Analysis

Max time kernel: 150s
Max time network: 9s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 06-05-2021 12:00

Tasks:
Static task: static1
Behavioral task: behavioral1 (sample 1.exe, resource win7v20210408)
Behavioral task: behavioral2 (sample 1.exe, resource win10v20210410)
General

Target: 1.exe
Size: 62KB
MD5: ab7b66ee5385cb473b9c15db3e239692
SHA1: 5875f07b7b8174284ca15e4d5f53942e0d736024
SHA256: 8710ad8fb2938326655335455987aa17961b2496a345a7ed9f4bbfcb278212bc
SHA512: 1a9139af13dacb7cc0022b1216d725e39cfe3668384caf6942705bd1cad263368c4b305f7ccd649cd9bee3be5817029fd410bd02deff34c6b73d8159f2aae280
Malware Config

Extracted from: C:\users\public\desktop\info.hta
E-mail addresses:
- nilaron@firemail.cc
- zezoxo@libertymail.net
- togerpo@zohomail.eu
Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 4 IoCs)
Processes:
  PID   Process
  1572  bcdedit.exe
  432   bcdedit.exe
  1316  bcdedit.exe
  1776  bcdedit.exe

Processes:
  PID   Process
  844   wbadmin.exe
  1148  wbadmin.exe
Modifies Windows Firewall (1 TTP)

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes:
- File opened for modification: C:\Users\Admin\Pictures\ConfirmOut.tiff (1.exe)
- File opened for modification: C:\Users\Admin\Pictures\CopyUnregister.tiff (1.exe)

Drops startup file (3 IoCs)
Processes:
- File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\1.exe (1.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (1.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[14150694-3152].[nilaron@firemail.cc].Acuna (1.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Local\\1.exe" (1.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Users\\Admin\\AppData\\Local\\1.exe" (1.exe)
Drops desktop.ini file(s) (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  PID   Process
  1692  vssadmin.exe
  484   vssadmin.exe

Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (60 IoCs)
Processes

The number in brackets is the depth of the entry in the process tree; signatures triggered by each process are listed beneath its command line.

[1] C:\Users\Admin\AppData\Local\Temp\1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Modifies extensions of user files
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"

    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies

        [3] C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit

        [3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit

        [3] C:\Windows\system32\wbadmin.exe
            Command line: wbadmin delete catalog -quiet
            - Deletes backup catalog

    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh advfirewall set currentprofile state off

        [3] C:\Windows\system32\netsh.exe
            Command line: netsh firewall set opmode mode=disable

    [2] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        - Modifies Internet Explorer settings

    [2] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        - Modifies Internet Explorer settings

    [2] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        - Modifies Internet Explorer settings

    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies

        [3] C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit

        [3] C:\Windows\system32\bcdedit.exe
            Command line: bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit

        [3] C:\Windows\system32\wbadmin.exe
            Command line: wbadmin delete catalog -quiet
            - Deletes backup catalog

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding

[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Three dropped copies of info.hta, identical by hash:
- C:\Users\Admin\Desktop\info.hta
- C:\info.hta
- C:\users\public\desktop\info.hta

MD5: 473a8e281f1d7eeabbaa956a983f64f5
SHA1: 9fc095985e07603db81db5486c11848caa1c4ed1
SHA256: 5d0f061dded9b057782cf6a75fd628b5905669dea6838ace1d71da28e01b29b1
SHA512: 1cdcf2cf6e31466f3864fb170c6989ecb91001c0f919809c634864cefd54558274881f325135ce7a5c73e5a99ced4a2ad22eb8dd4f0cc6806037a7d5cd1c3523