Analysis
- Max time kernel: 152s
- Max time network: 13s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 06-05-2021 11:55
- Static task: static1
- Behavioral task: behavioral1 (sample: lsass.exe, resource: win7v20210408)
- Behavioral task: behavioral2 (sample: lsass.exe, resource: win10v20210408)
General
- Target: lsass.exe
- Size: 62KB
- MD5: ab7b66ee5385cb473b9c15db3e239692
- SHA1: 5875f07b7b8174284ca15e4d5f53942e0d736024
- SHA256: 8710ad8fb2938326655335455987aa17961b2496a345a7ed9f4bbfcb278212bc
- SHA512: 1a9139af13dacb7cc0022b1216d725e39cfe3668384caf6942705bd1cad263368c4b305f7ccd649cd9bee3be5817029fd410bd02deff34c6b73d8159f2aae280
Malware Config
Extracted
- Path: C:\users\public\desktop\info.hta
- Emails: nilaron@firemail.cc, zezoxo@libertymail.net, togerpo@zohomail.eu
Signatures
- Phobos
  Phobos ransomware appeared at the beginning of 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 4 IoCs)
  Processes: bcdedit.exe (PID 1260), bcdedit.exe (PID 568), bcdedit.exe (PID 1568), bcdedit.exe (PID 688)
- Deletes backup catalog
  Processes: wbadmin.exe (PID 996), wbadmin.exe (PID 1728)
- Modifies Windows Firewall (1 TTP)
- Drops startup file (3 IoCs)
  Processes: lsass.exe
  - File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\lsass.exe (lsass.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (lsass.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[97C1E0A6-3152].[nilaron@firemail.cc].Acuna (lsass.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: lsass.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\\Users\\Admin\\AppData\\Local\\lsass.exe" (lsass.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "C:\\Users\\Admin\\AppData\\Local\\lsass.exe" (lsass.exe)
- Drops desktop.ini file(s) (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 1768), vssadmin.exe (PID 1260)
- Modifies Internet Explorer settings
  Processes: mshta.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of WriteProcessMemory (60 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\lsass.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
  Signatures: Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\lsass.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lsass.exe"
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
    - C:\Windows\system32\netsh.exe
      Command line: netsh firewall set opmode mode=disable
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      Signatures: Deletes backup catalog
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
    Signatures: Modifies Internet Explorer settings
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
    Signatures: Modifies Internet Explorer settings
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
    Signatures: Modifies Internet Explorer settings
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      Signatures: Modifies boot configuration data using bcdedit
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      Signatures: Deletes backup catalog
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
Downloads
- C:\Users\Admin\Desktop\info.hta
  MD5: 2d2fb9ba206c7ac0a0856d79375cc9ec
  SHA1: e9db9d6cc1a0e40dcd24a249ac1731b5ccfe7df6
  SHA256: 4d36e020cc94fc83e1d66de050b2969085b171777bde45a943930a17c4c5c180
  SHA512: fb9923e5d207c718362b16bdd7f722e6c7dc8a098a7ad4622fc372a6e5ac2f203ed542bd9530fb26cbc67234d649e5088a780aed9389e1b3eabfd57eb0e24c2c
- C:\info.hta
  MD5: 2d2fb9ba206c7ac0a0856d79375cc9ec
  SHA1: e9db9d6cc1a0e40dcd24a249ac1731b5ccfe7df6
  SHA256: 4d36e020cc94fc83e1d66de050b2969085b171777bde45a943930a17c4c5c180
  SHA512: fb9923e5d207c718362b16bdd7f722e6c7dc8a098a7ad4622fc372a6e5ac2f203ed542bd9530fb26cbc67234d649e5088a780aed9389e1b3eabfd57eb0e24c2c
- C:\users\public\desktop\info.hta
  MD5: 2d2fb9ba206c7ac0a0856d79375cc9ec
  SHA1: e9db9d6cc1a0e40dcd24a249ac1731b5ccfe7df6
  SHA256: 4d36e020cc94fc83e1d66de050b2969085b171777bde45a943930a17c4c5c180
  SHA512: fb9923e5d207c718362b16bdd7f722e6c7dc8a098a7ad4622fc372a6e5ac2f203ed542bd9530fb26cbc67234d649e5088a780aed9389e1b3eabfd57eb0e24c2c