Resubmissions
12-01-2022 14:09  220112-rgdpqacghr  10
12-01-2022 14:06  220112-rertkacga3  10
12-01-2022 14:00  220112-rbg5yscfh2  10
Analysis
max time kernel: 128s
max time network: 131s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-01-2022 14:09
Static task: static1
Behavioral task: behavioral1
Sample: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
Resource: win7-en-20211208
General
Target: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
Size: 3.8MB
MD5: 32bd8e6843879a761e6fa9436a90bb66
SHA1: 26dde522d6f3f87ac982495028494c7f50799696
SHA256: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
SHA512: c7e437c61980385ce57fe2a0dc0988aeba4609ac1ac7b7c07951c10c6bc38772c7ad1442571ab6409c8ea04991844e7ad95b5a9b35e31996f7aad9db4020716f
Malware Config
Extracted
C:\Program Files\7-Zip\rFSH_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
pid | process
376 | MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.
Modifies security service 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | reg.exe
Clears Windows event logs 1 TTPs
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | process
1096 | bcdedit.exe
1788 | bcdedit.exe
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Users\Admin\Pictures\ExitTrace.png => C:\Users\Admin\Pictures\ExitTrace.png.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\ExportSearch.tiff => C:\Users\Admin\Pictures\ExportSearch.tiff.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\InstallUnregister.tiff => C:\Users\Admin\Pictures\InstallUnregister.tiff.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\InstallUnregister.tiff.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\SelectSearch.tif.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\WaitExit.raw => C:\Users\Admin\Pictures\WaitExit.raw.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\ExitTrace.png.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\ExportSearch.tiff.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File renamed | C:\Users\Admin\Pictures\SelectSearch.tif => C:\Users\Admin\Pictures\SelectSearch.tif.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Users\Admin\Pictures\WaitExit.raw.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\rFSH_HOW_TO_DECRYPT.txt | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOVEL.WAV.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\RequestPublish.html.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SPANISH.LNG.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File created | C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\rFSH_HOW_TO_DECRYPT.txt | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152890.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21527_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02233_.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_F_COL.HXK.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\NOTE.CFG.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\rFSH_HOW_TO_DECRYPT.txt | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QUIKPUBS.POC.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\calendar.js | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\12.png | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\rFSH_HOW_TO_DECRYPT.txt | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgRes.dll.mui.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01139_.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\msdaorar.dll.mui | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01905_.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_zh_CN.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DVDHM.POC.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\TURABIAN.XSL.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\vlc.mo.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\FAXEXT.ECF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Oslo.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Andorra.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_top.png | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151063.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME25.CSS.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR23F.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00256_.WMF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_IAAAACAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\header.gif.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html.mj8BSwxv3tCgWLiiN268gs5_smliftOvVJlGlxoPCSb_AAAAAAAAAAA0.bvddx | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1712 | vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid | process
2564 | notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
2080 | powershell.exe
2172 | powershell.exe
1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeSecurityPrivilege | 272 | wevtutil.exe
Token: SeBackupPrivilege | 272 | wevtutil.exe
Token: SeSecurityPrivilege | 1592 | wevtutil.exe
Token: SeBackupPrivilege | 1592 | wevtutil.exe
Token: SeSecurityPrivilege | 1632 | wevtutil.exe
Token: SeBackupPrivilege | 1632 | wevtutil.exe
Token: SeIncreaseQuotaPrivilege | 1480 | wmic.exe
Token: SeSecurityPrivilege | 1480 | wmic.exe
Token: SeTakeOwnershipPrivilege | 1480 | wmic.exe
Token: SeLoadDriverPrivilege | 1480 | wmic.exe
Token: SeSystemProfilePrivilege | 1480 | wmic.exe
Token: SeSystemtimePrivilege | 1480 | wmic.exe
Token: SeProfSingleProcessPrivilege | 1480 | wmic.exe
Token: SeIncBasePriorityPrivilege | 1480 | wmic.exe
Token: SeCreatePagefilePrivilege | 1480 | wmic.exe
Token: SeBackupPrivilege | 1480 | wmic.exe
Token: SeRestorePrivilege | 1480 | wmic.exe
Token: SeShutdownPrivilege | 1480 | wmic.exe
Token: SeDebugPrivilege | 1480 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 1480 | wmic.exe
Token: SeRemoteShutdownPrivilege | 1480 | wmic.exe
Token: SeUndockPrivilege | 1480 | wmic.exe
Token: SeManageVolumePrivilege | 1480 | wmic.exe
Token: 33 | 1480 | wmic.exe
Token: 34 | 1480 | wmic.exe
Token: 35 | 1480 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 588 | wmic.exe
Token: SeSecurityPrivilege | 588 | wmic.exe
Token: SeTakeOwnershipPrivilege | 588 | wmic.exe
Token: SeLoadDriverPrivilege | 588 | wmic.exe
Token: SeSystemProfilePrivilege | 588 | wmic.exe
Token: SeSystemtimePrivilege | 588 | wmic.exe
Token: SeProfSingleProcessPrivilege | 588 | wmic.exe
Token: SeIncBasePriorityPrivilege | 588 | wmic.exe
Token: SeCreatePagefilePrivilege | 588 | wmic.exe
Token: SeBackupPrivilege | 588 | wmic.exe
Token: SeRestorePrivilege | 588 | wmic.exe
Token: SeShutdownPrivilege | 588 | wmic.exe
Token: SeDebugPrivilege | 588 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 588 | wmic.exe
Token: SeRemoteShutdownPrivilege | 588 | wmic.exe
Token: SeUndockPrivilege | 588 | wmic.exe
Token: SeManageVolumePrivilege | 588 | wmic.exe
Token: 33 | 588 | wmic.exe
Token: 34 | 588 | wmic.exe
Token: 35 | 588 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 588 | wmic.exe
Token: SeSecurityPrivilege | 588 | wmic.exe
Token: SeTakeOwnershipPrivilege | 588 | wmic.exe
Token: SeLoadDriverPrivilege | 588 | wmic.exe
Token: SeSystemProfilePrivilege | 588 | wmic.exe
Token: SeSystemtimePrivilege | 588 | wmic.exe
Token: SeProfSingleProcessPrivilege | 588 | wmic.exe
Token: SeIncBasePriorityPrivilege | 588 | wmic.exe
Token: SeCreatePagefilePrivilege | 588 | wmic.exe
Token: SeBackupPrivilege | 588 | wmic.exe
Token: SeRestorePrivilege | 588 | wmic.exe
Token: SeShutdownPrivilege | 588 | wmic.exe
Token: SeDebugPrivilege | 588 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 588 | wmic.exe
Token: SeRemoteShutdownPrivilege | 588 | wmic.exe
Token: SeUndockPrivilege | 588 | wmic.exe
Token: SeManageVolumePrivilege | 588 | wmic.exe
Token: 33 | 588 | wmic.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1220 wrote to memory of 1756 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1756 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1756 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1756 wrote to memory of 524 | 1756 | net.exe | net1.exe
PID 1756 wrote to memory of 524 | 1756 | net.exe | net1.exe
PID 1756 wrote to memory of 524 | 1756 | net.exe | net1.exe
PID 1220 wrote to memory of 664 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 664 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 664 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 664 wrote to memory of 760 | 664 | net.exe | net1.exe
PID 664 wrote to memory of 760 | 664 | net.exe | net1.exe
PID 664 wrote to memory of 760 | 664 | net.exe | net1.exe
PID 1220 wrote to memory of 860 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 860 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 860 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 860 wrote to memory of 800 | 860 | net.exe | net1.exe
PID 860 wrote to memory of 800 | 860 | net.exe | net1.exe
PID 860 wrote to memory of 800 | 860 | net.exe | net1.exe
PID 1220 wrote to memory of 1464 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1464 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1464 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1464 wrote to memory of 1680 | 1464 | net.exe | net1.exe
PID 1464 wrote to memory of 1680 | 1464 | net.exe | net1.exe
PID 1464 wrote to memory of 1680 | 1464 | net.exe | net1.exe
PID 1220 wrote to memory of 864 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 864 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 864 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 864 wrote to memory of 628 | 864 | net.exe | net1.exe
PID 864 wrote to memory of 628 | 864 | net.exe | net1.exe
PID 864 wrote to memory of 628 | 864 | net.exe | net1.exe
PID 1220 wrote to memory of 1768 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1768 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1768 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1768 wrote to memory of 396 | 1768 | net.exe | net1.exe
PID 1768 wrote to memory of 396 | 1768 | net.exe | net1.exe
PID 1768 wrote to memory of 396 | 1768 | net.exe | net1.exe
PID 1220 wrote to memory of 1108 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1108 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1108 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1108 wrote to memory of 1100 | 1108 | net.exe | net1.exe
PID 1108 wrote to memory of 1100 | 1108 | net.exe | net1.exe
PID 1108 wrote to memory of 1100 | 1108 | net.exe | net1.exe
PID 1220 wrote to memory of 1056 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1056 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1220 wrote to memory of 1056 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | net.exe
PID 1056 wrote to memory of 1808 | 1056 | net.exe | net1.exe
PID 1056 wrote to memory of 1808 | 1056 | net.exe | net1.exe
PID 1056 wrote to memory of 1808 | 1056 | net.exe | net1.exe
PID 1220 wrote to memory of 1360 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1360 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1360 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1608 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1608 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1608 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1276 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1276 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1276 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1028 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1028 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1028 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1784 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1784 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 1784 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
PID 1220 wrote to memory of 832 | 1220 | 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe | sc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1220
    C:\Windows\system32\net.exe
      net.exe stop "NetMsmqActivator" /y
      - Suspicious use of WriteProcessMemory
      PID:1756
        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "NetMsmqActivator" /y
          PID:524
    C:\Windows\system32\net.exe
      net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
      PID:664
        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "SamSs" /y
          PID:760
    C:\Windows\system32\net.exe
      net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
      PID:860
        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "SDRSVC" /y
          PID:800
    C:\Windows\system32\net.exe
      net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
      PID:1464
        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "SstpSvc" /y
          PID:1680
    C:\Windows\system32\net.exe
      net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
      PID:864
        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "UI0Detect" /y
          PID:628
    C:\Windows\system32\net.exe
      net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
      PID:1768
        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "VSS" /y
          PID:396
    C:\Windows\system32\net.exe
      net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
      PID:1108
        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "wbengine" /y
          PID:1100
    C:\Windows\system32\net.exe
      net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
      PID:1056
        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "WebClient" /y
          PID:1808
    C:\Windows\system32\sc.exe
      sc.exe config "NetMsmqActivator" start= disabled
      PID:1360
    C:\Windows\system32\sc.exe
      sc.exe config "SamSs" start= disabled
      PID:1608
    C:\Windows\system32\sc.exe
      sc.exe config "SDRSVC" start= disabled
      PID:1276
    C:\Windows\system32\sc.exe
      sc.exe config "SstpSvc" start= disabled
      PID:1028
    C:\Windows\system32\sc.exe
      sc.exe config "UI0Detect" start= disabled
      PID:1784
    C:\Windows\system32\sc.exe
      sc.exe config "VSS" start= disabled
      PID:832
    C:\Windows\system32\sc.exe
      sc.exe config "wbengine" start= disabled
      PID:1772
    C:\Windows\system32\sc.exe
      sc.exe config "WebClient" start= disabled
      PID:1908
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      PID:928
    C:\Windows\system32\reg.exe
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      PID:1588
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      PID:852
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      PID:1732
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      PID:1192
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      PID:472
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      PID:768
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      PID:1496
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      PID:1680
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      PID:748
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      PID:984
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      PID:1120
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      PID:1180
    C:\Windows\system32\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      PID:1996
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1196
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1204
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:680
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:2008
-
C:\Windows\system32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:1272
-
C:\Windows\system32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:524
-
C:\Windows\system32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:1628
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1688
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:676
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1212
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2012
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:904
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1708
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1596
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1116 -
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1676
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1712 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:272 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1592 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1480 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:588 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1096 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1788 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1344
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:376 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2060
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2152
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172 -
C:\Windows\system32\notepad.exenotepad.exe C:\rFSH_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2564 -
C:\Windows\system32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe"2⤵PID:2572
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:2600
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: a208b721a482c583e8aec4a58ffafba8
  SHA1: fe96cf43bdaae291dac88081333f65a01a224254
  SHA256: 7f65f66220e8b56c91d69e2c1b2510d80b5ee84da47e0119f75e224d3eef2796
  SHA512: 129b3dc4d9f91a1b3c5bcee1e2bf1ae35f57afab05f1019e6aebd8b080c6a93e3f41121de526e6d801bffb3fdc527a0c01f8366ce30b26471c54c6fc5c268475
-
  MD5: 9feb836dd50f68cbf9e87dad21a2fbc4
  SHA1: f995609d7ea8a22383c8f28e2ac9b657fa767019
  SHA256: 773b3349fdbb3a90decde363815564f1eb0be1549650ec3cfd3f785f27e3d88e
  SHA512: 123db92c2616a2f913c91c6811cf8a375b69b3d71d40ab2633ca298cfda0aa863a3a3f106096f01cbfa01b7f0e56693babf04b1f7f0d7e90b405c9cf54147748