Analysis

max time kernel: 4294196s
max time network: 138s
platform: windows7_x64
resource: win7-20220223-en
submitted: 28-02-2022 18:42

Static task: static1

Behavioral task: behavioral1
Sample: 7eb1b46c43a2290eb2631ea061da7258591e37da9f784e9dc890f1a27d292d9e.msi
Resource: win7-20220223-en

Behavioral task: behavioral2
Sample: 7eb1b46c43a2290eb2631ea061da7258591e37da9f784e9dc890f1a27d292d9e.msi
Resource: win10v2004-en-20220112

General

Target: 7eb1b46c43a2290eb2631ea061da7258591e37da9f784e9dc890f1a27d292d9e.msi
Size: 5.8MB
MD5: 114daaf4ec2fa86c801300439044d946
SHA1: 9da80d1bed43da4c74f4a0957a580d4e7839f434
SHA256: 7eb1b46c43a2290eb2631ea061da7258591e37da9f784e9dc890f1a27d292d9e
SHA512: ec9333ab61e3e61b4c373dc349d8ecff7145c6bc59b409b658ea2bd2c45ad441ce1a121ac9515764c8c2d2642c5175b8ca6d40328cf84f700dd156e2fbaeb8e0
Malware Config

Signatures

Babadeda Crypter (3 IoCs)
resource / yara_rule:
- behavioral1/files/0x0006000000014a88-110.dat: family_babadeda
- behavioral1/memory/944-131-0x0000000003F90000-0x0000000008190000-memory.dmp: family_babadeda
- behavioral1/memory/1984-133-0x0000000003E60000-0x0000000008060000-memory.dmp: family_babadeda

Phobos
Phobos ransomware appeared at the beginning of 2019.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 8 IoCs)
pid / Process:
- 860 bcdedit.exe
- 948 bcdedit.exe
- 2240 bcdedit.exe
- 2248 bcdedit.exe
- 2940 bcdedit.exe
- 2984 bcdedit.exe
- 3008 bcdedit.exe
- 3016 bcdedit.exe

Blocklisted process makes network request (2 IoCs)
flow / pid / Process:
- flow 3: 824 msiexec.exe
- flow 4: 956 msiexec.exe

Deletes backup catalog (4 IoCs; heading inferred from the process tree, which reports this signature for these PIDs)
pid / Process:
- 1544 wbadmin.exe
- 2256 wbadmin.exe
- 3024 wbadmin.exe
- 3032 wbadmin.exe

Executes dropped EXE (4 IoCs)
pid / Process:
- 1736 AAMCustomHook.exe
- 944 PDapp.exe
- 1760 PDapp.exe
- 1984 PDapp.exe

Modifies Windows Firewall (1 TTPs)

Drops startup file (1 IoCs)
description / ioc / Process:
- File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\PDapp.exe (PDapp.exe)

Loads dropped DLL (63 IoCs)
pid / Process (repeated entries collapsed with a count):
- 1884 MsiExec.exe (×3)
- 944 PDapp.exe (×20)
- 1760 PDapp.exe (×20)
- 1984 PDapp.exe (×20)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process (each entry is recorded twice):
- Set value (str): \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\PDapp = "C:\\Users\\Admin\\AppData\\Local\\PDapp.exe" (PDapp.exe) (×2)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PDapp = "C:\\Users\\Admin\\AppData\\Local\\PDapp.exe" (PDapp.exe) (×2)
Drops desktop.ini file(s) (43 IoCs)
description / ioc / Process (every entry is "File opened for modification" by PDapp.exe):
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72C1GWO9\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Program Files\desktop.ini
- C:\Program Files\Microsoft Games\FreeCell\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Public\Recorded TV\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Program Files\Microsoft Games\Chess\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\M7YMRK48\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Program Files\Microsoft Games\Hearts\desktop.ini
- C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
- C:\Users\Public\Music\desktop.ini
- C:\Users\Public\Videos\Sample Videos\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7HKSP8D\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AGWPI80M\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
- File opened (read-only) by msiexec.exe on each of \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:), each letter recorded twice: 24 letters × 2 = 48 entries
Drops file in Program Files directory (64 IoCs)
description / ioc / Process (all entries by PDapp.exe; "File created" entries are the encrypted copies with the ransom extension appended):
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\1047x576black.png
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00126_.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00703L.GIF
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll
- File created: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.id[7B8E6852-2686].[[email protected]].Devos
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml
- File created: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21327_.GIF.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png
- File created: C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql90.xsl
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00136_.WMF.id[7B8E6852-2686].[[email protected]].Devos
- File created: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files\DVD Maker\Shared\Parity.fx
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MSRTEDIT.DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_en.dub
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\slideShow.css
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_ja.jar
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\INDUST.INF
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui
- File created: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_es.dub
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar
- File opened for modification: C:\Program Files\Java\jre7\bin\verify.dll
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_windy.png
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\Europe\Andorra
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200273.WMF.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36B.GIF
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
- File opened for modification: C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html
- File created: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222021.WMF.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293234.WMF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_ON.GIF
- File opened for modification: C:\Program Files (x86)\Windows NT\Accessories\de-DE\wordpad.exe.mui
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00168_.WMF.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF
- File created: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ja.pak.id[7B8E6852-2686].[[email protected]].Devos
- File created: C:\Program Files\Java\jre7\lib\zi\America\Boise.id[7B8E6852-2686].[[email protected]].Devos
- File created: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE11.POC.id[7B8E6852-2686].[[email protected]].Devos
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00092_.GIF
Drops file in Windows directory (9 IoCs)
description / ioc / Process (all entries by msiexec.exe):
- File created: C:\Windows\Installer\f7650af.msi
- File opened for modification: C:\Windows\Installer\f7650af.msi
- File opened for modification: C:\Windows\Installer\MSI5391.tmp
- File opened for modification: C:\Windows\Installer\MSI543E.tmp
- File created: C:\Windows\Installer\f7650b1.ipi
- File opened for modification: C:\Windows\Installer\MSI58E1.tmp
- File opened for modification: C:\Windows\Installer\MSI520A.tmp
- File opened for modification: C:\Windows\Installer\
- File opened for modification: C:\Windows\Installer\f7650b1.ipi

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Detects BABADEDA Crypter (3 IoCs)
Detects BABADEDA Crypter.
resource / yara_rule:
- behavioral1/files/0x0006000000014a88-110.dat: BABADEDA_Crypter
- behavioral1/memory/944-131-0x0000000003F90000-0x0000000008190000-memory.dmp: BABADEDA_Crypter
- behavioral1/memory/1984-133-0x0000000003E60000-0x0000000008060000-memory.dmp: BABADEDA_Crypter

Interacts with shadow copies (2 TTPs, 4 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / Process:
- 2584 vssadmin.exe
- 2592 vssadmin.exe
- 1640 vssadmin.exe
- 820 vssadmin.exe

Modifies Internet Explorer settings (6 IoCs; heading inferred from the process tree, which reports this signature for the six mshta.exe instances)
description / ioc / Process:
- Key created: \REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe) (×6)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (repeated entries collapsed with a count):
- 956 msiexec.exe (×2)
- 944 PDapp.exe (×62)

Suspicious behavior: RenamesItself (1 IoCs)
pid / Process:
- 944 PDapp.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process (grouped by process, tokens in the order recorded):
- 824 msiexec.exe: Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
- 956 msiexec.exe: Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, then SeRestorePrivilege / SeTakeOwnershipPrivilege alternating for a further eight pairs (19 entries)
- 944 PDapp.exe: Token: SeDebugPrivilege (1 entry)
- 824 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 entries)
- 1468 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege (10 entries)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process:
- 824 msiexec.exe (×2)

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (repeated entries collapsed with a count):
- PID 956 (msiexec.exe) wrote to memory of 1884, procid_target 28 (×7)
- PID 956 (msiexec.exe) wrote to memory of 1736, procid_target 29 (×4)
- PID 956 (msiexec.exe) wrote to memory of 944, procid_target 30 (×4)
- PID 944 (PDapp.exe) wrote to memory of 1152, procid_target 33 (×4)
- PID 944 (PDapp.exe) wrote to memory of 1196, procid_target 34 (×4)
- PID 1196 (cmd.exe) wrote to memory of 1268, procid_target 37 (×3)
- PID 1152 (cmd.exe) wrote to memory of 1640, procid_target 38 (×3)
- PID 1708 (cmd.exe) wrote to memory of 820, procid_target 44 (×3)
- PID 576 (cmd.exe) wrote to memory of 2024, procid_target 45 (×3)
- PID 1196 (cmd.exe) wrote to memory of 764, procid_target 46 (×3)
- PID 576 (cmd.exe) wrote to memory of 1532, procid_target 47 (×3)
- PID 1708 (cmd.exe) wrote to memory of 1468, procid_target 49 (×3)
- PID 1708 (cmd.exe) wrote to memory of 860, procid_target 51 (×3)
- PID 1708 (cmd.exe) wrote to memory of 948, procid_target 52 (×3)
- PID 1708 (cmd.exe) wrote to memory of 1544, procid_target 53 (×3)
- PID 1152 (cmd.exe) wrote to memory of 2208, procid_target 58 (×3)
- PID 1152 (cmd.exe) wrote to memory of 2240, procid_target 59 (×3)
- PID 1152 (cmd.exe) wrote to memory of 2248, procid_target 60 (×3)
- PID 1152 (cmd.exe) wrote to memory of 2256, procid_target 61 (×2)
Processes

Each entry gives the image path, the command line and the PID as recorded by the sandbox. Indentation shows the parent/child relationship (the sandbox's depth level is in brackets), and the bullets under an entry are the signatures that process triggered.

[1] C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7eb1b46c43a2290eb2631ea061da7258591e37da9f784e9dc890f1a27d292d9e.msi
    PID: 824
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 956
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1CA0DD9952A851B1122934DE4634C0B2
        PID: 1884
        - Loads dropped DLL

    [2] C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\AAMCustomHook.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\AAMCustomHook.exe"
        PID: 1736
        - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe
        Command line: "C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe"
        PID: 944
        - Executes dropped EXE
        - Drops startup file
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: RenamesItself
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe
            Command line: "C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe"
            PID: 1760
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application

            [4] C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe
                Command line: "C:\Users\Admin\AppData\Roaming\AlfaReader\lfaReader Install\PDapp.exe"
                PID: 1984
                - Executes dropped EXE
                - Loads dropped DLL

            [4] C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe"
                PID: 576
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\netsh.exe
                    Command line: netsh advfirewall set currentprofile state off
                    PID: 2024

                [5] C:\Windows\system32\netsh.exe
                    Command line: netsh firewall set opmode mode=disable
                    PID: 1532

            [4] C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe"
                PID: 1708
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\vssadmin.exe
                    Command line: vssadmin delete shadows /all /quiet
                    PID: 820
                    - Interacts with shadow copies

                [5] C:\Windows\System32\Wbem\WMIC.exe
                    Command line: wmic shadowcopy delete
                    PID: 1468
                    - Suspicious use of AdjustPrivilegeToken

                [5] C:\Windows\system32\bcdedit.exe
                    Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                    PID: 860
                    - Modifies boot configuration data using bcdedit

                [5] C:\Windows\system32\bcdedit.exe
                    Command line: bcdedit /set {default} recoveryenabled no
                    PID: 948
                    - Modifies boot configuration data using bcdedit

                [5] C:\Windows\system32\wbadmin.exe
                    Command line: wbadmin delete catalog -quiet
                    PID: 1544
                    - Deletes backup catalog

            [4] C:\Windows\SysWOW64\mshta.exe
                Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
                PID: 2416
                - Modifies Internet Explorer settings

            [4] C:\Windows\SysWOW64\mshta.exe
                Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
                PID: 2440
                - Modifies Internet Explorer settings

            [4] C:\Windows\SysWOW64\mshta.exe
                Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
                PID: 2500
                - Modifies Internet Explorer settings

            [4] C:\Windows\system32\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe"
                PID: 2524

                [5] C:\Windows\system32\vssadmin.exe
                    Command line: vssadmin delete shadows /all /quiet
                    PID: 2592
                    - Interacts with shadow copies

                [5] C:\Windows\System32\Wbem\WMIC.exe
                    Command line: wmic shadowcopy delete
                    PID: 2804

                [5] C:\Windows\system32\bcdedit.exe
                    Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                    PID: 2984
                    - Modifies boot configuration data using bcdedit

                [5] C:\Windows\system32\bcdedit.exe
                    Command line: bcdedit /set {default} recoveryenabled no
                    PID: 3008
                    - Modifies boot configuration data using bcdedit

                [5] C:\Windows\system32\wbadmin.exe
                    Command line: wbadmin delete catalog -quiet
                    PID: 3024
                    - Deletes backup catalog

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            PID: 1152
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\vssadmin.exe
                Command line: vssadmin delete shadows /all /quiet
                PID: 1640
                - Interacts with shadow copies

            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: wmic shadowcopy delete
                PID: 2208

            [4] C:\Windows\system32\bcdedit.exe
                Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                PID: 2240
                - Modifies boot configuration data using bcdedit

            [4] C:\Windows\system32\bcdedit.exe
                Command line: bcdedit /set {default} recoveryenabled no
                PID: 2248
                - Modifies boot configuration data using bcdedit

            [4] C:\Windows\system32\wbadmin.exe
                Command line: wbadmin delete catalog -quiet
                PID: 2256
                - Deletes backup catalog

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            PID: 1196
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\system32\netsh.exe
                Command line: netsh advfirewall set currentprofile state off
                PID: 1268

            [4] C:\Windows\system32\netsh.exe
                Command line: netsh firewall set opmode mode=disable
                PID: 764

        [3] C:\Windows\SysWOW64\mshta.exe
            Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
            PID: 2408
            - Modifies Internet Explorer settings

        [3] C:\Windows\SysWOW64\mshta.exe
            Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
            PID: 2456
            - Modifies Internet Explorer settings

        [3] C:\Windows\SysWOW64\mshta.exe
            Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
            PID: 2468
            - Modifies Internet Explorer settings

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            PID: 2488

            [4] C:\Windows\system32\vssadmin.exe
                Command line: vssadmin delete shadows /all /quiet
                PID: 2584
                - Interacts with shadow copies

            [4] C:\Windows\System32\Wbem\WMIC.exe
                Command line: wmic shadowcopy delete
                PID: 2796

            [4] C:\Windows\system32\bcdedit.exe
                Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
                PID: 2940
                - Modifies boot configuration data using bcdedit

            [4] C:\Windows\system32\bcdedit.exe
                Command line: bcdedit /set {default} recoveryenabled no
                PID: 3016
                - Modifies boot configuration data using bcdedit

            [4] C:\Windows\system32\wbadmin.exe
                Command line: wbadmin delete catalog -quiet
                PID: 3032
                - Deletes backup catalog

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 824
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    PID: 848

[1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
    PID: 844

[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    PID: 632