Analysis
- max time kernel: 154s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-11-2022 18:05
Behavioral task: behavioral1
- Sample: 7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe
- Resource: win10v2004-20220901-en
General
- Target: 7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe
- Size: 21KB
- MD5: a3ec315f74f4eb882253bb147a4ab410
- SHA1: 02bff27c982f24e7472df1c0284dfb1e46a2cc3c
- SHA256: 7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8
- SHA512: a5349e7e2b12608114297bb35820c52198bb1631d8293483f410a0a24be6a14a8adde230814e6cf071e7d026fcd7595f470440c4eacc625b3722a2a4542fbcdb
- SSDEEP: 384:7rwgu4oJuTJj+XZ9Y9qkyUI07jn6qq9fUaIfqfxWkqxrF6ZlvH38R0VKRxxxxxb0:HaJU+Je9Lwjn9fU7q55AQDHr7V
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  description: PID 2268 created 1812; pid 2268 svchost.exe; procid_target 79
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  pid 2176 bcdedit.exe
  pid 2516 bcdedit.exe
- Deletes backup catalog
  pid 1500 wbadmin.exe
- YARA rule match: upx
  resource behavioral2/memory/1812-132-0x0000000000400000-0x000000000041F000-memory.dmp (yara_rule upx)
  resource behavioral2/memory/5032-135-0x0000000000400000-0x000000000041F000-memory.dmp (yara_rule upx)
  resource behavioral2/memory/1812-142-0x0000000000400000-0x000000000041F000-memory.dmp (yara_rule upx)
  resource behavioral2/memory/5032-143-0x0000000000400000-0x000000000041F000-memory.dmp (yara_rule upx)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe\"" (Process: 7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe)
- Drops desktop.ini file(s) (3 IoCs)
  File opened for modification C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini (Process: 7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe)
  File opened for modification C:\Program Files\desktop.ini (Process: 7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI (Process: 7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe)
- Drops file in Program Files directory (64 IoCs)
- Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (Process: vds.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (Process: vds.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (Process: vds.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (Process: vds.exe)
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 1928 vssadmin.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Token privileges adjusted, grouped here by process (the report lists every entry separately; repeats are noted):
  pid 2268 svchost.exe: SeTcbPrivilege (listed twice)
  pid 1104 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 856 WMIC.exe (the whole set listed twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 2924 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 2268 svchost.exe wrote to memory of 5032 (procid_target 81), listed 7 times
  PID 1812 7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe wrote to memory of 5012 (procid_target 82), listed 2 times
  PID 5012 cmd.exe wrote to memory of 1928 (procid_target 84), listed 2 times
  PID 5012 cmd.exe wrote to memory of 856 (procid_target 87), listed 2 times
  PID 5012 cmd.exe wrote to memory of 2176 (procid_target 88), listed 2 times
  PID 5012 cmd.exe wrote to memory of 2516 (procid_target 89), listed 2 times
  PID 5012 cmd.exe wrote to memory of 1500 (procid_target 90), listed 2 times
Processes (process tree; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe"
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1812

  C:\Users\Admin\AppData\Local\Temp\7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7eeb07b3e012c8722c9712ca1b82bab3ef74cdf928f47536733d7a5946ae43b8.exe" n1812
    PID:5032

  C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    PID:5012

    C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID:1928

    C:\Windows\System32\Wbem\WMIC.exe
      command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID:856

    C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID:2176

    C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID:2516

    C:\Windows\system32\wbadmin.exe
      command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
      PID:1500

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1104

C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID:2924

C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID:2988

C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID:3968
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 356B
  MD5: 8d0758a1e8139ecd68671576b3c1a109
  SHA1: c244b4b17773636f410038addbc3bf6d2d78c4f6
  SHA256: 098a283933e512d9f065e9ef25eff4c62b18ec304cb151e89338e3bb7bdcb9cd
  SHA512: 77dca004ae721dbca94d80f891b33b97ae1f2e059bf8e4829b8e454cd23ce49f00efe990b726e58baadb98ed10c09dfb86f4fb8e14b6180c70ef0d1105222fca