phobos | 97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb

Resubmissions

21/02/2025, 10:40

250221-mqpfcszrfk 10

26/07/2021, 12:41

210726-386gy5xqax 10

Analysis

max time kernel
152s
max time network
193s
platform
windows7_x64
resource
win7v20210410
submitted
26/07/2021, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
Size

192KB
MD5

eb5d46bf72a013bfc7c018169eb1739b
SHA1

f55680a34521ef07c2b8dedd1b74a9927990485a
SHA256

97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb
SHA512

b3e2d512c95913fe0ea1732f1e0bea2e849eb2ef98046380b01c76e6ec38a2ad5c00dcb66f90ad1f9d9c3ab97b81cd92318bdbfc84e2d408ed577902511b0c54

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

\??\c:\users\admin\desktop\info.txt

Ransom Note

Your computer is infected with a virus. Files are locked* but not corrupted. Send an email [email protected] and you will definitely be helped to recover. *you can send us a couple of files and we will return the restored ones to prove that only we can do it IMPORTANT: 1. the infection was due to vulnerabilities in your software 2. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. only communication through our email can guarantee file recovery for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. if we do not respond to you within 24 hours, send a message to the email [email protected] 5. our goal is to return your data, but if you do not contact us, we will not succeed

Emails

[email protected]

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

Files are locked* but not corrupted Your computer is infected with a virus. Files are locked* but not corrupted. Send an email [email protected] , specify in the subject unique identifier 65412767-2408 and you will definitely be helped to recover. *you can send us a couple of files and we will return the restored ones to prove that only we can do it IMPORTANT: 1. the infection was due to vulnerabilities in your software 2. if you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. only communication through our email can guarantee file recovery for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. if we do not respond to you within 24 hours, send a message to the email [email protected] 5. our goal is to return your data, but if you do not contact us, we will not succeed

Emails

[email protected]

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\TestGet.tiff	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample = "C:\\Users\\Admin\\AppData\\Local\\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe"	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample = "C:\\Users\\Admin\\AppData\\Local\\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe"	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQE06QBJ\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SLC8MVWU\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2MTLR0RV\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00010_.WMF.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Training.potx.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Asuncion.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0298653.WMF	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OTKLOADR.DLL.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jre7\lib\ext\localedata.jar.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Comments.accdt	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.ELM	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00255_.WMF	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00223_.WMF	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB01741L.GIF	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\logo.png	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00126_.WMF	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_hov.png	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.config.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01154_.WMF.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01158_.WMF.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets_1.0.0.v20140514-1823.jar	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.WPG.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21323_.GIF	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ONWordAddin.dll.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Manila	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPAPERS.INI.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_flyout.png	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\CERTINTL.DLL.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll.id[65412767-2408].[[email protected]].Caleb	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 1332	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	30
PID 592 wrote to memory of 1332	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	30
PID 592 wrote to memory of 1332	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	30
PID 592 wrote to memory of 1332	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	30
PID 1332 wrote to memory of 1384	1332	cmd.exe	32
PID 1332 wrote to memory of 1384	1332	cmd.exe	32
PID 1332 wrote to memory of 1384	1332	cmd.exe	32
PID 1332 wrote to memory of 520	1332	cmd.exe	33
PID 1332 wrote to memory of 520	1332	cmd.exe	33
PID 1332 wrote to memory of 520	1332	cmd.exe	33
PID 592 wrote to memory of 1152	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	35
PID 592 wrote to memory of 1152	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	35
PID 592 wrote to memory of 1152	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	35
PID 592 wrote to memory of 1152	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	35
PID 592 wrote to memory of 1848	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	36
PID 592 wrote to memory of 1848	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	36
PID 592 wrote to memory of 1848	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	36
PID 592 wrote to memory of 1848	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	36
PID 592 wrote to memory of 916	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	37
PID 592 wrote to memory of 916	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	37
PID 592 wrote to memory of 916	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	37
PID 592 wrote to memory of 916	592	97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe	37

C:\Users\Admin\AppData\Local\Temp\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
"C:\Users\Admin\AppData\Local\Temp\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592
- C:\Users\Admin\AppData\Local\Temp\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe
  "C:\Users\Admin\AppData\Local\Temp\97cb4bf23ebc72c97f8216182eb44f9bd45f3f7fff0d1ef9c573e7df79956ddb.sample.exe"
  2⤵
  PID:1228
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    PID:1384
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    PID:520
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1152
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1848
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-61-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/592-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/592-60-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1228-64-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1384-67-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download