neshta | 2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
Size

97KB
MD5

54c2b90fd9364cd39cecff8ab112b825
SHA1

96c0c98dcce84e3bbec643083ce675664173bfd2
SHA256

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba
SHA512

2e243d990243a80908531f3dc8910df796be6c87b964fbd84192e8161463d4460b552b5136379e789741f80abddfe77e77e81c4dcca9057881959a0d9dc1f3ce
SSDEEP

1536:JxqjQ+P04wsmJCGf0sKkr0EU5NeRBl5PT/rx1mzwRMSTdLpJUM:sr85CG07QRrmzwR5Jx

Score

10^/10

neshta phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta payload 1 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1948 bcdedit.exe
1264 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2032 wbadmin.exe

pid	process
1948	bcdedit.exe
1264	bcdedit.exe

pid	process
2032	wbadmin.exe

Executes dropped EXE 2 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

pid	process
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1304	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1120 netsh.exe
1264 netsh.exe

pid	process
1120	netsh.exe
1264	netsh.exe

Drops startup file 1 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Loads dropped DLL 12 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exeMsiExec.exemsiexec.exeMsiExec.exe

pid	process
620	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
620	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
620	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
1600	MsiExec.exe
904	msiexec.exe
904	msiexec.exe
212	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba = "C:\\Users\\Admin\\AppData\\Local\\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba = "C:\\Users\\Admin\\AppData\\Local\\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Drops desktop.ini file(s) 10 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jre7\release	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Brisbane	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Management.Instrumentation.Resources.dll	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mauritius.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Printing.resources.dll	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jre7\bin\jp2ssv.dll.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\TwemojiMozilla.ttf	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Budapest.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Puerto_Rico.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es-419.pak	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\charsets.jar.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\snmp.acl.template	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine_2.3.0.v20140506-1720.jar.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-awt.jar.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CST6CDT	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Internet Explorer\ieproxy.dll	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\SendSync.wpl.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar.id[7A23E49D-3404].[[email protected]].Elbie	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Drops file in Windows directory 13 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
File created	C:\Windows\Installer\6d585e.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A59.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C8E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI921A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6d585e.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D6D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6386.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6635.tmp	msiexec.exe
File created	C:\Windows\Installer\6d5860.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8BA2.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1764 vssadmin.exe

pid	process
1764	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

pid	process
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exevssvc.exemsiexec.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
Token: SeBackupPrivilege	1320	vssvc.exe
Token: SeRestorePrivilege	1320	vssvc.exe
Token: SeAuditPrivilege	1320	vssvc.exe
Token: SeRestorePrivilege	904	msiexec.exe
Token: SeTakeOwnershipPrivilege	904	msiexec.exe
Token: SeSecurityPrivilege	904	msiexec.exe
Token: SeRestorePrivilege	904	msiexec.exe
Token: SeTakeOwnershipPrivilege	904	msiexec.exe
Token: SeRestorePrivilege	904	msiexec.exe
Token: SeTakeOwnershipPrivilege	904	msiexec.exe
Token: SeRestorePrivilege	904	msiexec.exe
Token: SeTakeOwnershipPrivilege	904	msiexec.exe
Token: SeRestorePrivilege	904	msiexec.exe
Token: SeTakeOwnershipPrivilege	904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1392	WMIC.exe
Token: SeSecurityPrivilege	1392	WMIC.exe
Token: SeTakeOwnershipPrivilege	1392	WMIC.exe
Token: SeLoadDriverPrivilege	1392	WMIC.exe
Token: SeSystemProfilePrivilege	1392	WMIC.exe
Token: SeSystemtimePrivilege	1392	WMIC.exe
Token: SeProfSingleProcessPrivilege	1392	WMIC.exe
Token: SeIncBasePriorityPrivilege	1392	WMIC.exe
Token: SeCreatePagefilePrivilege	1392	WMIC.exe
Token: SeBackupPrivilege	1392	WMIC.exe
Token: SeRestorePrivilege	1392	WMIC.exe
Token: SeShutdownPrivilege	1392	WMIC.exe
Token: SeDebugPrivilege	1392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1392	WMIC.exe
Token: SeRemoteShutdownPrivilege	1392	WMIC.exe
Token: SeUndockPrivilege	1392	WMIC.exe
Token: SeManageVolumePrivilege	1392	WMIC.exe
Token: 33	1392	WMIC.exe
Token: 34	1392	WMIC.exe
Token: 35	1392	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1392	WMIC.exe
Token: SeSecurityPrivilege	1392	WMIC.exe
Token: SeTakeOwnershipPrivilege	1392	WMIC.exe
Token: SeLoadDriverPrivilege	1392	WMIC.exe
Token: SeSystemProfilePrivilege	1392	WMIC.exe
Token: SeSystemtimePrivilege	1392	WMIC.exe
Token: SeProfSingleProcessPrivilege	1392	WMIC.exe
Token: SeIncBasePriorityPrivilege	1392	WMIC.exe
Token: SeCreatePagefilePrivilege	1392	WMIC.exe
Token: SeBackupPrivilege	1392	WMIC.exe
Token: SeRestorePrivilege	1392	WMIC.exe
Token: SeShutdownPrivilege	1392	WMIC.exe
Token: SeDebugPrivilege	1392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1392	WMIC.exe
Token: SeRemoteShutdownPrivilege	1392	WMIC.exe
Token: SeUndockPrivilege	1392	WMIC.exe
Token: SeManageVolumePrivilege	1392	WMIC.exe
Token: 33	1392	WMIC.exe
Token: 34	1392	WMIC.exe
Token: 35	1392	WMIC.exe
Token: SeBackupPrivilege	1564	wbengine.exe
Token: SeRestorePrivilege	1564	wbengine.exe
Token: SeSecurityPrivilege	1564	wbengine.exe
Token: SeRestorePrivilege	904	msiexec.exe
Token: SeTakeOwnershipPrivilege	904	msiexec.exe
Token: SeRestorePrivilege	904	msiexec.exe
Token: SeTakeOwnershipPrivilege	904	msiexec.exe
Token: SeRestorePrivilege	904	msiexec.exe
Token: SeTakeOwnershipPrivilege	904	msiexec.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.execmd.execmd.exemsiexec.exe

description	pid	process	target process
PID 620 wrote to memory of 1252	620	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
PID 620 wrote to memory of 1252	620	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
PID 620 wrote to memory of 1252	620	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
PID 620 wrote to memory of 1252	620	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
PID 1252 wrote to memory of 1492	1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	cmd.exe
PID 1252 wrote to memory of 1492	1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	cmd.exe
PID 1252 wrote to memory of 1492	1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	cmd.exe
PID 1252 wrote to memory of 660	1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	cmd.exe
PID 1252 wrote to memory of 1492	1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	cmd.exe
PID 1252 wrote to memory of 660	1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	cmd.exe
PID 1252 wrote to memory of 660	1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	cmd.exe
PID 1252 wrote to memory of 660	1252	2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe	cmd.exe
PID 1492 wrote to memory of 1120	1492	cmd.exe	netsh.exe
PID 1492 wrote to memory of 1120	1492	cmd.exe	netsh.exe
PID 1492 wrote to memory of 1120	1492	cmd.exe	netsh.exe
PID 660 wrote to memory of 1764	660	cmd.exe	vssadmin.exe
PID 660 wrote to memory of 1764	660	cmd.exe	vssadmin.exe
PID 660 wrote to memory of 1764	660	cmd.exe	vssadmin.exe
PID 1492 wrote to memory of 1264	1492	cmd.exe	netsh.exe
PID 1492 wrote to memory of 1264	1492	cmd.exe	netsh.exe
PID 1492 wrote to memory of 1264	1492	cmd.exe	netsh.exe
PID 904 wrote to memory of 1600	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 1600	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 1600	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 1600	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 1600	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 1600	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 1600	904	msiexec.exe	MsiExec.exe
PID 660 wrote to memory of 1392	660	cmd.exe	WMIC.exe
PID 660 wrote to memory of 1392	660	cmd.exe	WMIC.exe
PID 660 wrote to memory of 1392	660	cmd.exe	WMIC.exe
PID 660 wrote to memory of 1948	660	cmd.exe	bcdedit.exe
PID 660 wrote to memory of 1948	660	cmd.exe	bcdedit.exe
PID 660 wrote to memory of 1948	660	cmd.exe	bcdedit.exe
PID 660 wrote to memory of 1264	660	cmd.exe	bcdedit.exe
PID 660 wrote to memory of 1264	660	cmd.exe	bcdedit.exe
PID 660 wrote to memory of 1264	660	cmd.exe	bcdedit.exe
PID 660 wrote to memory of 2032	660	cmd.exe	wbadmin.exe
PID 660 wrote to memory of 2032	660	cmd.exe	wbadmin.exe
PID 660 wrote to memory of 2032	660	cmd.exe	wbadmin.exe
PID 904 wrote to memory of 212	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 212	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 212	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 212	904	msiexec.exe	MsiExec.exe
PID 904 wrote to memory of 212	904	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
"C:\Users\Admin\AppData\Local\Temp\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"
1⤵
- Modifies system executable filetype association
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe"
    3⤵
    - Executes dropped EXE
    PID:1304
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1392
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1948
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1264
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2032
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      Modifies Windows Firewall
      PID:1120
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=disable
      4⤵
      Modifies Windows Firewall
      PID:1264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BAB2DED0D4CED0866E8B960EB7D0DCA3
  2⤵
  - Loads dropped DLL
  PID:1600
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A3242E4BC7F185050F27CA89F829DF8E
  2⤵
  - Loads dropped DLL
  PID:212

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:948

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
186KB

MD5
dd88cd2e2873a04f1b44b81e2a40ba87

SHA1
ee29ca31f99fa067cde7d35cec7e64cbb9111650

SHA256
83cd4395b42a80615a1267bb2a2e71dd8953f253f3d50b1d2020c3bc975d0678

SHA512
580c8d2ef4a58ef64885455b4d92dea544e7e56181629cd0146433990f7d8e94008c1b7ab8c4f0dae5ed9b6f14208b5c70f48d0c2168b3258a50ade2ec094fe6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.1MB

MD5
a8caf6e9fe85e20c76bcd41e23481d28

SHA1
bf0ace184cf72cd44abeafa80234290e8912dfe9

SHA256
30aa4e4097dd7f51fbdf7ee0a34d17e01a8feb0b677421ff704f85d8485b267b

SHA512
988228d5bfd7668eb744d102e2405ad1c9de8b9cec16fe75f97c1db1d158f0aafca94fa842b0a3420c2a1812a44f5739c5b2e4f1ac0a36c2d839bce4a56758e5

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
859KB

MD5
e13383b5b1f1eeadbc837a8c07ca8911

SHA1
3c3dce72323c4262962921dce61d8106f1578570

SHA256
51e4db873d14549cfc617f0a48ecfd06c6ec885917493e1e62476db55f6faed1

SHA512
dca8d18b24c267fdd8a66309ebfcdba0bb54885e7135508c9460bcb61b8dfb24a29cc2b9ad635a76a4d3ec34759869d93060fbda0ed04318106841c9b1c2ec7a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe

Filesize
547KB

MD5
b70e12a99078046b5137685709b549ab

SHA1
05a8ca2e6bb4769b81f99d197a26d33201c1f726

SHA256
472490b5d497151edb0ce65fec9f236a262a39a17f5340d2f94de49e2d2c4a24

SHA512
76059ab7a263a13d2fb44d1eaaf42c6b5d6cbc6f3617f9d8aa1f304e43a9e8e8e287f7d5c32284165e32ff3c22bae06e7ac25174161490063120ea27628d67c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Filesize
56KB

MD5
0315ae9ac71bb7366887ccefd4ae80aa

SHA1
a60fb81131fc39e52e1854d0dc9ca358bb1d9983

SHA256
afd2d4ec293f67be46f6ad8bca6150867de652be66115ddd469ba8720fda40a7

SHA512
b56f195532fd835d72e207d5b2032b43b76c03c3d6c0cbd21d9546ff81b21abd41dd4c85888c1c4c24c7048dca61c1a63488ae9a4b90d5801389e37612165a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Filesize
56KB

MD5
0315ae9ac71bb7366887ccefd4ae80aa

SHA1
a60fb81131fc39e52e1854d0dc9ca358bb1d9983

SHA256
afd2d4ec293f67be46f6ad8bca6150867de652be66115ddd469ba8720fda40a7

SHA512
b56f195532fd835d72e207d5b2032b43b76c03c3d6c0cbd21d9546ff81b21abd41dd4c85888c1c4c24c7048dca61c1a63488ae9a4b90d5801389e37612165a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Filesize
56KB

MD5
0315ae9ac71bb7366887ccefd4ae80aa

SHA1
a60fb81131fc39e52e1854d0dc9ca358bb1d9983

SHA256
afd2d4ec293f67be46f6ad8bca6150867de652be66115ddd469ba8720fda40a7

SHA512
b56f195532fd835d72e207d5b2032b43b76c03c3d6c0cbd21d9546ff81b21abd41dd4c85888c1c4c24c7048dca61c1a63488ae9a4b90d5801389e37612165a23

Download Submit
C:\Windows\Installer\MSI5D6D.tmp

Filesize
257KB

MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
C:\Windows\Installer\MSI6386.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSI6635.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSI8A59.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\MSI8BE1.tmp

Filesize
148KB

MD5
33908aa43ac0aaabc06a58d51b1c2cca

SHA1
0a0d1ce3435abe2eed635481bac69e1999031291

SHA256
4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

SHA512
d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

Download Submit
C:\Windows\Installer\MSI8C8E.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSI921A.tmp

Filesize
86KB

MD5
ff58cd07bf4913ef899efd2dfb112553

SHA1
f14c1681de808543071602f17a6299f8b4ba2ae8

SHA256
1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

SHA512
23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL

Filesize
953KB

MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Program Files\Microsoft Office\Office14\VISSHE.DLL

Filesize
953KB

MD5
2f4759c23abcd639ac3ca7f8fa9480ac

SHA1
9a3fece585fa01b7b941e124ead0c39c8ce9bc7c

SHA256
6d66fa59407862e0fddfcb36472fe810eb308653321ca0e374ac870f9aa8cec6

SHA512
6ab14d6a8d3e9a751d68133e734cc804de2b50a7ef223d484d0f727cdfbd00d48f6e0666c3b86a0daf9ca42c0b726f6c2a088e5bb32c993748abfea7b5904ec6

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Filesize
56KB

MD5
0315ae9ac71bb7366887ccefd4ae80aa

SHA1
a60fb81131fc39e52e1854d0dc9ca358bb1d9983

SHA256
afd2d4ec293f67be46f6ad8bca6150867de652be66115ddd469ba8720fda40a7

SHA512
b56f195532fd835d72e207d5b2032b43b76c03c3d6c0cbd21d9546ff81b21abd41dd4c85888c1c4c24c7048dca61c1a63488ae9a4b90d5801389e37612165a23

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\2491121455a502cad9422ca91297c6fb89acb84ef8c26cc1a8bcebf694f9f5ba.exe

Filesize
56KB

MD5
0315ae9ac71bb7366887ccefd4ae80aa

SHA1
a60fb81131fc39e52e1854d0dc9ca358bb1d9983

SHA256
afd2d4ec293f67be46f6ad8bca6150867de652be66115ddd469ba8720fda40a7

SHA512
b56f195532fd835d72e207d5b2032b43b76c03c3d6c0cbd21d9546ff81b21abd41dd4c85888c1c4c24c7048dca61c1a63488ae9a4b90d5801389e37612165a23

Download Submit
\Windows\Installer\MSI5D6D.tmp

Filesize
257KB

MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
\Windows\Installer\MSI6386.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Windows\Installer\MSI6635.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Windows\Installer\MSI8A59.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
\Windows\Installer\MSI8BE1.tmp

Filesize
148KB

MD5
33908aa43ac0aaabc06a58d51b1c2cca

SHA1
0a0d1ce3435abe2eed635481bac69e1999031291

SHA256
4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

SHA512
d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

Download Submit
\Windows\Installer\MSI8C8E.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
\Windows\Installer\MSI921A.tmp

Filesize
86KB

MD5
ff58cd07bf4913ef899efd2dfb112553

SHA1
f14c1681de808543071602f17a6299f8b4ba2ae8

SHA256
1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

SHA512
23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

Download Submit
memory/212-97-0x0000000000000000-mapping.dmp

Download
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/660-65-0x0000000000000000-mapping.dmp

Download
memory/1120-69-0x000007FEFC331000-0x000007FEFC333000-memory.dmp

Filesize
8KB

Download
memory/1120-66-0x0000000000000000-mapping.dmp

Download
memory/1252-57-0x0000000000000000-mapping.dmp

Download
memory/1264-70-0x0000000000000000-mapping.dmp

Download
memory/1264-86-0x0000000000000000-mapping.dmp

Download
memory/1392-84-0x0000000000000000-mapping.dmp

Download
memory/1492-64-0x0000000000000000-mapping.dmp

Download
memory/1600-76-0x0000000000000000-mapping.dmp

Download
memory/1764-67-0x0000000000000000-mapping.dmp

Download
memory/1948-85-0x0000000000000000-mapping.dmp

Download
memory/2032-87-0x0000000000000000-mapping.dmp

Download