88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a

Resubmissions

01/03/2024, 13:18

240301-qj37qagc71 7

28/12/2023, 16:27

231228-tygh2sheh8 10

Analysis

max time kernel
361s
max time network
362s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe
Size

1.7MB
MD5

5f1977ff2e710323036df5bf5fd7df2b
SHA1

cf856ca9dfee5a3935d5e7ad192044438ab6c500
SHA256

88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a
SHA512

8cc6808e0285a73ca90f4247982e1ee635f492a54929bad49c55ebe45f3ba45eba80777043085b811e91ceb72fab744af6e9bc93185b7450a44323886efa743a
SSDEEP

49152:2svcOp7uaMh54agPw0Ic02gRotHcBWJz9FNFU:2s0KCHDdg40I9LsFQ

Score

9^/10

evasion ransomware spyware stealer

Malware Config

Signatures

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
1164	wevtutil.exe
3052	wevtutil.exe
1628	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2616	bcdedit.exe
2780	bcdedit.exe
2928	bcdedit.exe
2360	bcdedit.exe

Renames multiple (837) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1940	wbadmin.exe

Executes dropped EXE 1 IoCs

pid	Process
2384	windows_encryptor_180870197840.exe

Loads dropped DLL 7 IoCs

pid	Process
2140	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe
2384	windows_encryptor_180870197840.exe
2384	windows_encryptor_180870197840.exe
2384	windows_encryptor_180870197840.exe
2384	windows_encryptor_180870197840.exe
2384	windows_encryptor_180870197840.exe
2384	windows_encryptor_180870197840.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2688	vssadmin.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
2988	taskkill.exe
560	taskkill.exe
2308	taskkill.exe
2188	taskkill.exe
348	taskkill.exe
1604	taskkill.exe
2116	taskkill.exe
992	taskkill.exe
2588	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeBackupPrivilege	2348	vssvc.exe
Token: SeRestorePrivilege	2348	vssvc.exe
Token: SeAuditPrivilege	2348	vssvc.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeSecurityPrivilege	1164	wevtutil.exe
Token: SeBackupPrivilege	1164	wevtutil.exe
Token: SeSecurityPrivilege	1628	cmd.exe
Token: SeBackupPrivilege	1628	cmd.exe
Token: SeSecurityPrivilege	3052	wevtutil.exe
Token: SeBackupPrivilege	3052	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2384	2140	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe	138
PID 2140 wrote to memory of 2384	2140	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe	138
PID 2140 wrote to memory of 2384	2140	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe	138
PID 2140 wrote to memory of 2384	2140	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe	138
PID 2384 wrote to memory of 2768	2384	windows_encryptor_180870197840.exe	137
PID 2384 wrote to memory of 2768	2384	windows_encryptor_180870197840.exe	137
PID 2384 wrote to memory of 2768	2384	windows_encryptor_180870197840.exe	137
PID 2768 wrote to memory of 2624	2768	cmd.exe	37
PID 2768 wrote to memory of 2624	2768	cmd.exe	37
PID 2768 wrote to memory of 2624	2768	cmd.exe	37
PID 2624 wrote to memory of 2360	2624	cmd.exe	36
PID 2624 wrote to memory of 2360	2624	cmd.exe	36
PID 2624 wrote to memory of 2360	2624	cmd.exe	36
PID 2384 wrote to memory of 2920	2384	windows_encryptor_180870197840.exe	35
PID 2384 wrote to memory of 2920	2384	windows_encryptor_180870197840.exe	35
PID 2384 wrote to memory of 2920	2384	windows_encryptor_180870197840.exe	35
PID 2920 wrote to memory of 2900	2920	cmd.exe	34
PID 2920 wrote to memory of 2900	2920	cmd.exe	34
PID 2920 wrote to memory of 2900	2920	cmd.exe	34
PID 2900 wrote to memory of 2928	2900	cmd.exe	33
PID 2900 wrote to memory of 2928	2900	cmd.exe	33
PID 2900 wrote to memory of 2928	2900	cmd.exe	33
PID 2384 wrote to memory of 2976	2384	windows_encryptor_180870197840.exe	32
PID 2384 wrote to memory of 2976	2384	windows_encryptor_180870197840.exe	32
PID 2384 wrote to memory of 2976	2384	windows_encryptor_180870197840.exe	32
PID 2976 wrote to memory of 2236	2976	cmd.exe	30
PID 2976 wrote to memory of 2236	2976	cmd.exe	30
PID 2976 wrote to memory of 2236	2976	cmd.exe	30
PID 2236 wrote to memory of 2780	2236	cmd.exe	29
PID 2236 wrote to memory of 2780	2236	cmd.exe	29
PID 2236 wrote to memory of 2780	2236	cmd.exe	29
PID 2384 wrote to memory of 2788	2384	windows_encryptor_180870197840.exe	28
PID 2384 wrote to memory of 2788	2384	windows_encryptor_180870197840.exe	28
PID 2384 wrote to memory of 2788	2384	windows_encryptor_180870197840.exe	28
PID 2788 wrote to memory of 2728	2788	cmd.exe	26
PID 2788 wrote to memory of 2728	2788	cmd.exe	26
PID 2788 wrote to memory of 2728	2788	cmd.exe	26
PID 2728 wrote to memory of 2616	2728	cmd.exe	25
PID 2728 wrote to memory of 2616	2728	cmd.exe	25
PID 2728 wrote to memory of 2616	2728	cmd.exe	25
PID 2384 wrote to memory of 2612	2384	windows_encryptor_180870197840.exe	24
PID 2384 wrote to memory of 2612	2384	windows_encryptor_180870197840.exe	24
PID 2384 wrote to memory of 2612	2384	windows_encryptor_180870197840.exe	24
PID 2612 wrote to memory of 2680	2612	cmd.exe	22
PID 2612 wrote to memory of 2680	2612	cmd.exe	22
PID 2612 wrote to memory of 2680	2612	cmd.exe	22
PID 2680 wrote to memory of 2688	2680	cmd.exe	19
PID 2680 wrote to memory of 2688	2680	cmd.exe	19
PID 2680 wrote to memory of 2688	2680	cmd.exe	19
PID 2384 wrote to memory of 1624	2384	windows_encryptor_180870197840.exe	136
PID 2384 wrote to memory of 1624	2384	windows_encryptor_180870197840.exe	136
PID 2384 wrote to memory of 1624	2384	windows_encryptor_180870197840.exe	136
PID 1624 wrote to memory of 1044	1624	cmd.exe	38
PID 1624 wrote to memory of 1044	1624	cmd.exe	38
PID 1624 wrote to memory of 1044	1624	cmd.exe	38
PID 1044 wrote to memory of 1940	1044	cmd.exe	39
PID 1044 wrote to memory of 1940	1044	cmd.exe	39
PID 1044 wrote to memory of 1940	1044	cmd.exe	39
PID 2384 wrote to memory of 2336	2384	windows_encryptor_180870197840.exe	135
PID 2384 wrote to memory of 2336	2384	windows_encryptor_180870197840.exe	135
PID 2384 wrote to memory of 2336	2384	windows_encryptor_180870197840.exe	135
PID 2336 wrote to memory of 768	2336	cmd.exe	133
PID 2336 wrote to memory of 768	2336	cmd.exe	133
PID 2336 wrote to memory of 768	2336	cmd.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe
"C:\Users\Admin\AppData\Local\Temp\88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe
  "C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2384

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
1⤵
- Interacts with shadow copies
PID:2688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\cmd.exe
cmd /c "vssadmin Delete Shadows /All /Quiet"
1⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "vssadmin Delete Shadows /All /Quiet"
1⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:2616

C:\Windows\system32\cmd.exe
cmd /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:2780

C:\Windows\system32\cmd.exe
cmd /c "bcdedit /set {current} bootstatuspolicy ignoreallfailures"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "bcdedit /set {current} bootstatuspolicy ignoreallfailures"
1⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Modifies boot configuration data using bcdedit
PID:2928

C:\Windows\system32\cmd.exe
cmd /c "bcdedit /set {default} recoveryenabled no"
1⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "bcdedit /set {default} recoveryenabled no"
1⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
1⤵
- Modifies boot configuration data using bcdedit
PID:2360

C:\Windows\system32\cmd.exe
cmd /c "bcdedit /set {current} recoveryenabled no"
1⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\cmd.exe
cmd /c "wbadmin DELETE BACKUP -keepVersions:0 -quiet"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE BACKUP -keepVersions:0 -quiet
  2⤵
  - Deletes system backups
  - Drops file in Windows directory
  PID:1940

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlbrowser*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlwriter*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlservr*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlceip*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\taskkill.exe
taskkill /F /IM SQLAGENT*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlservr*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\taskkill.exe
taskkill /F /IM pg_ctl*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\taskkill.exe
taskkill /F /IM postgres*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:1688
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "service_name" /y
  2⤵
  PID:1564

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:752
- C:\Windows\system32\wevtutil.exe
  wevtutil cl security
  2⤵
  - Clears Windows event logs
  PID:1628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:2172

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:1616
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "service_name" /y
  2⤵
  PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:2796

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:2252

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
1⤵
PID:1584

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
1⤵
PID:2200

C:\Windows\system32\wevtutil.exe
wevtutil cl application
1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\system32\cmd.exe
cmd /c "wevtutil cl application"
1⤵
PID:1548

C:\Windows\system32\wevtutil.exe
wevtutil cl system
1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\cmd.exe
cmd /c "wevtutil cl system"
1⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "wevtutil cl system"
1⤵
PID:1396

C:\Windows\system32\cmd.exe
cmd /c "wevtutil cl security"
1⤵
PID:752
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "service_name" /y
  2⤵
  PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "wevtutil cl security"
1⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "wevtutil cl application"
1⤵
PID:2324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:2420

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:1992

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
1⤵
PID:340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:2424

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:1760

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
1⤵
PID:2372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:664

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:1320

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
1⤵
PID:2696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:1708

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:716

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
1⤵
PID:1932

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:1936

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
1⤵
PID:936

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
1⤵
PID:1256

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:1328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1277875330985472914-9114402271111514148-117679824612853107331134378863-1864856621"
1⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
1⤵
PID:1952

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM postgres*"
1⤵
PID:2300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2032393478-1832060293713556381-1345348843-1540302965841927651-896925519933138216"
1⤵
PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM postgres*"
1⤵
PID:448

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM pg_ctl*"
1⤵
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM pg_ctl*"
1⤵
PID:2712

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM sqlservr*"
1⤵
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlservr*"
1⤵
PID:584

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM SQLAGENT*"
1⤵
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM SQLAGENT*"
1⤵
PID:600

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM sqlceip*"
1⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlceip*"
1⤵
PID:2276

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM sqlservr*"
1⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlservr*"
1⤵
PID:2092

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM sqlwriter*"
1⤵
PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlwriter*"
1⤵
PID:1700

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM sqlbrowser*"
1⤵
PID:296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlbrowser*"
1⤵
PID:2904

C:\Windows\system32\taskkill.exe
taskkill /F /IM postgresql*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM postgresql*"
1⤵
PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM postgresql*"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "wbadmin DELETE BACKUP -keepVersions:0 -quiet"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd /c "bcdedit /set {current} recoveryenabled no"
1⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\libglib-2.0-0.dll

Filesize
88KB

MD5
830c370e3811c4ea99066816d37a0d3a

SHA1
37360d0adb97f968f3c57a4ed47bcbc27aa3dc75

SHA256
5b25d7d8f62ed66b8dc44870914393f8827083c73f86afd0f1b28c093433969c

SHA512
5fe6eb24caabcd8fc5aed52d9ace9b7d6e698d827b37eb92663cad25aa7e0ed00e857e721fc7ecf0539d7f6cb1d76878b4b7ec4638c5eba86a1e7871afb6d92f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgobject-2.0-0.dll

Filesize
57KB

MD5
7027a4991d84d6d90bfb66417635a997

SHA1
28be14a746a358ad34c52acad52c54b3e06ba9d0

SHA256
10ef3df7481b19526c57fb2f6c63b8a9fdea0b20fce052aba44a2b0d2def2406

SHA512
cc65b68a4723f36f91b9e075118ee564624d5952ff1b1ab5009230e9407cd884e119b11bbcbfbb374ed0b2ba3df0f14d294e4d1abd46b5e71c1164c4b225bc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libiconv-2.dll

Filesize
137KB

MD5
afe6b33625f0c46364340484993c3daf

SHA1
c664b321d11f5feb03f0f643d8780a3fad700acf

SHA256
98079f34c25a6396f1d9ee447961a4885b912dc04d2466369d2b8a5a0dcf55a2

SHA512
7df525d73502fe56d51b95b164bb7bf3f4111ed58647df48dc7b00edfdbeaad26475b08cfb2471f004ce7fe1bafa682aa8005c02fcf8ca540447776935efd276

Download Submit
C:\Users\Admin\AppData\Local\Temp\libintl-8.dll

Filesize
116KB

MD5
1e94ffdc3936764d425a51dd0210bbc6

SHA1
19ca242f278f5d6335417b5a76b8d267bc786195

SHA256
2d3b6be06a4b18e5774db977b543430b0f8512df90660ec5b5b409742b0ea669

SHA512
8819d84919aba8a6fb5b0ee73c4b9bdb4d88b416d1ca889059aaf4ef802786075b3ff969cd8356344a96df9bc0793c9d5d6ea098998009a803e4663ea4d73e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\libpcre2-8-0.dll

Filesize
145KB

MD5
05a43b16de24acd3a843a9ba22d0e439

SHA1
0065424cb7bef378d002975460e675e4ff8715ab

SHA256
45064fb6a1a6d0e5ccce32903092d0fadaa977b968191d2f847517beff1e4df3

SHA512
bc8d5d3af28bb546bbb3296e4af754cb6da52ea5c6e5208f9a5bb72da65477a249c685295d5256d25a62745ae9cd54014c734a92fed3c0fad606a58b5bdbeeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe

Filesize
129KB

MD5
f585444e652dc598fcd4fe4f10872aa5

SHA1
b18e7cc9b2d34e5b1a27df0578e9065d8faeab1c

SHA256
1cd48de6d247b87b60bf5d286275d36c6c51d6f0d3765abe86d49a15f0fcb325

SHA512
0078cae93a7abb976851185f770d5db72a9153f9b5594d15b8af0691093b9dfb93c54351701cd4e599735e4bd5f664d782a8647cc4c815d193d8262b8e80e7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe

Filesize
183KB

MD5
57bd8060860c959dacca18abca7fa950

SHA1
a8040672e00d92f1c015d3ac78cbdc4313ab7252

SHA256
3a0a7db0bfe5ca754a248e579e1a7509af52b7272d52e8b5c7493e4e75406b7f

SHA512
88b2377ecaa581d9dee2a02d2bf2682e99d27db4864ac34f90a2730755bec5a0e3605c3399b2f672cab839f8f65e988babd393e2b712174529a4ad159ba4bff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe

Filesize
150KB

MD5
f8afd35fbd206a6d635ec936404b24f5

SHA1
cbe0b92c06df1b46b1318544ea3c07c041059173

SHA256
884b14550c3be42484f07bd152cbd73a0b651da7f1e39b6bdd9bc14c1cc5cbb1

SHA512
a42b8cbf357f5b294a843dc0a1723057550ba9cc1758f23efb84830a22d68b3222e279e359e6cdd20c14781b2527f8efc1d0c16bb8719b2aec79bc35ea2136e2

Download Submit
\Users\Admin\AppData\Local\Temp\libffi-8.dll

Filesize
32KB

MD5
c262a0d445f9e205965d67c8371a69f5

SHA1
1debd5d11a0b01033028c7ea987cdc8fc47b8e57

SHA256
e689c781dd0619b02f2a06f9a5648c3246927be14eb3475afde74830545df7f3

SHA512
6463003d821e9146ef891d19f0d67e70053ff5f598a5ff76f0cb9b8afffdc4c546f17d73847d901107898b56be034871db6d9171b22a40059c07cc4b7c939300

Download Submit
\Users\Admin\AppData\Local\Temp\libglib-2.0-0.dll

Filesize
100KB

MD5
3330acbcf30e644a13f5b45ec3031576

SHA1
e963a7f61f457d35cf5c06822fc071c88e040b11

SHA256
87621c428bd4a6a609457f590409cc22642dbf10612db3ecff6d81eb82d52d51

SHA512
2d933b940cbf6294f0ccf29c62bc3347b1e09e536ce3b58d2231d6c85c9f38251f390a2b27d3ad046c76df1f0fd62edb0dfb913e61e435a6ea83ac39bcc59747

Download Submit
\Users\Admin\AppData\Local\Temp\libgobject-2.0-0.dll

Filesize
123KB

MD5
73e550c93f38f6d792776a20dfb05245

SHA1
179b3860ee5c69672653c0b76fc04b5bf2475402

SHA256
46b305ba16c912d65052fd356b3f90b483e95d127016de40fd7b4ae47925c5b9

SHA512
8254f0ffa80816b558b8090f15afe7c2c648c8fd933831558feb268ca7750f8515b2f9b90267c446d9252f39bc2695a35a6b616d053b0579f9da079865c69cf6

Download Submit
\Users\Admin\AppData\Local\Temp\libiconv-2.dll

Filesize
86KB

MD5
5587d61f874733f8b8d5b1e4f155883a

SHA1
44b6c99da4874b22a8cd28e1a0fc28436812ae32

SHA256
bd1fa5b4db650ffcfa97580df23717040e16445b024a566bc4175e16b1051796

SHA512
cf9e4eea8f2b149668d11b313f660025a9a6ff897fa552183423e0b20f673ac79b766a52307d24073fa86978c291cb3c63adf841451f746214aceac2f17c48d6

Download Submit
\Users\Admin\AppData\Local\Temp\libintl-8.dll

Filesize
136KB

MD5
9362e3f4836d6a1783fa75a1cdabdad8

SHA1
fcf4e824d62d1ce911964e25c60885c654f8af9c

SHA256
4e4e264b720cf99911c8a75647f50f8a9295c7f3c7eeb152e16b96bc9eaa65ca

SHA512
e8965191666e5d4c727629f8c57a78773f4dba08952efecfe870cf468a649931f54ccee097a5e0ba26b8813b9e223e04013caa67b8c3f94f27000be9fd531bee

Download Submit
\Users\Admin\AppData\Local\Temp\libpcre2-8-0.dll

Filesize
143KB

MD5
4b290d3d2c6b477d6353028160dbfd7e

SHA1
3d0ff986dab033bec20d6be333c79786bc70ffc6

SHA256
906532cde825746a8b215a2accc40bd3e24ddf1cfdd4bc4c7456025eb9bfb85b

SHA512
8ae1810df7405fd4ea27e144baf44c3f899989679cb978a60d1da681a6067ff4ec4ee23753e72c3c0c4bae47502560fec75a75699adb4bb6b3e745b13e5ee065

Download Submit
\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe

Filesize
153KB

MD5
911b8941a98ff6ba42917ee253915cc0

SHA1
f4918a458f4dac632c5ab86dd24c396488715e4f

SHA256
e1de04021d9cc7878684f6f838879909cbd376d81fed493c5acb5d81cb587835

SHA512
86be373a1c7741afd416247afcad62a218c55467b538b9c51d30783e0a37a7b1843268b3690dd0e5b995efa96966d3963d2c888b3ed2dae4eae0684c5ab071f4

Download Submit
memory/2384-1693-0x000000013F540000-0x000000013F58F000-memory.dmp

Filesize
316KB

Download
memory/2384-1699-0x000007FEFB4A0000-0x000007FEFB4B0000-memory.dmp

Filesize
64KB

Download
memory/2384-1694-0x000007FEF66A0000-0x000007FEF6805000-memory.dmp

Filesize
1.4MB

Download
memory/2384-1695-0x000007FEFA9A0000-0x000007FEFA9C9000-memory.dmp

Filesize
164KB

Download
memory/2384-1696-0x000007FEF5C50000-0x000007FEF5D69000-memory.dmp

Filesize
1.1MB

Download
memory/2384-1697-0x000007FEF7470000-0x000007FEF74D7000-memory.dmp

Filesize
412KB

Download
memory/2384-1698-0x000007FEF7210000-0x000007FEF726A000-memory.dmp

Filesize
360KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads