neshta | de6b4fe5b4420970f1615f4d899a3c53e7817ce715db692583e2299f260661b2

General

Target

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
Size

136KB
MD5

60d57c278bab55af5023a16578492fa5
SHA1

bb7a831d2ee669a52726737765d86bbba4074991
SHA256

de6b4fe5b4420970f1615f4d899a3c53e7817ce715db692583e2299f260661b2
SHA512

f6528e07a19bfd56343af4d73dff137207830bc0acafa3739f6ff85f88055ed44ddf97de870cc68004ca870c855c63a4bfe90d377636307455623b85f4731cf8

Score

10^/10

neshta phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta Payload 1 IoCs

Processes:

resource	yara_rule
C:\odt\office2016setup.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1988 bcdedit.exe
360 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3140 wbadmin.exe
Executes dropped EXE 2 IoCs

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

pid process

2908 60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
1528 60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
1988	bcdedit.exe
360	bcdedit.exe

pid	process
3140	wbadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

Drops startup file 1 IoCs

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB = "C:\\Users\\Admin\\AppData\\Local\\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe"	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB = "C:\\Users\\Admin\\AppData\\Local\\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe"	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-790714498-1549421491-1643397139-1000\desktop.ini	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\desktop.ini	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

Drops file in Program Files directory 64 IoCs

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\THEMES.INF	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jre1.8.0_66\README.txt.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-ppd.xrm-ms	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupMedTile.scale-150.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2iexp.dll	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7_RTL.wmv	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-125_contrast-white.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideLogo.scale-125_contrast-white.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileLargeSquare.scale-200.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\VEN2232.OLB.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-125.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Collections.Specialized.dll	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-locale-l1-1-0.dll.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javafx_font.dll	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-runtime-l1-1-0.dll	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\RotateVertically.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-100.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\SmallTile.scale-200.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\StoreLogo.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-36_altform-unplated.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_ReptileEye.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\fontmanager.dll.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-phn.xrm-ms	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedLargeTile.scale-200.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-125.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-white.png	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_zh_CN.jar.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ppd.xrm-ms	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_zh_4.4.0.v20140623020002.jar.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar.id[F751A49D-3258].[[email protected]].eking	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

Drops file in Windows directory 2 IoCs

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3384 vssadmin.exe

pid	process
3384	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

WaaSMedicAgent.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132886949784290856"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3888"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4076"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe

Modifies registry class 1 IoCs

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

pid	process
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
Token: SeBackupPrivilege	2864	vssvc.exe
Token: SeRestorePrivilege	2864	vssvc.exe
Token: SeAuditPrivilege	2864	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3696	WMIC.exe
Token: SeSecurityPrivilege	3696	WMIC.exe
Token: SeTakeOwnershipPrivilege	3696	WMIC.exe
Token: SeLoadDriverPrivilege	3696	WMIC.exe
Token: SeSystemProfilePrivilege	3696	WMIC.exe
Token: SeSystemtimePrivilege	3696	WMIC.exe
Token: SeProfSingleProcessPrivilege	3696	WMIC.exe
Token: SeIncBasePriorityPrivilege	3696	WMIC.exe
Token: SeCreatePagefilePrivilege	3696	WMIC.exe
Token: SeBackupPrivilege	3696	WMIC.exe
Token: SeRestorePrivilege	3696	WMIC.exe
Token: SeShutdownPrivilege	3696	WMIC.exe
Token: SeDebugPrivilege	3696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3696	WMIC.exe
Token: SeRemoteShutdownPrivilege	3696	WMIC.exe
Token: SeUndockPrivilege	3696	WMIC.exe
Token: SeManageVolumePrivilege	3696	WMIC.exe
Token: 33	3696	WMIC.exe
Token: 34	3696	WMIC.exe
Token: 35	3696	WMIC.exe
Token: 36	3696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3696	WMIC.exe
Token: SeSecurityPrivilege	3696	WMIC.exe
Token: SeTakeOwnershipPrivilege	3696	WMIC.exe
Token: SeLoadDriverPrivilege	3696	WMIC.exe
Token: SeSystemProfilePrivilege	3696	WMIC.exe
Token: SeSystemtimePrivilege	3696	WMIC.exe
Token: SeProfSingleProcessPrivilege	3696	WMIC.exe
Token: SeIncBasePriorityPrivilege	3696	WMIC.exe
Token: SeCreatePagefilePrivilege	3696	WMIC.exe
Token: SeBackupPrivilege	3696	WMIC.exe
Token: SeRestorePrivilege	3696	WMIC.exe
Token: SeShutdownPrivilege	3696	WMIC.exe
Token: SeDebugPrivilege	3696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3696	WMIC.exe
Token: SeRemoteShutdownPrivilege	3696	WMIC.exe
Token: SeUndockPrivilege	3696	WMIC.exe
Token: SeManageVolumePrivilege	3696	WMIC.exe
Token: 33	3696	WMIC.exe
Token: 34	3696	WMIC.exe
Token: 35	3696	WMIC.exe
Token: 36	3696	WMIC.exe
Token: SeBackupPrivilege	3060	wbengine.exe
Token: SeRestorePrivilege	3060	wbengine.exe
Token: SeSecurityPrivilege	3060	wbengine.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.execmd.execmd.exe

description	pid	process	target process
PID 3976 wrote to memory of 2908	3976	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
PID 3976 wrote to memory of 2908	3976	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
PID 3976 wrote to memory of 2908	3976	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
PID 2908 wrote to memory of 3324	2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe	cmd.exe
PID 2908 wrote to memory of 3324	2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe	cmd.exe
PID 2908 wrote to memory of 3160	2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe	cmd.exe
PID 2908 wrote to memory of 3160	2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe	cmd.exe
PID 3324 wrote to memory of 3384	3324	cmd.exe	vssadmin.exe
PID 3324 wrote to memory of 3384	3324	cmd.exe	vssadmin.exe
PID 3160 wrote to memory of 804	3160	cmd.exe	netsh.exe
PID 3160 wrote to memory of 804	3160	cmd.exe	netsh.exe
PID 3160 wrote to memory of 3412	3160	cmd.exe	netsh.exe
PID 3160 wrote to memory of 3412	3160	cmd.exe	netsh.exe
PID 3324 wrote to memory of 3696	3324	cmd.exe	WMIC.exe
PID 3324 wrote to memory of 3696	3324	cmd.exe	WMIC.exe
PID 3324 wrote to memory of 1988	3324	cmd.exe	bcdedit.exe
PID 3324 wrote to memory of 1988	3324	cmd.exe	bcdedit.exe
PID 3324 wrote to memory of 360	3324	cmd.exe	bcdedit.exe
PID 3324 wrote to memory of 360	3324	cmd.exe	bcdedit.exe
PID 3324 wrote to memory of 3140	3324	cmd.exe	wbadmin.exe
PID 3324 wrote to memory of 3140	3324	cmd.exe	wbadmin.exe

C:\Users\Admin\AppData\Local\Temp\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
"C:\Users\Admin\AppData\Local\Temp\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\3582-490\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908

C:\Users\Admin\AppData\Local\Temp\3582-490\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe"
3⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:3384

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1988

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:360

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:3140

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
PID:804

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
PID:3412

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:2528

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe b89347a4793e93c66bbce143c9152240 2eGbb/W81EK0agOsi/IHWQ.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:3508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3312

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Change Default File Association

1

T1042

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\60D57C~1.EXE
MD5
ea6ca220e55dc485188e579cbf841e8b

SHA1
6c4c57e97d3a49902a7b74010269201268580165

SHA256
98f4efc747891dfec1ff14b19e67473d3637238d6570072b090fc7cc349d29cf

SHA512
3c8e313ebe5906c0b1a5823c2d38c47c349bb1d202a9e2a8552ff34bb74ef3c42548186536557ff40d74232ebdac9331441d4a31d941b123798567e29200ed28

Download Submit
C:\Users\Admin\AppData\Local\60D57C~1.EXE
MD5
346060bba164540a48a2c1884d140123

SHA1
568de53a8ef80b5c280f0dff005df6ef255c146b

SHA256
b2e9524b0f98d2ba59e1be46e563658aed8094dbb2296a0d18f7ec473759867f

SHA512
e91eadeab9f231e73a2ff5fb69b5e8ccb2ba744766ec6b1aea501d196b949028c28118f2b176c815655c5ededb3828f1c2513c0257a419196520b3b3f313f964

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
MD5
ea6ca220e55dc485188e579cbf841e8b

SHA1
6c4c57e97d3a49902a7b74010269201268580165

SHA256
98f4efc747891dfec1ff14b19e67473d3637238d6570072b090fc7cc349d29cf

SHA512
3c8e313ebe5906c0b1a5823c2d38c47c349bb1d202a9e2a8552ff34bb74ef3c42548186536557ff40d74232ebdac9331441d4a31d941b123798567e29200ed28

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
MD5
ea6ca220e55dc485188e579cbf841e8b

SHA1
6c4c57e97d3a49902a7b74010269201268580165

SHA256
98f4efc747891dfec1ff14b19e67473d3637238d6570072b090fc7cc349d29cf

SHA512
3c8e313ebe5906c0b1a5823c2d38c47c349bb1d202a9e2a8552ff34bb74ef3c42548186536557ff40d74232ebdac9331441d4a31d941b123798567e29200ed28

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
MD5
ea6ca220e55dc485188e579cbf841e8b

SHA1
6c4c57e97d3a49902a7b74010269201268580165

SHA256
98f4efc747891dfec1ff14b19e67473d3637238d6570072b090fc7cc349d29cf

SHA512
3c8e313ebe5906c0b1a5823c2d38c47c349bb1d202a9e2a8552ff34bb74ef3c42548186536557ff40d74232ebdac9331441d4a31d941b123798567e29200ed28

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\60D57C~1.EXE
MD5
ea6ca220e55dc485188e579cbf841e8b

SHA1
6c4c57e97d3a49902a7b74010269201268580165

SHA256
98f4efc747891dfec1ff14b19e67473d3637238d6570072b090fc7cc349d29cf

SHA512
3c8e313ebe5906c0b1a5823c2d38c47c349bb1d202a9e2a8552ff34bb74ef3c42548186536557ff40d74232ebdac9331441d4a31d941b123798567e29200ed28

Download Submit
C:\odt\office2016setup.exe
MD5
eaef77887eb853c76c8328b36ca89d26

SHA1
6392e91a4e094ad2bc939ac2351ccb9c3b3b1fdf

SHA256
24afd72b465ee8a1d2ae3594b3d43a6cc1a12baa63f7cbf36d460849a7dda630

SHA512
6489f7328e03ab31e5494facaf55d848f9829ac4ddd8db0d0aacf700d777a12e1fa811842459b3b2470af1bfbc4fa8bb380d81cc483a4eb3f9ec4761802eae80

Download Submit

pid	process
2908	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe
1528	60d57c278bab55af5023a16578492fa5_AntiRecuvaAndDB.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads