9553eebab2d7448ffe65ac15d36
SHA512

663a2cae6ddb9e92d76ee664fe960915da177b74c2b1d06ea66370626bee52467c99f7d071d331d0bb4b988f46cd67ab413923246d403a6112918c96f8fb8096
SSDEEP

192:oAU3/5oNY99v2YuYsjPKmWBWQShNWdhLdW7:+Rr9t2Y6PKmKOWPdW

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\FILE RECOVERY.txt

Ransom Note

Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: 5379353FA667B8215E70570C 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. �

Emails

mallox.resurrection@onionmail.org

URLs

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin

http://wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
File opened (read-only)	\??\G:	RegAsm.exe
File opened (read-only)	\??\N:	RegAsm.exe
File opened (read-only)	\??\O:	RegAsm.exe
File opened (read-only)	\??\Z:	RegAsm.exe
File opened (read-only)	\??\B:	RegAsm.exe
File opened (read-only)	\??\I:	RegAsm.exe
File opened (read-only)	\??\Q:	RegAsm.exe
File opened (read-only)	\??\S:	RegAsm.exe
File opened (read-only)	\??\U:	RegAsm.exe
File opened (read-only)	\??\V:	RegAsm.exe
File opened (read-only)	\??\Y:	RegAsm.exe
File opened (read-only)	\??\E:	RegAsm.exe
File opened (read-only)	\??\K:	RegAsm.exe
File opened (read-only)	\??\M:	RegAsm.exe
File opened (read-only)	\??\T:	RegAsm.exe
File opened (read-only)	\??\X:	RegAsm.exe
File opened (read-only)	\??\H:	RegAsm.exe
File opened (read-only)	\??\F:	RegAsm.exe
File opened (read-only)	\??\J:	RegAsm.exe
File opened (read-only)	\??\L:	RegAsm.exe
File opened (read-only)	\??\P:	RegAsm.exe
File opened (read-only)	\??\R:	RegAsm.exe
File opened (read-only)	\??\W:	RegAsm.exe
File opened (read-only)	\??\A:	RegAsm.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 4088 set thread context of 2696 4088 tmp.exe RegAsm.exe

flow	ioc
8	api.ipify.org

description	pid	process	target process
PID 4088 set thread context of 2696	4088	tmp.exe	RegAsm.exe

Drops file in Program Files directory 64 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare.HxS	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png	RegAsm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1113_20x20x32.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymxl.ttf	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\FILE RECOVERY.txt	RegAsm.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ar-ae\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-80_altform-unplated_contrast-white.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main-selector.css	RegAsm.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar	RegAsm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELM	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-150.png	RegAsm.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Images\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsLargeTile.scale-100.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-64_altform-unplated.png	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js	RegAsm.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\FILE RECOVERY.txt	RegAsm.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-sl\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-100.png	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-ma\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailLargeTile.scale-125.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\MedTile.scale-100.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\11.rsrc	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_tw_135x40.svg	RegAsm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar	RegAsm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png	RegAsm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-white_scale-125.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_contrast-black.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-16_altform-unplated_contrast-white.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-30.png	RegAsm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	RegAsm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms	RegAsm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-40_altform-unplated.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2c6c9842.pri	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\da-dk\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar	RegAsm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\vlc.mo	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-125.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlInnerCircleHover.png	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\ui-strings.js	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Cyrl-BA.pak	RegAsm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-32_altform-unplated_contrast-black.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-lightunplated.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-125.png	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-150.png	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureUI.xaml	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-20_altform-unplated_contrast-high.png	RegAsm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\FILE RECOVERY.txt	RegAsm.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\FILE RECOVERY.txt	RegAsm.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\jfxrt.jar	RegAsm.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-16_altform-unplated.png	RegAsm.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2212 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1120 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegAsm.exe

pid process

2696 RegAsm.exe
2696 RegAsm.exe

pid	process
2212	sc.exe

pid	process
1120	vssadmin.exe

pid	process
2696	RegAsm.exe
2696	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tmp.exeRegAsm.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4088	tmp.exe
Token: SeTakeOwnershipPrivilege	2696	RegAsm.exe
Token: SeDebugPrivilege	2696	RegAsm.exe
Token: SeBackupPrivilege	2252	vssvc.exe
Token: SeRestorePrivilege	2252	vssvc.exe
Token: SeAuditPrivilege	2252	vssvc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

tmp.exeRegAsm.execmd.exe

description	pid	process	target process
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 4088 wrote to memory of 2696	4088	tmp.exe	RegAsm.exe
PID 2696 wrote to memory of 1120	2696	RegAsm.exe	vssadmin.exe
PID 2696 wrote to memory of 1120	2696	RegAsm.exe	vssadmin.exe
PID 2696 wrote to memory of 2300	2696	RegAsm.exe	cmd.exe
PID 2696 wrote to memory of 2300	2696	RegAsm.exe	cmd.exe
PID 2696 wrote to memory of 2300	2696	RegAsm.exe	cmd.exe
PID 2696 wrote to memory of 2284	2696	RegAsm.exe	cmd.exe
PID 2696 wrote to memory of 2284	2696	RegAsm.exe	cmd.exe
PID 2696 wrote to memory of 2284	2696	RegAsm.exe	cmd.exe
PID 2696 wrote to memory of 3384	2696	RegAsm.exe	cmd.exe
PID 2696 wrote to memory of 3384	2696	RegAsm.exe	cmd.exe
PID 2696 wrote to memory of 3384	2696	RegAsm.exe	cmd.exe
PID 2284 wrote to memory of 2212	2284	cmd.exe	sc.exe
PID 2284 wrote to memory of 2212	2284	cmd.exe	sc.exe
PID 2284 wrote to memory of 2212	2284	cmd.exe	sc.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

RegAsm.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" RegAsm.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2696

C:\Windows\system32\vssadmin.exe
"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\sc.exe
sc delete "MSSQLFDLauncher"
4⤵
- Launches sc.exe
PID:2212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
3⤵
PID:3384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Impair Defenses

1

T1562

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-139-0x0000000000000000-mapping.dmp

Download
memory/2212-144-0x0000000000000000-mapping.dmp

Download
memory/2284-141-0x0000000000000000-mapping.dmp

Download
memory/2300-140-0x0000000000000000-mapping.dmp

Download
memory/2696-135-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2696-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2696-136-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2696-134-0x0000000000000000-mapping.dmp

Download
memory/2696-143-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2696-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3384-142-0x0000000000000000-mapping.dmp

Download
memory/4088-132-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/4088-133-0x0000000005C80000-0x0000000005CA2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads