phobos | aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef

General

Target

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
Size

664KB
MD5

acf73cf8ddfb182b8559779f8a165e49
SHA1

d944a1bc327f26b8c17345d04986ef0437d85484
SHA256

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef
SHA512

284a26b9165b58c9a531364bb7609abdc38868efd38878b0cdf78bed45ef0ee73a83719ec972ee86416dddc0e9ab698ed387537e12c9aed75d81ad817a3c8fd0

Score

10^/10

phobos discovery evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3180 created 3080 3180 svchost.exe aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

308 netsh.exe
4520 netsh.exe

description	pid	process	target process
PID 3180 created 3080	3180	svchost.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

pid	process
308	netsh.exe
4520	netsh.exe

Drops startup file 1 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef = "C:\\Users\\Admin\\AppData\\Local\\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef = "C:\\Users\\Admin\\AppData\\Local\\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2660308776-3705150086-26593515-1000\desktop.ini	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\desktop.ini	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exeaa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

description	pid	process	target process
PID 4264 set thread context of 3080	4264	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 2016 set thread context of 3092	2016	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Drops file in Program Files directory 64 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\ringless_calls\Ringlesscalling_25more_360x120_2x.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-white.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-125_contrast-black.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-32.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-200.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\agavedefaulticon96x96.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\StandardShader.vs.cso	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256_altform-lightunplated.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\msvcp140_1_app.dll	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-lightunplated.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\PHONE.XML	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-125.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-high.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ar.pak.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\controllers.js	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\km-KH\View3d\3DViewerProductDescription-universal.xml	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-24_altform-unplated.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\ui-strings.js	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-60_contrast-white.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\Videos\people_fre_motionAsset_p3.mp4	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated_contrast-white.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-125.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IO.Log.Resources.dll	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-200_contrast-white.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-unplated.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Windows.dll	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.scale-200.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmagnify_plugin.dll.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libprojectm_plugin.dll.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-200.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-up.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.ini.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Mozilla Firefox\xul.dll.sig.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\LargeTile.scale-100_contrast-white.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons.png	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.bat.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-stdio-l1-1-0.dll.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfigOnLogon.xml.id[693E9983-2275].[[email protected]].Adame	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

pid	process
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 3180 svchost.exe
Token: SeTcbPrivilege 3180 svchost.exe

description	pid	process
Token: SeTcbPrivilege	3180	svchost.exe
Token: SeTcbPrivilege	3180	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exeaa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

pid	process
4264	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
2016	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exesvchost.exeaa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exeaa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.execmd.exe

description	pid	process	target process
PID 4264 wrote to memory of 3080	4264	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 4264 wrote to memory of 3080	4264	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 4264 wrote to memory of 3080	4264	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 3180 wrote to memory of 2016	3180	svchost.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 3180 wrote to memory of 2016	3180	svchost.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 3180 wrote to memory of 2016	3180	svchost.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 2016 wrote to memory of 3092	2016	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 2016 wrote to memory of 3092	2016	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 2016 wrote to memory of 3092	2016	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
PID 3080 wrote to memory of 4792	3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	cmd.exe
PID 3080 wrote to memory of 4792	3080	aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe	cmd.exe
PID 4792 wrote to memory of 308	4792	cmd.exe	netsh.exe
PID 4792 wrote to memory of 308	4792	cmd.exe	netsh.exe
PID 4792 wrote to memory of 4520	4792	cmd.exe	netsh.exe
PID 4792 wrote to memory of 4520	4792	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
"C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
  C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
    "C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe
      C:\Users\Admin\AppData\Local\Temp\aa193db9460c9e0fd373d2fb1f84b1c4485f559ae97db128a267d530c24efdef.exe"
      4⤵
      PID:3092
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4792
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      PID:308
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      Modifies Windows Firewall
      PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-153-0x0000000000000000-mapping.dmp

Download
memory/2016-143-0x0000000000000000-mapping.dmp

Download
memory/2016-151-0x0000000077C20000-0x0000000077DC3000-memory.dmp

Filesize
1.6MB

Download
memory/2016-150-0x00007FFE7DA10000-0x00007FFE7DC05000-memory.dmp

Filesize
2.0MB

Download
memory/2016-149-0x0000000002190000-0x0000000002197000-memory.dmp

Filesize
28KB

Download
memory/3080-137-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/3080-133-0x0000000000000000-mapping.dmp

Download
memory/3080-144-0x00007FFE7DA10000-0x00007FFE7DC05000-memory.dmp

Filesize
2.0MB

Download
memory/3080-166-0x0000000077C20000-0x0000000077DC3000-memory.dmp

Filesize
1.6MB

Download
memory/3080-145-0x0000000077C20000-0x0000000077DC3000-memory.dmp

Filesize
1.6MB

Download
memory/3080-165-0x00007FFE7DA10000-0x00007FFE7DC05000-memory.dmp

Filesize
2.0MB

Download
memory/3080-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3080-155-0x00000000006F0000-0x00000000006F7000-memory.dmp

Filesize
28KB

Download
memory/3092-162-0x00000000005E0000-0x00000000005E7000-memory.dmp

Filesize
28KB

Download
memory/3092-163-0x00007FFE7DA10000-0x00007FFE7DC05000-memory.dmp

Filesize
2.0MB

Download
memory/3092-164-0x0000000077C20000-0x0000000077DC3000-memory.dmp

Filesize
1.6MB

Download
memory/3092-148-0x0000000000000000-mapping.dmp

Download
memory/4264-134-0x00007FFE7DA10000-0x00007FFE7DC05000-memory.dmp

Filesize
2.0MB

Download
memory/4264-136-0x0000000077C20000-0x0000000077DC3000-memory.dmp

Filesize
1.6MB

Download
memory/4264-135-0x00000000006D0000-0x00000000006D7000-memory.dmp

Filesize
28KB

Download
memory/4264-132-0x00000000006D0000-0x00000000006D7000-memory.dmp

Filesize
28KB

Download
memory/4520-154-0x0000000000000000-mapping.dmp

Download
memory/4792-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads