ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
166s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Size

333KB
MD5

db88a1bd11ca3aab7a0890a10a10f45d
SHA1

0e01e118613962e364b76869bcfb9d26cf0a6505
SHA256

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
SHA512

b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023
SSDEEP

6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\odt\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">1c66KuapAhSNOlmcKa7W5FG1TfX0GtRWdeIR9FZx5K6k4Fe/z2nFDTHv9RL2snzeNY5WpcNLoEtGHAYHzMhHExDETL2OgPWjr206jskzrSb7PUapOJBOyG9PSCiheNzd8HkN+735HbcbQYlnzCxQePMbqB/tOZudPqF93/ioABQdy2I31KDp5cQ2TKj9SRdeSFH1XTBpxWoTsopg1Penv+dBY+gTzBk5LZM/6hO8sG9VQasVKlazzv//IjSYd2B7SwZCcDgdyOtave4VXwb+h1jb7EpJ+DXyT2AYLtUSaaS5ePMvrmEOckzVcDQ/6Pzau9CDNCC2K/0ymPrsGakNCPgW2p1H1ncod4FNT9yJL6t/w7UAJx98AijSjE5/raP/ojRUNwy7rTuVkZcLBooo2QyFnjvclUaTlKynqpOU7QxSrEnz+UbI3G6qMYJWsTaBy9jC6W2duG8YiT5IrXkrj322eVB7NSUTBB5TrxnnJgWNbRMHMscY85/Dyn/n8aPie5jnI9kx6Np0diKkdx66PhTwuZDYxa3ReL6ta8GV+0cDiC5GVSISPDQK7HjJO/fqdGJjrb/VUsFYBqUM+g7xDBvjbSuf4WHX4PEbFBNPVuKbH4+ywfooP6F8EsKGG75mYDqcY0AoNcb8W8Z4QP1+S6SQJrC0rec/mypXwDe+HVrnVHETPTb3hR8jJmqOr/6xRyPti91kuEqhRodg6Vna95aQWk+br+LhZc4IieckjdV14buyGvXg1y681eGMAQXlz14aKfwlyhRpQ+xT0iN5Q1jZUJD9pBSCimrukxN6fx8T8TUjoB+pjFgztQu6e0FY6/ZG2SGIulokbl5h1r5xMzjq4tRmGLo2OFsRoTMopgkZ86V78h+hzQAQc92w3zwNXuNyIJl4yttH3a3YTRBa8i1d8BrMh97kfsEe0uAplycs5XsKoqAm36WrScBf1eYM8RU8UJuSAYeAtxlytAC7e6RqYrsX9/IQ8Ek7B5HithhYGMFHBgHt8qi8nHqrEstjt/vQ/oIjaHSVKjN/tiXuuhUKNe3czyEc2OqSFJMknuTbfcDEM9mP8cc6ccNnu8FnGpSOlXcaYkPpgj+n+IEzb+oMbCdHI9TmQXkwg/jAE8bPyygNBI0ClVXGIuu4oJH8e/eDVOBDTo8+HGFzykeAwbn6LFjWtYh86xk+CRwPD/jKiTAsldrtSMOf1O6ZSnUWY1M/WBsRQHnWvDj7KcfriVhBnZ/LiBdBUCDjrWOk0rL4VG58MkHQYlpn0iwGz8JC1H3lO1bPlfC6zgetvnSSj1q5bCwF77cpzyDei3/8zrKoka37oiOUsAhvzaB89mitOwFj81V7mcvzcbVl7dZlnqkc24P6Mmk1wW6IDN+k2Xi7TICs2lWD5MWe2hDB1VpKlueOE4HpZlggoH5Tedgxo/MVoeWnfHmejP/UHAcahWwTmCsK7nJ6c/75v5HWlFMcxFHlVjuKt8xlUNZJA3tudy+ahYdtoOBSuLy0J3dnCcsEuMe3OOmp4B9rWDAR1TGzDGoSGkIl3RSRETPwTN4ETN5bvWL7fjhOazWRhaYV8gdfndPHQ+pm74q7Di5ZQpK60svG2bra5oxTClL3B41SxReCP811Y/BURm2FfKm4slndJZLffYlkagbcF/pfD6BqXoKl6LfurDmP3qgwFAeAcS8gT9UO7DoJOwCJAexu/n8=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4204 created 3376	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	49

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1708	bcdedit.exe
312	bcdedit.exe

Renames multiple (162) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2012	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4408	wbadmin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\J:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\M:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Q:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\S:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\A:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\I:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\U:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\V:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\W:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\X:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Y:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\F:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\L:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\N:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\B:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\H:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\K:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\O:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\P:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\R:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\T:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Z:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\G:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.0\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\Services\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\.version	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipRes.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pl-PL\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\microsoft shared\TextConv\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\tipresx.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\System\ado\en-US\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1716	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1424	taskkill.exe
2908	taskkill.exe
4932	taskkill.exe
2348	taskkill.exe
4908	taskkill.exe
780	taskkill.exe
4608	taskkill.exe
3360	taskkill.exe
4488	taskkill.exe
2708	taskkill.exe
1132	taskkill.exe
3028	taskkill.exe
1744	taskkill.exe
1808	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3688	WMIC.exe
Token: SeSecurityPrivilege	3688	WMIC.exe
Token: SeTakeOwnershipPrivilege	3688	WMIC.exe
Token: SeLoadDriverPrivilege	3688	WMIC.exe
Token: SeSystemProfilePrivilege	3688	WMIC.exe
Token: SeSystemtimePrivilege	3688	WMIC.exe
Token: SeProfSingleProcessPrivilege	3688	WMIC.exe
Token: SeIncBasePriorityPrivilege	3688	WMIC.exe
Token: SeCreatePagefilePrivilege	3688	WMIC.exe
Token: SeBackupPrivilege	3688	WMIC.exe
Token: SeRestorePrivilege	3688	WMIC.exe
Token: SeShutdownPrivilege	3688	WMIC.exe
Token: SeDebugPrivilege	3688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3688	WMIC.exe
Token: SeRemoteShutdownPrivilege	3688	WMIC.exe
Token: SeUndockPrivilege	3688	WMIC.exe
Token: SeManageVolumePrivilege	3688	WMIC.exe
Token: 33	3688	WMIC.exe
Token: 34	3688	WMIC.exe
Token: 35	3688	WMIC.exe
Token: 36	3688	WMIC.exe
Token: SeBackupPrivilege	3240	vssvc.exe
Token: SeRestorePrivilege	3240	vssvc.exe
Token: SeAuditPrivilege	3240	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 1500	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	96
PID 4204 wrote to memory of 1500	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	96
PID 4204 wrote to memory of 1500	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	96
PID 1500 wrote to memory of 1532	1500	cmd.exe	98
PID 1500 wrote to memory of 1532	1500	cmd.exe	98
PID 4204 wrote to memory of 3624	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	99
PID 4204 wrote to memory of 3624	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	99
PID 4204 wrote to memory of 3624	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	99
PID 3624 wrote to memory of 1536	3624	cmd.exe	101
PID 3624 wrote to memory of 1536	3624	cmd.exe	101
PID 1536 wrote to memory of 1424	1536	cmd.exe	102
PID 1536 wrote to memory of 1424	1536	cmd.exe	102
PID 4204 wrote to memory of 1964	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	103
PID 4204 wrote to memory of 1964	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	103
PID 4204 wrote to memory of 1964	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	103
PID 1964 wrote to memory of 4544	1964	cmd.exe	105
PID 1964 wrote to memory of 4544	1964	cmd.exe	105
PID 4544 wrote to memory of 4608	4544	cmd.exe	106
PID 4544 wrote to memory of 4608	4544	cmd.exe	106
PID 4204 wrote to memory of 2972	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	107
PID 4204 wrote to memory of 2972	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	107
PID 4204 wrote to memory of 2972	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	107
PID 2972 wrote to memory of 3364	2972	cmd.exe	109
PID 2972 wrote to memory of 3364	2972	cmd.exe	109
PID 3364 wrote to memory of 3360	3364	cmd.exe	110
PID 3364 wrote to memory of 3360	3364	cmd.exe	110
PID 4204 wrote to memory of 3084	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	111
PID 4204 wrote to memory of 3084	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	111
PID 4204 wrote to memory of 3084	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	111
PID 3084 wrote to memory of 4644	3084	cmd.exe	113
PID 3084 wrote to memory of 4644	3084	cmd.exe	113
PID 4644 wrote to memory of 3028	4644	cmd.exe	114
PID 4644 wrote to memory of 3028	4644	cmd.exe	114
PID 4204 wrote to memory of 4672	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	115
PID 4204 wrote to memory of 4672	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	115
PID 4204 wrote to memory of 4672	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	115
PID 4672 wrote to memory of 4460	4672	cmd.exe	117
PID 4672 wrote to memory of 4460	4672	cmd.exe	117
PID 4460 wrote to memory of 2908	4460	cmd.exe	118
PID 4460 wrote to memory of 2908	4460	cmd.exe	118
PID 4204 wrote to memory of 1484	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	119
PID 4204 wrote to memory of 1484	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	119
PID 4204 wrote to memory of 1484	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	119
PID 1484 wrote to memory of 2668	1484	cmd.exe	121
PID 1484 wrote to memory of 2668	1484	cmd.exe	121
PID 2668 wrote to memory of 4488	2668	cmd.exe	122
PID 2668 wrote to memory of 4488	2668	cmd.exe	122
PID 4204 wrote to memory of 5028	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	123
PID 4204 wrote to memory of 5028	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	123
PID 4204 wrote to memory of 5028	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	123
PID 5028 wrote to memory of 4416	5028	cmd.exe	125
PID 5028 wrote to memory of 4416	5028	cmd.exe	125
PID 4416 wrote to memory of 1744	4416	cmd.exe	126
PID 4416 wrote to memory of 1744	4416	cmd.exe	126
PID 4204 wrote to memory of 2992	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	127
PID 4204 wrote to memory of 2992	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	127
PID 4204 wrote to memory of 2992	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	127
PID 2992 wrote to memory of 3852	2992	cmd.exe	129
PID 2992 wrote to memory of 3852	2992	cmd.exe	129
PID 3852 wrote to memory of 4932	3852	cmd.exe	130
PID 3852 wrote to memory of 4932	3852	cmd.exe	130
PID 4204 wrote to memory of 4648	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	131
PID 4204 wrote to memory of 4648	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	131
PID 4204 wrote to memory of 4648	4204	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	131

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
  "C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4460
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4416
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:4648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:3792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:3064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:320
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2680
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:8
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:1220
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:3656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:700
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:856
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:780
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:3180
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2184
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:2540
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:1984
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:4804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:756
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:3916
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:5080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:4104
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:3028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:4460
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1036
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:3888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:4372
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:1484
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:4108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1476
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:2444
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:3224
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:4788
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:4640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:1600
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:4744
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:4752
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:3792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:1700
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:4408
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:4648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2544
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:1808
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:312
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:3516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2680
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1708
- C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -network
  2⤵
  - System policy modification
  PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\How_to_back_files.html

Filesize
5KB

MD5
c8cc02378c40dd46e24a5f14852444cf

SHA1
0a304c88c3a01fc2d582e75bc3887dcc2c91ae5a

SHA256
9391f3fd9555bc2fe231d391d76d73387a738c40884c7aee5d5f0bf298d92f4b

SHA512
1a92b8203bce2a9de4b05ffea29f44f1f63551a1b5dc15290ac5c9b484d4c4e7feeebacd122d747805c90323f21993b385c8f4bd1894e5a694b0d5961aa9a8aa

Download Submit