de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e

General

Target

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
Size

6.0MB
MD5

df472f90c33e6c341a74fe1ca29dac70
SHA1

d7512488de06b677751014bdc48302c179542558
SHA256

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e
SHA512

4257e88d9c6f5eec59d1da6749c386b3859be04159ec37aba2adb3704e5f2ce11ef3adfb086b86d1bea03db300e1d82cab08f266cf6fae4d8f929e71918ddcf9

Score

9^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Drops startup file 1 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2820 icacls.exe

pid	process
2820	icacls.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe

pid process

656 de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe

Drops file in Program Files directory 11925 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.contrast-white_scale-100.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\MusicStoreLogo.scale-200_contrast-white.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Content\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.properties	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Resources\RequiredPrintCapabilities.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\images\OfficeIcon.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\PSS10O.CHM	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-200_8wekyb3d8bbwe	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Oval.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.smile.small.scale-200.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\jfr\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ul-oob.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_BG-BG.respack	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\README.txt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HeroHelp\Scenario2.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-150.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\13s.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\MSBuild\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-125.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\SmallTile.scale-125.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionLargeTile.scale-200.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-100_8wekyb3d8bbwe\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\TriPeaks\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-400.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_10h.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Google\Chrome\Application\86.0.4240.111\default_apps\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.White.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.ELM	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\ResetCoord.scale-180.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10910_40x40x32.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\SmallTile.scale-125.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\mask\12s.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3392 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3128 vssadmin.exe

pid	process
3392	schtasks.exe

pid	process
3128	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 112 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe

pid	process
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	536	vssvc.exe
Token: SeRestorePrivilege	536	vssvc.exe
Token: SeAuditPrivilege	536	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3872	WMIC.exe
Token: SeSecurityPrivilege	3872	WMIC.exe
Token: SeTakeOwnershipPrivilege	3872	WMIC.exe
Token: SeLoadDriverPrivilege	3872	WMIC.exe
Token: SeSystemProfilePrivilege	3872	WMIC.exe
Token: SeSystemtimePrivilege	3872	WMIC.exe
Token: SeProfSingleProcessPrivilege	3872	WMIC.exe
Token: SeIncBasePriorityPrivilege	3872	WMIC.exe
Token: SeCreatePagefilePrivilege	3872	WMIC.exe
Token: SeBackupPrivilege	3872	WMIC.exe
Token: SeRestorePrivilege	3872	WMIC.exe
Token: SeShutdownPrivilege	3872	WMIC.exe
Token: SeDebugPrivilege	3872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3872	WMIC.exe
Token: SeRemoteShutdownPrivilege	3872	WMIC.exe
Token: SeUndockPrivilege	3872	WMIC.exe
Token: SeManageVolumePrivilege	3872	WMIC.exe
Token: 33	3872	WMIC.exe
Token: 34	3872	WMIC.exe
Token: 35	3872	WMIC.exe
Token: 36	3872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3872	WMIC.exe
Token: SeSecurityPrivilege	3872	WMIC.exe
Token: SeTakeOwnershipPrivilege	3872	WMIC.exe
Token: SeLoadDriverPrivilege	3872	WMIC.exe
Token: SeSystemProfilePrivilege	3872	WMIC.exe
Token: SeSystemtimePrivilege	3872	WMIC.exe
Token: SeProfSingleProcessPrivilege	3872	WMIC.exe
Token: SeIncBasePriorityPrivilege	3872	WMIC.exe
Token: SeCreatePagefilePrivilege	3872	WMIC.exe
Token: SeBackupPrivilege	3872	WMIC.exe
Token: SeRestorePrivilege	3872	WMIC.exe
Token: SeShutdownPrivilege	3872	WMIC.exe
Token: SeDebugPrivilege	3872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3872	WMIC.exe
Token: SeRemoteShutdownPrivilege	3872	WMIC.exe
Token: SeUndockPrivilege	3872	WMIC.exe
Token: SeManageVolumePrivilege	3872	WMIC.exe
Token: 33	3872	WMIC.exe
Token: 34	3872	WMIC.exe
Token: 35	3872	WMIC.exe
Token: 36	3872	WMIC.exe

Suspicious use of WriteProcessMemory 78 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 656 wrote to memory of 3196	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 3196	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 3196	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 3196 wrote to memory of 3392	3196	cmd.exe	schtasks.exe
PID 3196 wrote to memory of 3392	3196	cmd.exe	schtasks.exe
PID 3196 wrote to memory of 3392	3196	cmd.exe	schtasks.exe
PID 656 wrote to memory of 2536	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 2536	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 2536	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 2536 wrote to memory of 2928	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2928	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2928	2536	cmd.exe	reg.exe
PID 656 wrote to memory of 648	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 648	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 648	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 648 wrote to memory of 420	648	cmd.exe	reg.exe
PID 648 wrote to memory of 420	648	cmd.exe	reg.exe
PID 648 wrote to memory of 420	648	cmd.exe	reg.exe
PID 656 wrote to memory of 588	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 588	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 588	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 588 wrote to memory of 204	588	cmd.exe	reg.exe
PID 588 wrote to memory of 204	588	cmd.exe	reg.exe
PID 588 wrote to memory of 204	588	cmd.exe	reg.exe
PID 656 wrote to memory of 184	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 184	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 184	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 184 wrote to memory of 516	184	cmd.exe	reg.exe
PID 184 wrote to memory of 516	184	cmd.exe	reg.exe
PID 184 wrote to memory of 516	184	cmd.exe	reg.exe
PID 656 wrote to memory of 1760	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 1760	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 1760	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 1760 wrote to memory of 1956	1760	cmd.exe	reg.exe
PID 1760 wrote to memory of 1956	1760	cmd.exe	reg.exe
PID 1760 wrote to memory of 1956	1760	cmd.exe	reg.exe
PID 656 wrote to memory of 2316	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 2316	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 2316	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 2316 wrote to memory of 3548	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 3548	2316	cmd.exe	reg.exe
PID 2316 wrote to memory of 3548	2316	cmd.exe	reg.exe
PID 656 wrote to memory of 1332	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 1332	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 1332	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 1332 wrote to memory of 3044	1332	cmd.exe	reg.exe
PID 1332 wrote to memory of 3044	1332	cmd.exe	reg.exe
PID 1332 wrote to memory of 3044	1332	cmd.exe	reg.exe
PID 656 wrote to memory of 4024	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 4024	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 4024	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 4024 wrote to memory of 1344	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 1344	4024	cmd.exe	reg.exe
PID 4024 wrote to memory of 1344	4024	cmd.exe	reg.exe
PID 656 wrote to memory of 2612	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 2612	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 656 wrote to memory of 2612	656	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe	cmd.exe
PID 2612 wrote to memory of 3724	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 3724	2612	cmd.exe	cmd.exe
PID 2612 wrote to memory of 3724	2612	cmd.exe	cmd.exe
PID 3724 wrote to memory of 3128	3724	cmd.exe	vssadmin.exe
PID 3724 wrote to memory of 3128	3724	cmd.exe	vssadmin.exe
PID 3724 wrote to memory of 3128	3724	cmd.exe	vssadmin.exe
PID 2612 wrote to memory of 3872	2612	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe
"C:\Users\Admin\AppData\Local\Temp\de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.bin.exe"
1⤵
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR %temp%/FonixCrypter.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\Users\Admin\AppData\Local\Temp/FonixCrypter.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
3⤵
- Adds Run key to start application
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
3⤵
- Adds Run key to start application
PID:420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
3⤵
- Adds Run key to start application
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:184

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
3⤵
- Adds Run key to start application
PID:516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet/ & icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:3128

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Modifies file permissions
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpriv.key %appdata%\Cpriv.key
2⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpub.key %appdata%\Cpub.key
2⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy SystemID %appdata%\SystemID
2⤵
PID:4016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:536

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File Deletion

2

T1107

File Permissions Modification

1

T1222

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cpriv.key
MD5
8ce08b533e91855c792e3be1cf5516e1

SHA1
58a009307d684a23852065c6adc042fa85dc8d05

SHA256
76ee371f2d5cf5aaeb05755d2edd5c0f1a7336118928499e1869df854d5975e8

SHA512
cec685ea142354f1549c564238fd48e6c44525bc1cd62c43c2f89b71c77273b4581daabba83dc8d33ae9d0aa7c04e7b039757f079f893bef0fe71f1fa6440610

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpub.key
MD5
c65012cdbbfee0b3dfd907c22e34f0fd

SHA1
56f4d0d16eec4d975be94ba8f11c1603b61632ac

SHA256
bff3cec36290a3877b85de2afdc2081046d8307b029e52b2a0c185032f65a623

SHA512
e198231f15f6b4d12bbc21430292393da935b2d47d5cd0b17d120451e5ab34bf7dfbcbf863d6d5617901f47e90681b60bb47b99d374fc41f9dbd62faf0ee60f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemID
MD5
f9098c590680e3f168ee2f1f29b57524

SHA1
da477ac775f74dbbcda0755b0189684c07ce7278

SHA256
a6139df262ba042d8e3576ef97988773038b3068c04eae523365fc253491fd27

SHA512
b4867daa2b279ebac8246c9b3616154a1fcbf67bed02c50729e607473e76735f282390123ee95eacd55ef6604da1dd17dbfc2f29eed9ec45f498b424da964016

Download Submit
C:\Users\Admin\AppData\Roaming\Cpriv.key
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Cpriv.key
MD5
8ce08b533e91855c792e3be1cf5516e1

SHA1
58a009307d684a23852065c6adc042fa85dc8d05

SHA256
76ee371f2d5cf5aaeb05755d2edd5c0f1a7336118928499e1869df854d5975e8

SHA512
cec685ea142354f1549c564238fd48e6c44525bc1cd62c43c2f89b71c77273b4581daabba83dc8d33ae9d0aa7c04e7b039757f079f893bef0fe71f1fa6440610

Download Submit
C:\Users\Admin\AppData\Roaming\Cpub.key
MD5
c65012cdbbfee0b3dfd907c22e34f0fd

SHA1
56f4d0d16eec4d975be94ba8f11c1603b61632ac

SHA256
bff3cec36290a3877b85de2afdc2081046d8307b029e52b2a0c185032f65a623

SHA512
e198231f15f6b4d12bbc21430292393da935b2d47d5cd0b17d120451e5ab34bf7dfbcbf863d6d5617901f47e90681b60bb47b99d374fc41f9dbd62faf0ee60f0

Download Submit
C:\Users\Admin\AppData\Roaming\Cpub.key
MD5
c65012cdbbfee0b3dfd907c22e34f0fd

SHA1
56f4d0d16eec4d975be94ba8f11c1603b61632ac

SHA256
bff3cec36290a3877b85de2afdc2081046d8307b029e52b2a0c185032f65a623

SHA512
e198231f15f6b4d12bbc21430292393da935b2d47d5cd0b17d120451e5ab34bf7dfbcbf863d6d5617901f47e90681b60bb47b99d374fc41f9dbd62faf0ee60f0

Download Submit
C:\Users\Admin\AppData\Roaming\SystemID
MD5
f9098c590680e3f168ee2f1f29b57524

SHA1
da477ac775f74dbbcda0755b0189684c07ce7278

SHA256
a6139df262ba042d8e3576ef97988773038b3068c04eae523365fc253491fd27

SHA512
b4867daa2b279ebac8246c9b3616154a1fcbf67bed02c50729e607473e76735f282390123ee95eacd55ef6604da1dd17dbfc2f29eed9ec45f498b424da964016

Download Submit
memory/184-8-0x0000000000000000-mapping.dmp

Download
memory/204-7-0x0000000000000000-mapping.dmp

Download
memory/420-5-0x0000000000000000-mapping.dmp

Download
memory/516-9-0x0000000000000000-mapping.dmp

Download
memory/588-6-0x0000000000000000-mapping.dmp

Download
memory/648-4-0x0000000000000000-mapping.dmp

Download
memory/656-18-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/656-19-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/656-20-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/656-41-0x0000000003F40000-0x0000000003F41000-memory.dmp

Filesize
4KB

Download
memory/656-42-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/1148-133-0x0000000000000000-mapping.dmp

Download
memory/1332-14-0x0000000000000000-mapping.dmp

Download
memory/1344-17-0x0000000000000000-mapping.dmp

Download
memory/1760-10-0x0000000000000000-mapping.dmp

Download
memory/1956-11-0x0000000000000000-mapping.dmp

Download
memory/2316-12-0x0000000000000000-mapping.dmp

Download
memory/2536-2-0x0000000000000000-mapping.dmp

Download
memory/2612-128-0x0000000000000000-mapping.dmp

Download
memory/2820-132-0x0000000000000000-mapping.dmp

Download
memory/2928-3-0x0000000000000000-mapping.dmp

Download
memory/3044-15-0x0000000000000000-mapping.dmp

Download
memory/3128-130-0x0000000000000000-mapping.dmp

Download
memory/3196-0-0x0000000000000000-mapping.dmp

Download
memory/3216-136-0x0000000000000000-mapping.dmp

Download
memory/3392-1-0x0000000000000000-mapping.dmp

Download
memory/3548-13-0x0000000000000000-mapping.dmp

Download
memory/3724-129-0x0000000000000000-mapping.dmp

Download
memory/3872-131-0x0000000000000000-mapping.dmp

Download
memory/4016-139-0x0000000000000000-mapping.dmp

Download
memory/4024-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads