Resubmissions
14-10-2023 09:40
231014-lnbaaabg5w 10Analysis
-
max time kernel
202s -
max time network
220s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2023 09:40
Behavioral task
behavioral1
Sample
NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
Resource
win10v2004-20230915-en
General
-
Target
NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
-
Size
340KB
-
MD5
714870c33ba84e744b84b32e6e114ed9
-
SHA1
840f442d4466713becdf72b88846871330ac38e7
-
SHA256
51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
-
SHA512
270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2
-
SSDEEP
6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE
Malware Config
Extracted
C:\Program Files\7-Zip\HOW_TO_BACK_FILES.html
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 1776 created 3212 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 55 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 1796 bcdedit.exe 2388 bcdedit.exe -
Renames multiple (493) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 5000 wbadmin.exe -
pid Process 1300 wbadmin.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\"" NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\"" NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\L: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\V: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\A: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\K: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\Q: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\R: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\S: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\U: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\Z: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\G: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\B: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\H: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\N: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\T: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\X: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\Y: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\F: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\I: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\M: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\O: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\P: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\W: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\E: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\management-agent.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\microsoft shared\TextConv\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\ij NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\7-Zip\Lang\nb.txt NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\microsoft shared\ink\ro-RO\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\microsoft shared\ink\pl-PL\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\microsoft shared\ink\zh-TW\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Google\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Internet Explorer\ja-JP\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\System\Ole DB\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\System\Ole DB\ja-JP\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\accessibility.properties NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\microsoft shared\ink\hu-HU\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\System\fr-FR\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\7-Zip\Lang\sl.txt NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\7-Zip\Lang\eo.txt NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2664 vssadmin.exe -
Kills process with taskkill 14 IoCs
pid Process 4692 taskkill.exe 2784 taskkill.exe 2928 taskkill.exe 4716 taskkill.exe 5068 taskkill.exe 948 taskkill.exe 4280 taskkill.exe 2716 taskkill.exe 3752 taskkill.exe 3832 taskkill.exe 1492 taskkill.exe 3820 taskkill.exe 4520 taskkill.exe 5116 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid Process 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Suspicious use of AdjustPrivilegeToken 36 IoCs
description pid Process Token: SeDebugPrivilege 5068 taskkill.exe Token: SeDebugPrivilege 3752 taskkill.exe Token: SeDebugPrivilege 3832 taskkill.exe Token: SeDebugPrivilege 4692 taskkill.exe Token: SeDebugPrivilege 2716 taskkill.exe Token: SeDebugPrivilege 2784 taskkill.exe Token: SeDebugPrivilege 2928 taskkill.exe Token: SeDebugPrivilege 1492 taskkill.exe Token: SeDebugPrivilege 3820 taskkill.exe Token: SeDebugPrivilege 4716 taskkill.exe Token: SeDebugPrivilege 4520 taskkill.exe Token: SeDebugPrivilege 948 taskkill.exe Token: SeIncreaseQuotaPrivilege 3696 WMIC.exe Token: SeSecurityPrivilege 3696 WMIC.exe Token: SeTakeOwnershipPrivilege 3696 WMIC.exe Token: SeLoadDriverPrivilege 3696 WMIC.exe Token: SeSystemProfilePrivilege 3696 WMIC.exe Token: SeSystemtimePrivilege 3696 WMIC.exe Token: SeProfSingleProcessPrivilege 3696 WMIC.exe Token: SeIncBasePriorityPrivilege 3696 WMIC.exe Token: SeCreatePagefilePrivilege 3696 WMIC.exe Token: SeBackupPrivilege 3696 WMIC.exe Token: SeRestorePrivilege 3696 WMIC.exe Token: SeShutdownPrivilege 3696 WMIC.exe Token: SeDebugPrivilege 3696 WMIC.exe Token: SeSystemEnvironmentPrivilege 3696 WMIC.exe Token: SeRemoteShutdownPrivilege 3696 WMIC.exe Token: SeUndockPrivilege 3696 WMIC.exe Token: SeManageVolumePrivilege 3696 WMIC.exe Token: 33 3696 WMIC.exe Token: 34 3696 WMIC.exe Token: 35 3696 WMIC.exe Token: 36 3696 WMIC.exe Token: SeBackupPrivilege 3580 vssvc.exe Token: SeRestorePrivilege 3580 vssvc.exe Token: SeAuditPrivilege 3580 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1776 wrote to memory of 4980 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 88 PID 1776 wrote to memory of 4980 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 88 PID 1776 wrote to memory of 4980 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 88 PID 4980 wrote to memory of 2652 4980 cmd.exe 90 PID 4980 wrote to memory of 2652 4980 cmd.exe 90 PID 1776 wrote to memory of 2984 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 91 PID 1776 wrote to memory of 2984 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 91 PID 1776 wrote to memory of 2984 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 91 PID 2984 wrote to memory of 2592 2984 cmd.exe 93 PID 2984 wrote to memory of 2592 2984 cmd.exe 93 PID 2592 wrote to memory of 5068 2592 cmd.exe 94 PID 2592 wrote to memory of 5068 2592 cmd.exe 94 PID 1776 wrote to memory of 4304 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 95 PID 1776 wrote to memory of 4304 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 95 PID 1776 wrote to memory of 4304 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 95 PID 4304 wrote to memory of 3928 4304 cmd.exe 97 PID 4304 wrote to memory of 3928 4304 cmd.exe 97 PID 3928 wrote to memory of 5116 3928 cmd.exe 98 PID 3928 wrote to memory of 5116 3928 cmd.exe 98 PID 1776 wrote to memory of 2692 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 99 PID 1776 wrote to memory of 2692 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 99 PID 1776 wrote to memory of 2692 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 99 PID 2692 wrote to memory of 2360 2692 cmd.exe 101 PID 2692 wrote to memory of 2360 2692 cmd.exe 101 PID 2360 wrote to memory of 3752 2360 cmd.exe 102 PID 2360 wrote to memory of 3752 2360 cmd.exe 102 PID 1776 wrote to memory of 2564 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 103 PID 1776 wrote to memory of 2564 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 103 PID 1776 wrote to memory of 2564 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 103 PID 2564 wrote to memory of 4744 2564 cmd.exe 105 PID 2564 wrote to memory of 4744 2564 cmd.exe 105 PID 4744 wrote to memory of 3832 4744 cmd.exe 106 PID 4744 wrote to memory of 3832 4744 cmd.exe 106 PID 1776 wrote to memory of 1612 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 107 PID 1776 wrote to memory of 1612 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 107 PID 1776 wrote to memory of 1612 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 107 PID 1612 wrote to memory of 3916 1612 cmd.exe 109 PID 1612 wrote to memory of 3916 1612 cmd.exe 109 PID 3916 wrote to memory of 4692 3916 cmd.exe 110 PID 3916 wrote to memory of 4692 3916 cmd.exe 110 PID 1776 wrote to memory of 3220 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 111 PID 1776 wrote to memory of 3220 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 111 PID 1776 wrote to memory of 3220 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 111 PID 3220 wrote to memory of 4168 3220 cmd.exe 113 PID 3220 wrote to memory of 4168 3220 cmd.exe 113 PID 4168 wrote to memory of 2716 4168 cmd.exe 114 PID 4168 wrote to memory of 2716 4168 cmd.exe 114 PID 1776 wrote to memory of 1456 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 115 PID 1776 wrote to memory of 1456 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 115 PID 1776 wrote to memory of 1456 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 115 PID 1456 wrote to memory of 4292 1456 cmd.exe 117 PID 1456 wrote to memory of 4292 1456 cmd.exe 117 PID 4292 wrote to memory of 2784 4292 cmd.exe 118 PID 4292 wrote to memory of 2784 4292 cmd.exe 118 PID 1776 wrote to memory of 3872 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 119 PID 1776 wrote to memory of 3872 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 119 PID 1776 wrote to memory of 3872 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 119 PID 3872 wrote to memory of 8 3872 cmd.exe 121 PID 3872 wrote to memory of 8 3872 cmd.exe 121 PID 8 wrote to memory of 2928 8 cmd.exe 122 PID 8 wrote to memory of 2928 8 cmd.exe 122 PID 1776 wrote to memory of 3596 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 123 PID 1776 wrote to memory of 3596 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 123 PID 1776 wrote to memory of 3596 1776 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 123 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3212
-
C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1776 -
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"3⤵
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"4⤵PID:2652
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlbrowser.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5068
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4304 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe4⤵
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\system32\taskkill.exetaskkill -f -im sql writer.exe5⤵
- Kills process with taskkill
PID:5116
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlserv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3752
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\system32\taskkill.exetaskkill -f -im msmdsrv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3832
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe4⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\system32\taskkill.exetaskkill -f -im MsDtsSrvr.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4692
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4168 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlceip.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4292 -
C:\Windows\system32\taskkill.exetaskkill -f -im fdlauncher.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe4⤵
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Windows\system32\taskkill.exetaskkill -f -im Ssms.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE3⤵PID:3596
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE4⤵PID:4200
-
C:\Windows\system32\taskkill.exetaskkill -f -im SQLAGENT.EXE5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe3⤵PID:4184
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe4⤵PID:2708
-
C:\Windows\system32\taskkill.exetaskkill -f -im fdhost.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3820
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe3⤵PID:896
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe4⤵PID:436
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe3⤵PID:3800
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe4⤵PID:448
-
C:\Windows\system32\taskkill.exetaskkill -f -im msftesql.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4520
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe3⤵PID:2652
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe4⤵PID:1136
-
C:\Windows\system32\taskkill.exetaskkill -f -im pg_ctl.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe3⤵PID:4224
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe4⤵PID:316
-
C:\Windows\system32\taskkill.exetaskkill -f -impostgres.exe5⤵
- Kills process with taskkill
PID:4280
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper1003⤵PID:1852
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper1004⤵PID:2264
-
C:\Windows\system32\net.exenet stop MSSQLServerADHelper1005⤵PID:2356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1006⤵PID:2320
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS3⤵PID:4284
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS4⤵PID:1304
-
C:\Windows\system32\net.exenet stop MSSQL$ISARS5⤵PID:3788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS6⤵PID:3784
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW3⤵PID:4744
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW4⤵PID:2004
-
C:\Windows\system32\net.exenet stop MSSQL$MSFW5⤵PID:5000
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW6⤵PID:1424
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS3⤵PID:3376
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS4⤵PID:4308
-
C:\Windows\system32\net.exenet stop SQLAgent$ISARS5⤵PID:1200
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW3⤵PID:1752
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW4⤵PID:3020
-
C:\Windows\system32\net.exenet stop SQLAgent$MSFW5⤵PID:3364
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser3⤵PID:4176
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLBrowser4⤵PID:3632
-
C:\Windows\system32\net.exenet stop SQLBrowser5⤵PID:3284
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser6⤵PID:3872
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS3⤵PID:3668
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS4⤵PID:3836
-
C:\Windows\system32\net.exenet stop REportServer$ISARS5⤵PID:4616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop REportServer$ISARS6⤵PID:4684
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter3⤵PID:3272
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLWriter4⤵PID:4536
-
C:\Windows\system32\net.exenet stop SQLWriter5⤵PID:2688
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter6⤵PID:4184
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵PID:4864
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet4⤵PID:1420
-
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet5⤵
- Deletes system backups
PID:1300
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵PID:1928
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:1128
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:1796
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵PID:540
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No4⤵PID:2652
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No5⤵
- Modifies boot configuration data using bcdedit
PID:2388
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive3⤵PID:3432
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:3280
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3696
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest3⤵PID:4036
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest4⤵PID:948
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTABACKUP -deleteOldest5⤵
- Drops file in Windows directory
PID:1844
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵PID:492
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:548
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP5⤵
- Deletes System State backups
PID:5000
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵PID:4672
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:3700
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:2664
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\\?\C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -network2⤵
- Adds Run key to start application
- System policy modification
PID:1108
-
-
C:\Windows\system32\taskkill.exetaskkill -f -im ReportingServicesService.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS1⤵PID:5084
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW1⤵PID:3024
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5a8514fd9f3a52ab2a00f57494d03b2fe
SHA10e204aabbd8b5d6ee1b36d10429d65eb436afd14
SHA256056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
SHA5126250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b
-
Filesize
7KB
MD55aa2c892c656c7c250e7a1dd1df3e652
SHA16c2c3cceba2b9f84da46743abcc54be390386c29
SHA2560d1b81fd2bf87a062b0943398dc2ce1bd274e0f42e72eed7e696e9b60fc13e8a
SHA512bd80170cc7d795493f9ab66257e2fa7768790ae0afb12dffe215538ac328344f7cfe923b41d94841a5096b9b50c65051ab2ac5fdeface7730e2416e3ff3c886a
-
Filesize
1KB
MD52d41116c2fa41e5524ee8b3bfff25d9d
SHA1ac76d35825265ba9d0da3cb39a13f3481cf4c987
SHA256013b2a850396a508b99cc19929743b8b984864f3a1336bf7e1e0d3f2de7d30ce
SHA51298646d8cd4c80770a19396bba4fd34bdc3808a901971c7815b8b9601f3e59ff5fe9162e273c3e7ac4b1f20a12096a3ac0187b1426bfe9cc8f55a726a4404f58e
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html
Filesize13KB
MD5ee574016ad8afb6ec8ff595001dbf3d2
SHA1857fa46cf3650c39fb3487afa887990ce8d69674
SHA2566991a69e647dc425d1fb8989e2c1936d31399a972c6866521479e5a0ee0def77
SHA512d7fe3a3cc74f51942c27850c445dd048b4d97c16419291e81856f73b0daf4a1e6fcf682eebbf630386fdcf385b6544628f4b6bf4755967685e07f6c93a364f29
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize10KB
MD5aacdea28fd718479c90b33a6a38f1b20
SHA1e64e1394f755fdbd7000de19967bb2c1247209b7
SHA256bae9f4e936bc751c9a4160f3e5588799efc4cb1379c3c1c964a6e4060ec19d45
SHA512f740e39fa961cd4be9ab1cdb5c3a20b27242786ca2e86f23a2e2bd3d62cde1054152a6c26f0973ca2df2dd6ef5414689755f746b463de1616a08632d2f2b702d
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf
Filesize1KB
MD5446e0d3938425af282ab18355a6cc8f5
SHA107f0807a4f9f7649045322be1f4c33d3622856bf
SHA2564f17dda3abad57e93e7343becfc042b95f8aba62578db278d8c6ac691e1dd279
SHA5124095a6128cd1d208fc0a8cf8ce09f666749aba4ed27dd1b9f6c7ff2e8f51e19b2ca171805de5ae92c0a44d7eab0a5f9b23446bf3e41cb2bbe3633b5eabbfd249
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html
Filesize10KB
MD5fbd94147b854f170f40a089cd40d4aaf
SHA19b612c175db37081021571623df5835227c681ac
SHA25625d993fcfccdb5701746a7a01f214fa1351070de67b770b05cc07589b4145d10
SHA512d62739b026ed4c36c7ff0f0854882858805a148d4ef5d0046b385f0c3865cdab473e025cc21c4c7544dc27ed20ca9f11c41d3d9bb2e4fccbf3a9d0de47f37f54
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf
Filesize1KB
MD50c21fab5c49497846272ec828f119d58
SHA1cb24d043076886232b3115a62f491924b559ea9e
SHA25614152262d9742615d377b3d06c7608c70e7911dbb36e22c344fed5f6acfbd927
SHA512ba0de99312b8d79131a372106ca1463a064b77e9f6f9023008224a6e65a2424176a288e0065feca623ebc9814545f378a232e9be5197e8fd13154a5305ff0473
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html
Filesize13KB
MD51543401a683252c3b2646751a32013de
SHA1541cc968e8dc191b44cbb56abbe808536e83b58a
SHA256150f065ba69af41934047bd02087a417c5e18878f7bde7a99df1c2e56c92b3ac
SHA5122042dea6b2012a47e706eac80bec3eaba7574b21972d610dc16b429bfc18425c5d6253a575f1c2e90c93666433ccf7239ea75f7f0376f8d9eb08b2a95bf183af