babadeda | 50e7fed85e8f6fe0000a538d55221cc579fcf2576f5cf96ab717df4a3f14e8c1

Analysis

max time kernel
159s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
13-02-2022 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
Size

9.6MB
MD5

cc2631ac48d53e47f9958142730d8132
SHA1

ef9a754f025b682c7bf8d21fa59cb71e4a8c1be7
SHA256

6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44
SHA512

acc02eb8fcf5640503e1bd723121f16d9852553621b6c046159ca0358bbccd8f5455151e8ce0deee3907c31e2e4562bb61c52927fb728a3052833f116749e4c8

Score

10^/10

babadeda phobos crypter evasion loader persistence ransomware spyware stealer trojan

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 3 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e8b6-158.dat	family_babadeda
behavioral2/memory/864-176-0x0000000004FF0000-0x00000000091F0000-memory.dmp	family_babadeda
behavioral2/memory/4664-178-0x0000000004D00000-0x0000000008F00000-memory.dmp	family_babadeda

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4464 created 864	4464	svchost.exe	83

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4712	bcdedit.exe
1928	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4752	wbadmin.exe

Executes dropped EXE 2 IoCs

pid	Process
864	PDapp.exe
4664	PDapp.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\PDapp.exe	PDapp.exe

Loads dropped DLL 26 IoCs

pid	Process
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
4664	PDapp.exe
4664	PDapp.exe
4664	PDapp.exe
4664	PDapp.exe
4664	PDapp.exe
4664	PDapp.exe
4664	PDapp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDapp = "C:\\Users\\Admin\\AppData\\Local\\PDapp.exe"	PDapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDapp = "C:\\Users\\Admin\\AppData\\Local\\PDapp.exe"	PDapp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	PDapp.exe
File opened for modification	C:\Program Files\desktop.ini	PDapp.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui	PDapp.exe
File created	C:\Program Files\7-Zip\7zFM.exe.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll	PDapp.exe
File created	C:\Program Files\CompareEdit.mp4v.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	PDapp.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui	PDapp.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File created	C:\Program Files\7-Zip\7z.sfx.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsesp.xml	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll	PDapp.exe
File created	C:\Program Files\CompareRevoke.xml.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdfmap.dll	PDapp.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\drive.crx	PDapp.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	PDapp.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador28.tlb	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdaosp.dll	PDapp.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	PDapp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adovbs.inc	PDapp.exe
File opened for modification	C:\Program Files\CompareRevoke.xml	PDapp.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll	PDapp.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdasql.dll	PDapp.exe
File opened for modification	C:\Program Files\DenyGrant.cab	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui	PDapp.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	PDapp.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll	PDapp.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	PDapp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui	PDapp.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll.id[ABFFA09A-2686].[[email protected]].Devos	PDapp.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadrh15.dll	PDapp.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3440	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe
864	PDapp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2832	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2832	AUDIODG.EXE
Token: SeTcbPrivilege	4464	svchost.exe
Token: SeTcbPrivilege	4464	svchost.exe
Token: SeShutdownPrivilege	4852	svchost.exe
Token: SeCreatePagefilePrivilege	4852	svchost.exe
Token: SeShutdownPrivilege	4852	svchost.exe
Token: SeCreatePagefilePrivilege	4852	svchost.exe
Token: SeShutdownPrivilege	4852	svchost.exe
Token: SeCreatePagefilePrivilege	4852	svchost.exe
Token: SeDebugPrivilege	864	PDapp.exe
Token: SeBackupPrivilege	4836	vssvc.exe
Token: SeRestorePrivilege	4836	vssvc.exe
Token: SeAuditPrivilege	4836	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4184	WMIC.exe
Token: SeSecurityPrivilege	4184	WMIC.exe
Token: SeTakeOwnershipPrivilege	4184	WMIC.exe
Token: SeLoadDriverPrivilege	4184	WMIC.exe
Token: SeSystemProfilePrivilege	4184	WMIC.exe
Token: SeSystemtimePrivilege	4184	WMIC.exe
Token: SeProfSingleProcessPrivilege	4184	WMIC.exe
Token: SeIncBasePriorityPrivilege	4184	WMIC.exe
Token: SeCreatePagefilePrivilege	4184	WMIC.exe
Token: SeBackupPrivilege	4184	WMIC.exe
Token: SeRestorePrivilege	4184	WMIC.exe
Token: SeShutdownPrivilege	4184	WMIC.exe
Token: SeDebugPrivilege	4184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4184	WMIC.exe
Token: SeRemoteShutdownPrivilege	4184	WMIC.exe
Token: SeUndockPrivilege	4184	WMIC.exe
Token: SeManageVolumePrivilege	4184	WMIC.exe
Token: 33	4184	WMIC.exe
Token: 34	4184	WMIC.exe
Token: 35	4184	WMIC.exe
Token: 36	4184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4184	WMIC.exe
Token: SeSecurityPrivilege	4184	WMIC.exe
Token: SeTakeOwnershipPrivilege	4184	WMIC.exe
Token: SeLoadDriverPrivilege	4184	WMIC.exe
Token: SeSystemProfilePrivilege	4184	WMIC.exe
Token: SeSystemtimePrivilege	4184	WMIC.exe
Token: SeProfSingleProcessPrivilege	4184	WMIC.exe
Token: SeIncBasePriorityPrivilege	4184	WMIC.exe
Token: SeCreatePagefilePrivilege	4184	WMIC.exe
Token: SeBackupPrivilege	4184	WMIC.exe
Token: SeRestorePrivilege	4184	WMIC.exe
Token: SeShutdownPrivilege	4184	WMIC.exe
Token: SeDebugPrivilege	4184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4184	WMIC.exe
Token: SeRemoteShutdownPrivilege	4184	WMIC.exe
Token: SeUndockPrivilege	4184	WMIC.exe
Token: SeManageVolumePrivilege	4184	WMIC.exe
Token: 33	4184	WMIC.exe
Token: 34	4184	WMIC.exe
Token: 35	4184	WMIC.exe
Token: 36	4184	WMIC.exe
Token: SeBackupPrivilege	2704	wbengine.exe
Token: SeRestorePrivilege	2704	wbengine.exe
Token: SeSecurityPrivilege	2704	wbengine.exe
Token: SeSecurityPrivilege	296	TiWorker.exe
Token: SeRestorePrivilege	296	TiWorker.exe
Token: SeBackupPrivilege	296	TiWorker.exe
Token: SeBackupPrivilege	296	TiWorker.exe
Token: SeRestorePrivilege	296	TiWorker.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 864	4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe	83
PID 4144 wrote to memory of 864	4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe	83
PID 4144 wrote to memory of 864	4144	6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe	83
PID 4464 wrote to memory of 4664	4464	svchost.exe	89
PID 4464 wrote to memory of 4664	4464	svchost.exe	89
PID 4464 wrote to memory of 4664	4464	svchost.exe	89
PID 864 wrote to memory of 1220	864	PDapp.exe	98
PID 864 wrote to memory of 1220	864	PDapp.exe	98
PID 864 wrote to memory of 1496	864	PDapp.exe	95
PID 864 wrote to memory of 1496	864	PDapp.exe	95
PID 1496 wrote to memory of 3480	1496	cmd.exe	100
PID 1496 wrote to memory of 3480	1496	cmd.exe	100
PID 1220 wrote to memory of 3440	1220	cmd.exe	99
PID 1220 wrote to memory of 3440	1220	cmd.exe	99
PID 1496 wrote to memory of 3588	1496	cmd.exe	103
PID 1496 wrote to memory of 3588	1496	cmd.exe	103
PID 1220 wrote to memory of 4184	1220	cmd.exe	108
PID 1220 wrote to memory of 4184	1220	cmd.exe	108
PID 1220 wrote to memory of 4712	1220	cmd.exe	109
PID 1220 wrote to memory of 4712	1220	cmd.exe	109
PID 1220 wrote to memory of 1928	1220	cmd.exe	110
PID 1220 wrote to memory of 1928	1220	cmd.exe	110
PID 1220 wrote to memory of 4752	1220	cmd.exe	111
PID 1220 wrote to memory of 4752	1220	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe
"C:\Users\Admin\AppData\Local\Temp\6d67d7c74a5a110c3d06c7c5d769aef148bfdb8587056fa69873e8d43dc9fe44.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Roaming\DeltaConfig\PDapp.exe
  C:\Users\Admin\AppData\Roaming\DeltaConfig\PDapp.exe
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Roaming\DeltaConfig\PDapp.exe
    "C:\Users\Admin\AppData\Roaming\DeltaConfig\PDapp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4664
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      PID:3480
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      PID:3588
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4184
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4712
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1928
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:4752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1052

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-159-0x0000000003160000-0x0000000003173000-memory.dmp

Filesize
76KB

Download
memory/864-176-0x0000000004FF0000-0x00000000091F0000-memory.dmp

Filesize
66.0MB

Download
memory/4664-172-0x00000000036D0000-0x00000000036E3000-memory.dmp

Filesize
76KB

Download
memory/4664-178-0x0000000004D00000-0x0000000008F00000-memory.dmp

Filesize
66.0MB

Download
memory/4852-179-0x000001F9E1540000-0x000001F9E1550000-memory.dmp

Filesize
64KB

Download
memory/4852-177-0x000001F9E1320000-0x000001F9E1330000-memory.dmp

Filesize
64KB

Download
memory/4852-180-0x000001F9E3A40000-0x000001F9E3A44000-memory.dmp

Filesize
16KB

Download