Resubmissions

  Submitted          ID                  Score
  17-01-2021 17:20   210117-42l4186m4a   10
  17-01-2021 17:16   210117-436yb29wwa   10
  11-01-2021 07:41   210111-s6ytr1ebc2   10

Analysis

  max time kernel    151s
  max time network   24s
  platform           windows7_x64
  resource           win7v20201028
  submitted          11-01-2021 07:41
Static task
static1
Behavioral task
behavioral1
Sample
6275a839b5071bf445539c8652d2b13b.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
6275a839b5071bf445539c8652d2b13b.exe
Resource
win10v20201028
General
-
Target
6275a839b5071bf445539c8652d2b13b.exe
-
Size
1.0MB
-
MD5
6275a839b5071bf445539c8652d2b13b
-
SHA1
1e0946ea29e3eca33384ccab5a627d778a6e612d
-
SHA256
f0aec57001a184ea82122a59c6e5be48042f75d6f11a40125995ba9531aab718
-
SHA512
f31006c16dc31548283a4434ee4e13e878a24d10c1963d6b81083862a8cd544004612886e77774e3072481fee0411665d6db6ca8d5e25b9e8e72e7252603d677
Malware Config
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  pid   process
  1744  bcdedit.exe
  924   bcdedit.exe
-
Deletes backup catalog
Processes:
  pid   process
  436   wbadmin.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 6275a839b5071bf445539c8652d2b13b.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldfwV = "C:\\Users\\Admin\\ldfwV.url"
The Run value does not point at the executable itself but at a .url Internet-shortcut file dropped in the user profile, so a hunt for Run entries that reference an .exe would miss it; look for Run values whose target is a .url, .lnk or other non-executable file in a user-writable location.
-
Drops desktop.ini file(s) 5 IoCs
Processes: ieinstal.exe
  File opened for modification C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini
  File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  File opened for modification C:\Program Files\desktop.ini
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  File opened for modification C:\Program Files (x86)\desktop.ini
-
Drops file in Program Files directory 12654 IoCs
Processes: ieinstal.exe (all entries; the report shows the sample below of its 12654 IoCs)
Encrypted copies carry the suffix .id[EC32CAC3-2275].[helprecover@foxmail.com].help appended to the original name and extension, so EC32CAC3 is the per-victim identifier and helprecover@foxmail.com the contact address for this run; "File opened for modification" entries on unsuffixed names are the originals being read and overwritten.
  File created C:\Program Files\Java\jre7\lib\zi\Asia\Damascus.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\extensibility.dll
  File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files\Java\jre7\lib\zi\America\Thule.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_orange.png
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUI.XML
  File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf
  File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00726_.WMF.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107024.WMF.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238333.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239953.WMF
  File opened for modification C:\Program Files (x86)\Internet Explorer\DiagnosticsTap.dll
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187647.WMF
  File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-sendopts.jar
  File created C:\Program Files\Java\jre7\COPYRIGHT.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files\Java\jre7\lib\ext\dnsns.jar.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\Java\jre7\lib\jfxrt.jar.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\SETUP.XML.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OSetupPS.dll.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif
  File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files\Java\jre7\bin\dt_socket.dll.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00524_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00799_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP
  File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll
  File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html
  File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll
  File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.SYD.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099179.WMF
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\Java\jre7\bin\jp2iexp.dll
  File created C:\Program Files\Java\jre7\lib\zi\Pacific\Pitcairn.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\mip.exe.mui
  File opened for modification C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_sr.dll
  File created C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File created C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll
  File opened for modification C:\Program Files\Windows Journal\Templates\Genko_2.jtp
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
  File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider.png
  File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00546_.WMF.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF
  File opened for modification C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui
  File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html.id[EC32CAC3-2275].[helprecover@foxmail.com].help
  File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm
-
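The file names in the listing above all follow one pattern: the original name (extension included), then .id[<8 hex chars>-<4 digits>], then the contact address in brackets, then the appended extension. The Python below is an added example, not code from the report or from the sandbox vendor: it parses that pattern, separates encrypted copies from untouched files, and pulls out the campaign markers (the per-victim id, the contact address, the appended extension) so a responder can confirm that every host in an incident carries the same id and contact. The field labels victim_id and key_id are descriptive names chosen here, not names the report uses; the regex deliberately accepts other contacts and appended extensions because those vary between Phobos runs. The sample paths are copied from the IoC listing above.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Phobos-style name, e.g. (from the report above)
#   d3dcompiler_47.dll.id[EC32CAC3-2275].[helprecover@foxmail.com].help
# Group names are labels chosen for this example, not the report's terminology.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"                  # original file name, extension included
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})"  # 8 hex chars: per-victim identifier
    r"-(?P<key_id>\d{4})\]"                 # 4 digits after the dash
    r"\.\[(?P<contact>[^\]\\/]+)\]"         # contact address in square brackets
    r"\.(?P<ext>[A-Za-z0-9]+)$"             # appended extension (".help" in this run)
)


class EncryptedName(NamedTuple):
    original: str
    victim_id: str
    key_id: str
    contact: str
    ext: str


def parse_phobos_name(filename: str) -> Optional[EncryptedName]:
    """Return the parsed fields for a Phobos-style file name, or None if it does not match."""
    m = PHOBOS_NAME.match(filename)
    if not m:
        return None
    return EncryptedName(m["original"], m["victim_id"].upper(), m["key_id"], m["contact"], m["ext"])


def basename(path: str) -> str:
    # Accept both separators so paths pasted from reports or from Linux-mounted images work.
    return re.split(r"[\\/]", path)[-1]


def summarize_encrypted(paths: List[str]) -> Dict[str, object]:
    """Triage a list of file paths: which are encrypted copies, which are untouched,
    and which victim ids / contacts / extensions appear (one run should show one of each)."""
    encrypted: List[Tuple[str, EncryptedName]] = []
    untouched: List[str] = []
    for p in paths:
        parsed = parse_phobos_name(basename(p))
        if parsed:
            encrypted.append((p, parsed))
        else:
            untouched.append(p)
    return {
        "encrypted": encrypted,
        "untouched": untouched,
        "victim_ids": sorted({e.victim_id for _, e in encrypted}),
        "contacts": sorted({e.contact for _, e in encrypted}),
        "extensions": sorted({e.ext for _, e in encrypted}),
        # Which original file types were hit (empty string = no extension, e.g. COPYRIGHT).
        "original_extensions": Counter(
            e.original.rsplit(".", 1)[-1].lower() if "." in e.original else ""
            for _, e in encrypted
        ),
    }


# Paths copied from the report's "Drops file in Program Files directory" listing.
SAMPLE_PATHS = [
    r"C:\Program Files\Java\jre7\lib\zi\Asia\Damascus.id[EC32CAC3-2275].[helprecover@foxmail.com].help",
    r"C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll.id[EC32CAC3-2275].[helprecover@foxmail.com].help",
    r"C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll",
    r"C:\Program Files\Java\jre7\COPYRIGHT.id[EC32CAC3-2275].[helprecover@foxmail.com].help",
    r"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar.id[EC32CAC3-2275].[helprecover@foxmail.com].help",
    r"C:\Program Files (x86)\Internet Explorer\DiagnosticsTap.dll",
]

if __name__ == "__main__":
    summary = summarize_encrypted(SAMPLE_PATHS)
    print(f"encrypted={len(summary['encrypted'])} untouched={len(summary['untouched'])}")
    print("victim ids:", summary["victim_ids"], "contacts:", summary["contacts"], "ext:", summary["extensions"])
    for path, fields in summary["encrypted"]:
        print(f"  {fields.original:<60} <- {basename(path)}")
```

Run it over a recursive directory listing of an affected host (one path per line) to get the same summary; more than one victim id or contact in the output means more than one run or more than one actor touched the host.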
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  516   vssadmin.exe
-
Modifies system certificate store 2 IoCs
Processes: 6275a839b5071bf445539c8652d2b13b.exe
  Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the DST Root CA X3 root certificate. Entries under AuthRoot\Certificates are normally written by Windows' automatic root-certificate update the first time a process validates a chain ending in a root that is not yet cached locally (the sample's WinHTTP request below is the likely trigger), so on its own this signature is weak evidence of malicious intent.
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
  flow  description             ioc
  14    HTTP User-Agent header  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  13    HTTP User-Agent header  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default User-Agent of the WinHttpRequest COM object. Script hosts (VBScript, JScript) commonly use it, but native code can instantiate the same object through COM, so the string identifies the HTTP stack rather than proving a script host was involved.
-
Suspicious behavior: EnumeratesProcesses 213 IoCs
Processes:
  pid   process
  1504  ieinstal.exe  (the same entry is repeated for every listed IoC)
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
  pid   process       privileges enabled via AdjustPrivilegeToken
  1504  ieinstal.exe  SeDebugPrivilege
  1648  vssvc.exe     SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  1180  WMIC.exe      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (this set of 20 is recorded twice; 33, 34 and 35 are privilege LUIDs the report leaves unnamed)
  524   wbengine.exe  SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
  source pid  source process                         target pid  target process  count
  1744        6275a839b5071bf445539c8652d2b13b.exe   1504        ieinstal.exe    19
  1504        ieinstal.exe                           1548        cmd.exe         4
  1548        cmd.exe                                516         vssadmin.exe    3
  1548        cmd.exe                                1180        WMIC.exe        3
  1548        cmd.exe                                1744        bcdedit.exe     3
  1548        cmd.exe                                924         bcdedit.exe     3
  1548        cmd.exe                                436         wbadmin.exe     3
Processes
-
C:\Users\Admin\AppData\Local\Temp\6275a839b5071bf445539c8652d2b13b.exe  (pid 1744)
  "C:\Users\Admin\AppData\Local\Temp\6275a839b5071bf445539c8652d2b13b.exe"
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  -
  C:\Program Files (x86)\internet explorer\ieinstal.exe  (pid 1504)
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\cmd.exe  (pid 1548)
      "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\system32\vssadmin.exe  (pid 516)
        vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      -
      C:\Windows\System32\Wbem\WMIC.exe  (pid 1180)
        wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
      -
      C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
      -
      C:\Windows\system32\bcdedit.exe
        bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
      -
      C:\Windows\system32\wbadmin.exe  (pid 436)
        wbadmin delete catalog -quiet
        - Deletes backup catalog
-
C:\Windows\system32\vssvc.exe  (pid 1648)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe  (pid 524)
  "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exe
  C:\Windows\System32\vdsldr.exe -Embedding
-
C:\Windows\System32\vds.exe
  C:\Windows\System32\vds.exe

Reading the tree: the sample (pid 1744) starts Microsoft's ieinstal.exe from its Internet Explorer install location and writes into it 19 times (see the WriteProcessMemory section), and it is that ieinstal.exe process, not the sample, that encrypts files, touches the desktop.ini files and spawns the cmd.exe that runs the five recovery-inhibition commands; detection logic keyed only on the dropped executable's name will therefore miss the encryption activity. The two bcdedit.exe children are recorded as pids 1744 and 924, and 1744 is also the sample's own pid: Windows reuses a pid once the process holding it exits, so the sample had already terminated by the time cmd.exe launched bcdedit. When reconstructing this chain from endpoint logs, correlate on process start time or a stable process identifier (for example Sysmon's ProcessGuid) rather than on pid alone. vssvc.exe (Volume Shadow Copy service), wbengine.exe (Windows Backup engine), vdsldr.exe and vds.exe (Virtual Disk Service) are service-hosted processes that the vssadmin, wmic and wbadmin calls cause the service control manager to start; they sit at the top level because they are not children of the sample.
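The recovery-inhibition commands in the tree are a reliable detection target because all five land under one ancestry, and because deleting shadow copies, disabling Windows recovery and wiping the backup catalog within seconds of each other has no normal administrative explanation. The Python below is an added example, not code from the report or from the sandbox vendor. It replays constructed Sysmon-style process-creation records that mirror this tree (pids and command lines are the report's; the GUIDs, the pairing of pid 1744 and 924 with the two bcdedit command lines, and the two unrelated processes at the end are invented), matches recovery-inhibition command lines, groups the matches by their root ancestor using the stable process identifier rather than the pid, and alerts only when several distinct techniques share one root. The reused pid 1744 is included to show why keying on pid alone would attribute one bcdedit launch to the wrong process.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    guid: str                       # stable per-process identity; pids are reused after exit
    pid: int
    image: str
    cmdline: str
    parent_guid: Optional[str] = None


# Command-line patterns for the recovery-inhibition steps seen in the process tree
# (ATT&CK T1490, Inhibit System Recovery). They match on arguments rather than on the
# image path, so renamed or copied binaries are still caught.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin_delete_shadows",    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete",     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recoveryenabled_no", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("bcdedit_ignoreallfailures",  re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.I)),
    ("wbadmin_delete_catalog",     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b\s+catalog\b", re.I)),
]


def match_rules(cmdline: str) -> List[str]:
    return [name for name, rx in RECOVERY_INHIBIT_RULES if rx.search(cmdline)]


def root_of(guid: str, by_guid: Dict[str, ProcEvent]) -> ProcEvent:
    """Walk parent links (by GUID, never by pid) to the top-most process we have a record for."""
    ev, seen = by_guid[guid], set()
    while ev.parent_guid in by_guid and ev.guid not in seen:
        seen.add(ev.guid)
        ev = by_guid[ev.parent_guid]
    return ev


def find_inhibit_chains(events: List[ProcEvent], min_rules: int = 2) -> List[dict]:
    """Group recovery-inhibition commands by the root ancestor that spawned them and alert
    when one ancestry accounts for at least min_rules distinct techniques."""
    by_guid = {e.guid: e for e in events}
    hits = defaultdict(lambda: {"rules": set(), "commands": []})
    for ev in events:
        names = match_rules(ev.cmdline)
        if not names:
            continue
        root = root_of(ev.guid, by_guid)
        hits[root.guid]["rules"].update(names)
        hits[root.guid]["commands"].append((ev.pid, ev.cmdline))
    alerts = []
    for root_guid, h in hits.items():
        if len(h["rules"]) >= min_rules:
            root = by_guid[root_guid]
            alerts.append({"root_guid": root_guid, "root_pid": root.pid, "root_image": root.image,
                           "rules": sorted(h["rules"]), "commands": h["commands"]})
    return alerts


def reused_pids(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """pids that appear on more than one record; correlating on pid alone would merge these."""
    seen = defaultdict(list)
    for e in events:
        seen[e.pid].append(e.guid)
    return {pid: guids for pid, guids in seen.items() if len(guids) > 1}


# Constructed events mirroring the report's tree. GUIDs are invented; the bcdedit pid pairing
# is an assumption; the last three records are invented benign/unrelated activity.
S = r"C:\Users\Admin\AppData\Local\Temp\6275a839b5071bf445539c8652d2b13b.exe"
SAMPLE_EVENTS = [
    ProcEvent("g-sample",    1744, S, f'"{S}"'),
    ProcEvent("g-ieinstal",  1504, r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
              '"C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"', "g-sample"),
    ProcEvent("g-cmd",       1548, r"C:\Windows\system32\cmd.exe", '"C:\\Windows\\system32\\cmd.exe"', "g-ieinstal"),
    ProcEvent("g-vssadmin",   516, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet", "g-cmd"),
    ProcEvent("g-wmic",      1180, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete", "g-cmd"),
    ProcEvent("g-bcdedit1",  1744, r"C:\Windows\system32\bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "g-cmd"),
    ProcEvent("g-bcdedit2",   924, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no", "g-cmd"),
    ProcEvent("g-wbadmin",    436, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet", "g-cmd"),
    # Must not alert at the default threshold: a listing, and one deletion with no other technique.
    ProcEvent("g-list",      3000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
    ProcEvent("g-admin",     3100, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
    ProcEvent("g-admin-vss", 3101, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /for=D: /quiet", "g-admin"),
]

if __name__ == "__main__":
    for a in find_inhibit_chains(SAMPLE_EVENTS):
        print(f"ALERT root pid {a['root_pid']} {a['root_image']}: {', '.join(a['rules'])}")
        for pid, cmd in a["commands"]:
            print(f"    {pid:>5}  {cmd}")
    print("pids reused:", reused_pids(SAMPLE_EVENTS))
```

The threshold of two distinct techniques per ancestry keeps a lone administrative vssadmin delete from paging anyone, while the Phobos chain trips all five. In production, add a time window per root and feed the function from Sysmon Event ID 1 (ProcessGuid/ParentProcessGuid) or Windows 4688 with the creator process ID plus start time.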
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/436-16-0x0000000000000000-mapping.dmp
- memory/516-12-0x0000000000000000-mapping.dmp
- memory/920-2-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp  (filesize 2.5MB)
- memory/924-15-0x0000000000000000-mapping.dmp
- memory/1180-13-0x0000000000000000-mapping.dmp
- memory/1504-5-0x0000000000150000-0x0000000000151000-memory.dmp  (filesize 4KB)
- memory/1504-9-0x00000000002B0000-0x00000000002B1000-memory.dmp  (filesize 4KB)
- memory/1504-10-0x0000000000000000-mapping.dmp
- memory/1504-8-0x0000000000000000-mapping.dmp
- memory/1504-6-0x0000000000000000-mapping.dmp
- memory/1504-4-0x0000000000000000-mapping.dmp
- memory/1504-3-0x0000000000110000-0x0000000000111000-memory.dmp  (filesize 4KB)
- memory/1548-11-0x0000000000000000-mapping.dmp
- memory/1744-14-0x0000000000000000-mapping.dmp