Resubmissions
- 17-01-2021 17:20  210117-42l4186m4a  (score 10)
- 17-01-2021 17:16  210117-436yb29wwa  (score 10)
- 11-01-2021 07:41  210111-s6ytr1ebc2  (score 10)
Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-01-2021 07:41
Static task: static1
Behavioral task behavioral1: sample 6275a839b5071bf445539c8652d2b13b.exe, resource win7v20201028
Behavioral task behavioral2: sample 6275a839b5071bf445539c8652d2b13b.exe, resource win10v20201028
General
- Target: 6275a839b5071bf445539c8652d2b13b.exe
- Size: 1.0MB
- MD5: 6275a839b5071bf445539c8652d2b13b
- SHA1: 1e0946ea29e3eca33384ccab5a627d778a6e612d
- SHA256: f0aec57001a184ea82122a59c6e5be48042f75d6f11a40125995ba9531aab718
- SHA512: f31006c16dc31548283a4434ee4e13e878a24d10c1963d6b81083862a8cd544004612886e77774e3072481fee0411665d6db6ca8d5e25b9e8e72e7252603d677
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  PID 2428 created 2600 | 2428 | svchost.exe | ieinstal.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes (pid | process):
  2592 | bcdedit.exe
  4032 | bcdedit.exe
- Deletes backup catalog
  Processes (pid | process):
  3740 | wbadmin.exe
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
  File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ieinstal.exe | ieinstal.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Two distinct persistence paths are visible here: the loader registers a .url shortcut under the user's Run key, while the injected ieinstal.exe registers a copy of itself from %LOCALAPPDATA% (not the Internet Explorer directory it was started from) under both the HKLM and the HKU Run keys; the HKLM write implies it had write access to the machine hive.
  Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldfwV = "C:\\Users\\Admin\\ldfwV.url" | 6275a839b5071bf445539c8652d2b13b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe" | ieinstal.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe" | ieinstal.exe
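The Run-key lines above are the kind of IoC a triage script should parse and score rather than eyeball. The following is an added example written for this page (not code from the sandbox or from the malware): it parses lines in the exact shape the report prints them, unescapes the doubled backslashes in the data column, and flags an autostart target that lives outside the Windows and Program Files roots, inside a user profile, or is a file type the Run key launches through a shell file association (such as the .url above) instead of as an executable. The first three sample lines are copied from this report; the fourth is a constructed benign control.

```python
import ntpath
import re

# Run-key IoC lines in the shape the sandbox printed them. The first three are
# copied from this report; the fourth is an invented benign control
# (constructed for this example) that must not be flagged.
SAMPLE_RUN_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ldfwV = "C:\\Users\\Admin\\ldfwV.url" 6275a839b5071bf445539c8652d2b13b.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe" ieinstal.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ieinstal = "C:\\Users\\Admin\\AppData\\Local\\ieinstal.exe" ieinstal.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate = "C:\\Program Files\\Vendor\\updater.exe" setup.exe',
]

# One line: Set value (<type>) \REGISTRY\<hive>[\<sid>]\...\CurrentVersion\Run\<name> = "<data>" <process>
# The data column has its backslashes doubled, as in the report.
RUN_LINE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'\\REGISTRY\\(?P<hive>USER|MACHINE)'
    r'(?:\\(?P<sid>S-1-5-21-[\d-]+))?'
    r'\\.*?\\CurrentVersion\\Run'
    r'\\(?P<name>[^\\ ]+) = "(?P<data>.*)" (?P<process>\S+)$'
)

HIVES = {"USER": "HKU", "MACHINE": "HKLM"}
# Roots where an autostart target is expected to live; anything else is a
# user-writable location and worth a look.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Extensions the Run key launches via the shell's file association, so the
# real payload is whatever the file points at, not the file itself.
SHELL_LAUNCHED = {".url", ".lnk", ".hta", ".vbs", ".js", ".bat", ".cmd"}


def assess_run_value(line):
    """Parse one Run-key IoC line and list why its target looks suspicious."""
    m = RUN_LINE.match(line)
    if not m:
        raise ValueError("not a Run-key IoC line: " + line)
    path = m.group("data").replace("\\\\", "\\")  # undo the sandbox's escaping
    lower = path.lower()
    reasons = []
    if not lower.startswith(SYSTEM_ROOTS):
        reasons.append("outside_system_roots")
    if lower.startswith("c:\\users\\"):
        reasons.append("user_profile_path")
    if ntpath.splitext(lower)[1] in SHELL_LAUNCHED:
        reasons.append("shell_launched_file")
    return {
        "hive": HIVES[m.group("hive")],
        "sid": m.group("sid"),          # None for HKLM entries
        "name": m.group("name"),
        "path": path,
        "process": m.group("process"),  # the process that wrote the value
        "reasons": reasons,
    }


def suspicious_run_values(lines):
    """Keep only the entries that carry at least one reason."""
    return [r for r in (assess_run_value(l) for l in lines) if r["reasons"]]


if __name__ == "__main__":
    for r in suspicious_run_values(SAMPLE_RUN_IOCS):
        print(r["hive"], r["name"], "->", r["path"], r["reasons"], "written by", r["process"])
```

Run against the four sample lines it reports the three entries from this analysis and stays silent on the Program Files control; in a real pipeline the `process` field is the pivot, since a Run value written by a process that is itself running from a user profile is the stronger signal.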
- Drops desktop.ini file(s) (4 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini | ieinstal.exe
  File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini | ieinstal.exe
  File opened for modification | C:\Program Files\desktop.ini | ieinstal.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | ieinstal.exe
- Drops file in Program Files directory (10383 IoCs)
  Every encrypted file is written as <original name>.id[49A8FE73-2275].[helprecover@foxmail.com].help, so the victim ID (49A8FE73-2275), the operator's contact address and the appended extension can be recovered from any one renamed file on a victim host. "File opened for modification" entries on plain paths are the originals being read or overwritten before the rename; one entry (WWLIB.DLL) shows an already-renamed file being opened again.
  Processes (description | ioc); the process column is ieinstal.exe for every entry; first 64 of 10383 shown:
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms
  File created | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PNG32.FLT
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\accessibility.properties
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\jsoundds.dll
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dll.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml
  File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\ReportingServicesNativeClient.dll.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_sw.dll
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul.xrm-ms
  File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML
  File created | C:\Program Files\7-Zip\Lang\hr.txt.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Java\jdk1.8.0_66\jre\bin\w2k_lsa_auth.dll.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.app_1.3.200.v20130910-1609.jar.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark@4x.png
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\LICENSE
  File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ppd.xrm-ms
  File created | C:\Program Files\Microsoft Office\root\Office16\Tec.dll.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml
  File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ul-phn.xrm-ms
  File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\office.dll.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.ELM
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_col.hxc
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar.id[49A8FE73-2275].[helprecover@foxmail.com].help
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar
  File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ppd.xrm-ms.id[49A8FE73-2275].[helprecover@foxmail.com].help
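The renamed paths in this list carry the campaign identifiers, and pulling them out is a parsing job worth automating for incident response. The block below is an added example for this page, not code from the sandbox or from Phobos itself; its regex is this editor's reconstruction of the naming scheme from the paths shown (<original>.id[<8 hex>-<4 hex>].[<contact>].<ext>), the field names are assumptions, and the five sample IoC lines are copied verbatim from the list above. It parses the sandbox's "File created / File opened for modification <path> <process>" lines, separates encrypted files from untouched ones, and aggregates victim ID, contact address, extension and the encrypting process.

```python
import re
from collections import Counter

# Phobos names every encrypted file <original>.id[<victim id>-<variant>].[<contact>].<ext>.
# This regex is this editor's reconstruction of that scheme from the report's
# paths; it is not code from the sandbox or from the malware.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<variant>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<extension>[A-Za-z0-9]+)$"
)

ACTIONS = ("File created", "File opened for modification")

# Sample input: five IoC lines copied verbatim from the list above.
SAMPLE_FILE_IOCS = [
    r"File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms ieinstal.exe",
    r"File created C:\Program Files\7-Zip\Lang\hr.txt.id[49A8FE73-2275].[helprecover@foxmail.com].help ieinstal.exe",
    r"File opened for modification C:\Program Files\Java\jdk1.8.0_66\LICENSE ieinstal.exe",
    r"File created C:\Program Files\Microsoft Office\root\Office16\Tec.dll.id[49A8FE73-2275].[helprecover@foxmail.com].help ieinstal.exe",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\WWLIB.DLL.id[49A8FE73-2275].[helprecover@foxmail.com].help ieinstal.exe",
]


def parse_phobos_name(path):
    """Split a Phobos-renamed path into its parts; None for an untouched file."""
    m = PHOBOS_NAME.match(path)
    return m.groupdict() if m else None


def parse_ioc_line(line):
    """Split '<action> <path> <process>' into its three columns.

    The path may contain spaces (Program Files), the process name never does,
    so the process is the last whitespace-separated token.
    """
    for action in ACTIONS:
        if line.startswith(action + " "):
            path, process = line[len(action) + 1:].rsplit(" ", 1)
            return {"action": action, "path": path, "process": process}
    raise ValueError("unrecognised file IoC line: " + line)


def summarize_encryption(lines):
    """Aggregate victim ID, contact, extension and encrypting process from file IoCs."""
    created, reopened = 0, 0
    victim_ids, contacts, extensions = set(), set(), set()
    processes, originals = Counter(), []
    for line in lines:
        ioc = parse_ioc_line(line)
        parts = parse_phobos_name(ioc["path"])
        if parts is None:
            continue  # plain path: an original opened before rename, or not encrypted
        if ioc["action"] == "File created":
            created += 1
        else:
            reopened += 1  # an already-renamed file touched again
        victim_ids.add(parts["victim_id"] + "-" + parts["variant"])
        contacts.add(parts["contact"])
        extensions.add(parts["extension"])
        processes[ioc["process"]] += 1
        originals.append(parts["original"])
    return {
        "encrypted_files_created": created,
        "encrypted_files_reopened": reopened,
        "victim_ids": sorted(victim_ids),
        "contacts": sorted(contacts),
        "extensions": sorted(extensions),
        "processes": dict(processes),
        "originals": originals,
    }


if __name__ == "__main__":
    for key, value in summarize_encryption(SAMPLE_FILE_IOCS).items():
        print(key, "=", value)
```

On a live host the same `parse_phobos_name` can be run over a directory walk instead of sandbox lines; the `originals` list is then the restore manifest, and a second victim ID or contact address showing up in one tree is a sign of a second infection rather than a parser bug.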
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments. Here all four reads are attributed to vds.exe, the Windows Virtual Disk Service (started on demand through vdsldr.exe -Embedding, see the process tree), so they are most likely that service enumerating disks rather than evasion by the sample itself; treat this signature as noise for this analysis.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
  2112 | vssadmin.exe
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment. This value is the default User-Agent of the WinHttpRequest COM object, which fits the loader's download stage; on its own it is a weak indicator, since legitimate scripts and installers send the same string.
  Processes (description | flow | ioc):
  HTTP User-Agent header | 24 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 23 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (472 IoCs)
  Processes (pid | process):
  2600 | ieinstal.exe (the same entry repeated for every IoC; list truncated)
- Suspicious use of AdjustPrivilegeToken (51 IoCs)
  Most of these are service and tool start-up behaviour: vssvc.exe and wbengine.exe take backup/restore privileges by design, and WMIC.exe enables every privilege in its token when it starts. The entry that matters is SeDebugPrivilege on the injected ieinstal.exe (PID 2600). The numeric entries 33, 34, 35 and 36 are privilege LUIDs the sandbox did not resolve (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege, SeDelegateSessionUserImpersonatePrivilege).
  Processes (description | pid | process):
  Token: SeTcbPrivilege | 2428 | svchost.exe (2 times)
  Token: SeDebugPrivilege | 2600 | ieinstal.exe
  Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege | 2052 | vssvc.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 2216 | WMIC.exe (the full set enabled twice, 42 entries)
  Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege | 584 | wbengine.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  The two or three writes from each parent into a child it has just started are what every process spawn looks like in this monitor; the 15 writes from the sample (PID 744) into the freshly started ieinstal.exe (PID 2600) are the outlier and, with the ModiLoader verdict above, point to code injection into the Internet Explorer installer binary.
  Processes (description | pid | process | target process):
  PID 744 wrote to memory of 2600 | 744 | 6275a839b5071bf445539c8652d2b13b.exe | ieinstal.exe (15 times)
  PID 2428 wrote to memory of 1504 | 2428 | svchost.exe | ieinstal.exe (3 times)
  PID 2600 wrote to memory of 3360 | 2600 | ieinstal.exe | cmd.exe (2 times)
  PID 3360 wrote to memory of 2112 | 3360 | cmd.exe | vssadmin.exe (2 times)
  PID 3360 wrote to memory of 2216 | 3360 | cmd.exe | WMIC.exe (2 times)
  PID 3360 wrote to memory of 2592 | 3360 | cmd.exe | bcdedit.exe (2 times)
  PID 3360 wrote to memory of 4032 | 3360 | cmd.exe | bcdedit.exe (2 times)
  PID 3360 wrote to memory of 3740 | 3360 | cmd.exe | wbadmin.exe (2 times)
Processes (indentation and the bracketed number give the depth in the tree; cmdline is the command line as recorded)
[1] C:\Users\Admin\AppData\Local\Temp\6275a839b5071bf445539c8652d2b13b.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\6275a839b5071bf445539c8652d2b13b.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\internet explorer\ieinstal.exe
      cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Drops startup file
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\internet explorer\ieinstal.exe
        cmdline: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    [3] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
      [4] C:\Windows\System32\Wbem\WMIC.exe
          cmdline: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\bcdedit.exe
          cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
      [4] C:\Windows\system32\bcdedit.exe
          cmdline: bcdedit /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
      [4] C:\Windows\system32\wbadmin.exe
          cmdline: wbadmin delete catalog -quiet
          - Deletes backup catalog
[1] \??\c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbengine.exe
    cmdline: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vdsldr.exe
    cmdline: C:\Windows\System32\vdsldr.exe -Embedding
[1] C:\Windows\System32\vds.exe
    cmdline: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)

Reading the tree together with the signatures above: the sample starts the Internet Explorer installer binary and writes into it fifteen times, and that child (PID 2600) is the process that carries every ransomware behaviour, which is consistent with the ModiLoader verdict (a loader injecting its payload into a legitimate Microsoft binary) rather than with ieinstal.exe itself being malicious. The svchost.exe -k netsvcs -s seclogon instance recorded as the "other parent" is the Secondary Logon service, which appears as creator for a process started through it. The single cmd.exe child runs, in one batch, the standard ransomware recovery-inhibition set: delete shadow copies twice over (vssadmin and wmic), disable Windows recovery at boot (the two bcdedit calls) and delete the backup catalog (wbadmin). Any one of these commands is worth an alert; all five from one parent within a short window is as close to a certain ransomware verdict as process telemetry gets. The remaining roots (vssvc.exe, wbengine.exe, vdsldr.exe, vds.exe) are the Volume Shadow Copy, Windows Backup and Virtual Disk services started on demand by those commands, so the privilege and registry signatures on them are service behaviour, not additional payloads.
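The recovery-inhibition batch under cmd.exe is the highest-value detection on this page, and it is worth encoding as a rule that keys on the parent rather than on any single command. The block below is an added example for this page (not code from the sandbox, and not a copy of any vendor rule): it runs a small set of command-line patterns over process-creation events, groups hits by parent PID, raises a finding when one parent spawns two or more distinct inhibition behaviours, and walks the ancestry so the finding names the chain. The events are constructed from the process tree above (same PIDs, images and command lines); the final event is an invented benign control (`vssadmin list shadows`) that must not fire. The ATT&CK reference T1490 (Inhibit System Recovery) is the editor's mapping, not something the report states.

```python
import re
from collections import defaultdict

# Process-creation events constructed from the process tree in this report.
# The last event is an invented benign control and must not match.
EVENTS = [
    {"pid": 744,  "ppid": 0,    "image": r"C:\Users\Admin\AppData\Local\Temp\6275a839b5071bf445539c8652d2b13b.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\6275a839b5071bf445539c8652d2b13b.exe"'},
    {"pid": 2600, "ppid": 744,  "image": r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
     "cmdline": r'"C:\Program Files (x86)\internet explorer\ieinstal.exe"'},
    {"pid": 3360, "ppid": 2600, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2112, "ppid": 3360, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 2216, "ppid": 3360, "image": r"C:\Windows\System32\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 2592, "ppid": 3360, "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4032, "ppid": 3360, "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 3740, "ppid": 3360, "image": r"C:\Windows\system32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},  # benign control
]

# Behaviour name -> command-line pattern. Matching on the command line rather
# than the image name catches renamed copies of the tools as well.
RULES = [
    ("shadow_copy_delete",     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete",     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_delete",  re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]


def classify(event):
    """Return the set of recovery-inhibition behaviours one command line matches."""
    text = re.sub(r"\s+", " ", event.get("cmdline") or "")
    return {name for name, rx in RULES if rx.search(text)}


def ancestry(events, pid):
    """Image basenames from pid up to the root, stopping on unknown or cyclic parents."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_recovery_inhibition(events, min_behaviours=2):
    """Group matches by parent; alert when one parent spawns >= min_behaviours distinct behaviours."""
    per_parent = defaultdict(lambda: {"behaviours": set(), "children": []})
    for e in events:
        hits = classify(e)
        if hits:
            per_parent[e["ppid"]]["behaviours"] |= hits
            per_parent[e["ppid"]]["children"].append(e["pid"])
    findings = []
    for ppid, info in per_parent.items():
        if len(info["behaviours"]) >= min_behaviours:
            findings.append({
                "technique": "T1490 Inhibit System Recovery",  # editor's ATT&CK mapping
                "parent_pid": ppid,
                "behaviours": sorted(info["behaviours"]),
                "children": info["children"],
                "chain": ancestry(events, ppid),
            })
    return findings


if __name__ == "__main__":
    for f in detect_recovery_inhibition(EVENTS):
        print(f["technique"], "parent", f["parent_pid"], "chain", " <- ".join(f["chain"]))
        print("  behaviours:", f["behaviours"], "children:", f["children"])
```

With `min_behaviours=1` the same function also flags a lone `vssadmin delete shadows`, which is the right setting for a low-severity rule; the two-behaviour threshold is for the high-confidence alert. In production the grouping key should include a time window, since a parent shell that lives for hours will otherwise accumulate unrelated hits.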
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1504-10-0x0000000000000000-mapping.dmp
- memory/2112-12-0x0000000000000000-mapping.dmp
- memory/2216-13-0x0000000000000000-mapping.dmp
- memory/2592-14-0x0000000000000000-mapping.dmp
- memory/2600-5-0x0000000000000000-mapping.dmp
- memory/2600-8-0x0000000003000000-0x0000000003001000-memory.dmp (filesize 4KB)
- memory/2600-9-0x0000000000000000-mapping.dmp
- memory/2600-7-0x0000000000000000-mapping.dmp
- memory/2600-3-0x0000000000000000-mapping.dmp
- memory/2600-4-0x0000000000CF0000-0x0000000000CF1000-memory.dmp (filesize 4KB)
- memory/2600-2-0x0000000000C30000-0x0000000000C31000-memory.dmp (filesize 4KB)
- memory/3360-11-0x0000000000000000-mapping.dmp
- memory/3740-16-0x0000000000000000-mapping.dmp
- memory/4032-15-0x0000000000000000-mapping.dmp