phobos | 0c3f82d1f30a53fb34d63ab9ef7a964ee085059941642d0226fd34ba4f3184c6

General

Target

YxaezL5DP1ISnOG.exe
Size

208KB
MD5

4ba613da5bba6b5079b25dce5c6d90fc
SHA1

03365a85123e07eaab5019e92a23cf6d423c81cf
SHA256

0c3f82d1f30a53fb34d63ab9ef7a964ee085059941642d0226fd34ba4f3184c6
SHA512

a6d5ee3ca473473748d2b9a8e1f838b5b25b4d72b3310529a75f2483b847eec27e1118695d53cef0714e02eefdb2b8d71f180721907062f7a7c6ea3f6e44da55

Score

10^/10

ransomware evasion persistence spyware phobos

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1816 bcdedit.exe
824 bcdedit.exe

pid	process
1816	bcdedit.exe
824	bcdedit.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

YxaezL5DP1ISnOG.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YxaezL5DP1ISnOG = "C:\\Users\\Admin\\AppData\\Local\\YxaezL5DP1ISnOG.exe"	YxaezL5DP1ISnOG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\YxaezL5DP1ISnOG = "C:\\Users\\Admin\\AppData\\Local\\YxaezL5DP1ISnOG.exe"	YxaezL5DP1ISnOG.exe

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

YxaezL5DP1ISnOG.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	1864	YxaezL5DP1ISnOG.exe
Token: SeBackupPrivilege	1608	vssvc.exe
Token: SeRestorePrivilege	1608	vssvc.exe
Token: SeAuditPrivilege	1608	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2020	WMIC.exe
Token: SeSecurityPrivilege	2020	WMIC.exe
Token: SeTakeOwnershipPrivilege	2020	WMIC.exe
Token: SeLoadDriverPrivilege	2020	WMIC.exe
Token: SeSystemProfilePrivilege	2020	WMIC.exe
Token: SeSystemtimePrivilege	2020	WMIC.exe
Token: SeProfSingleProcessPrivilege	2020	WMIC.exe
Token: SeIncBasePriorityPrivilege	2020	WMIC.exe
Token: SeCreatePagefilePrivilege	2020	WMIC.exe
Token: SeBackupPrivilege	2020	WMIC.exe
Token: SeRestorePrivilege	2020	WMIC.exe
Token: SeShutdownPrivilege	2020	WMIC.exe
Token: SeDebugPrivilege	2020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2020	WMIC.exe
Token: SeRemoteShutdownPrivilege	2020	WMIC.exe
Token: SeUndockPrivilege	2020	WMIC.exe
Token: SeManageVolumePrivilege	2020	WMIC.exe
Token: 33	2020	WMIC.exe
Token: 34	2020	WMIC.exe
Token: 35	2020	WMIC.exe
Token: SeBackupPrivilege	1692	wbengine.exe
Token: SeRestorePrivilege	1692	wbengine.exe
Token: SeSecurityPrivilege	1692	wbengine.exe

Deletes system backup catalog 2 TTPs
Ransomware often tries to delete backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops startup file 3 IoCs

Processes:

YxaezL5DP1ISnOG.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	YxaezL5DP1ISnOG.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

YxaezL5DP1ISnOG.exeYxaezL5DP1ISnOG.execmd.exeYxaezL5DP1ISnOG.exe

description	pid	process	target process
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1492 wrote to memory of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1864 wrote to memory of 268	1864	YxaezL5DP1ISnOG.exe	cmd.exe
PID 1864 wrote to memory of 268	1864	YxaezL5DP1ISnOG.exe	cmd.exe
PID 1864 wrote to memory of 268	1864	YxaezL5DP1ISnOG.exe	cmd.exe
PID 1864 wrote to memory of 268	1864	YxaezL5DP1ISnOG.exe	cmd.exe
PID 268 wrote to memory of 1248	268	cmd.exe	vssadmin.exe
PID 268 wrote to memory of 1248	268	cmd.exe	vssadmin.exe
PID 268 wrote to memory of 1248	268	cmd.exe	vssadmin.exe
PID 268 wrote to memory of 2020	268	cmd.exe	WMIC.exe
PID 268 wrote to memory of 2020	268	cmd.exe	WMIC.exe
PID 268 wrote to memory of 2020	268	cmd.exe	WMIC.exe
PID 268 wrote to memory of 1816	268	cmd.exe	bcdedit.exe
PID 268 wrote to memory of 1816	268	cmd.exe	bcdedit.exe
PID 268 wrote to memory of 1816	268	cmd.exe	bcdedit.exe
PID 268 wrote to memory of 824	268	cmd.exe	bcdedit.exe
PID 268 wrote to memory of 824	268	cmd.exe	bcdedit.exe
PID 268 wrote to memory of 824	268	cmd.exe	bcdedit.exe
PID 268 wrote to memory of 820	268	cmd.exe	wbadmin.exe
PID 268 wrote to memory of 820	268	cmd.exe	wbadmin.exe
PID 268 wrote to memory of 820	268	cmd.exe	wbadmin.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 wrote to memory of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

YxaezL5DP1ISnOG.exeYxaezL5DP1ISnOG.exe

description	pid	process	target process
PID 1492 set thread context of 1864	1492	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe
PID 1836 set thread context of 1276	1836	YxaezL5DP1ISnOG.exe	YxaezL5DP1ISnOG.exe

Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

820 wbadmin.exe

pid	process
820	wbadmin.exe

Drops desktop.ini file(s) 61 IoCs

Processes:

YxaezL5DP1ISnOG.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OT4YD26O\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1IGGBW8Z\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5Q8AAMSB\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\LUBVL9MG\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQD6DIKV\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZDAW0I3Y\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\557LH6Z9\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XGJ27KX4\desktop.ini	YxaezL5DP1ISnOG.exe

Suspicious behavior: EnumeratesProcesses 209 IoCs

Processes:

YxaezL5DP1ISnOG.exe

pid	process
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe
1864	YxaezL5DP1ISnOG.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1248 vssadmin.exe

pid	process
1248	vssadmin.exe

Drops file in Program Files directory 19446 IoCs

Processes:

YxaezL5DP1ISnOG.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152594.WMF.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue.css.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_pressed.gif	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00183_.WMF.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01751_.GIF	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14984_.GIF	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE03451_.WMF.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GRINTL32.DLL.IDX_DLL	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IPDESIGN.DLL.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBWIZ\PS2SWOOS.POC.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Smart Tag\METCONV.TXT.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21534_.GIF	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR42F.GIF.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left.gif	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mpjpeg_plugin.dll.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msadox.dll	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif	YxaezL5DP1ISnOG.exe
File created	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115863.GIF.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6F.GIF	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\Office14\FORMS\1033\EXITEML.ICO.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSTORES.DLL	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\librawdv_plugin.dll.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_ja.dll	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BS00443_.WMF	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange.css	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGMN044.XML.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\ContemporaryPhotoAlbum.potx	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152622.WMF	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107148.WMF	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0237225.WMF.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00494_.WMF.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Java\jre7\bin\msvcr100.dll.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\OIS_COL.HXC	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\POSTIT.CFG	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_cloudy.png	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_ButtonGraphic.png	YxaezL5DP1ISnOG.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR5F.GIF.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe
File created	C:\Program Files\Microsoft Office\Office14\FORMS\1033\DISTLSTS.ICO.id[43862FAE-2275].[[email protected]].help	YxaezL5DP1ISnOG.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\YxaezL5DP1ISnOG.exe
"C:\Users\Admin\AppData\Local\Temp\YxaezL5DP1ISnOG.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1492

C:\Users\Admin\AppData\Local\Temp\YxaezL5DP1ISnOG.exe
"{path}"
2⤵
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Drops startup file
- Suspicious use of WriteProcessMemory
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Drops file in Program Files directory
PID:1864

C:\Users\Admin\AppData\Local\Temp\YxaezL5DP1ISnOG.exe
"C:\Users\Admin\AppData\Local\Temp\YxaezL5DP1ISnOG.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1836

C:\Users\Admin\AppData\Local\Temp\YxaezL5DP1ISnOG.exe
"{path}"
4⤵
PID:1276

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1248

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1816

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:824

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:892

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:644

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Deletion

4

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

5

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-5-0x0000000000000000-mapping.dmp

Download
memory/820-10-0x0000000000000000-mapping.dmp

Download
memory/824-9-0x0000000000000000-mapping.dmp

Download
memory/1248-6-0x0000000000000000-mapping.dmp

Download
memory/1276-14-0x0000000000402E94-mapping.dmp

Download
memory/1492-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1816-8-0x0000000000000000-mapping.dmp

Download
memory/1864-2-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1864-3-0x0000000000402E94-mapping.dmp

Download
memory/1864-4-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2020-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads