phobos | b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e

General

Target

b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
Size

138KB
MD5

89ecb17e4dd618967b8d31ce34052c2b
SHA1

1c2c6d8809bb77ead595fa41faac6b3861df18aa
SHA256

b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e
SHA512

7fa8c7017d8f643943046487ddeff50328db39cd79c6d967e47e788ff0dadc284e34864b4c99bd5b970237e1517e5fb5da4c474cb60f37dfd0c36bcd19855d4c
SSDEEP

3072:dQRrmzwR5JrGJNnVUQRrmzwR5JEQRrmzwR5JS:dQxR5JrGRUQxR5JEQxR5JS

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2512 created 4444 2512 svchost.exe b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4288 bcdedit.exe
4808 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4828 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1160 netsh.exe
4680 netsh.exe

description	pid	process	target process
PID 2512 created 4444	2512	svchost.exe	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

pid	process
4288	bcdedit.exe
4808	bcdedit.exe

pid	process
4828	wbadmin.exe

pid	process
1160	netsh.exe
4680	netsh.exe

Drops startup file 1 IoCs

Processes:

b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e = "C:\\Users\\Admin\\AppData\\Local\\b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe"	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e = "C:\\Users\\Admin\\AppData\\Local\\b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe"	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

Drops file in Program Files directory 64 IoCs

Processes:

b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\hu.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\7zG.exe.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\AssertPush.emf.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\AddLimit.vbs.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.id[031A454E-3108].[[email protected]].eking	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2104 vssadmin.exe

pid	process
2104	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

pid	process
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

svchost.exeb0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeTcbPrivilege	2512	svchost.exe
Token: SeTcbPrivilege	2512	svchost.exe
Token: SeDebugPrivilege	4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
Token: SeBackupPrivilege	4416	vssvc.exe
Token: SeRestorePrivilege	4416	vssvc.exe
Token: SeAuditPrivilege	4416	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3292	WMIC.exe
Token: SeSecurityPrivilege	3292	WMIC.exe
Token: SeTakeOwnershipPrivilege	3292	WMIC.exe
Token: SeLoadDriverPrivilege	3292	WMIC.exe
Token: SeSystemProfilePrivilege	3292	WMIC.exe
Token: SeSystemtimePrivilege	3292	WMIC.exe
Token: SeProfSingleProcessPrivilege	3292	WMIC.exe
Token: SeIncBasePriorityPrivilege	3292	WMIC.exe
Token: SeCreatePagefilePrivilege	3292	WMIC.exe
Token: SeBackupPrivilege	3292	WMIC.exe
Token: SeRestorePrivilege	3292	WMIC.exe
Token: SeShutdownPrivilege	3292	WMIC.exe
Token: SeDebugPrivilege	3292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3292	WMIC.exe
Token: SeRemoteShutdownPrivilege	3292	WMIC.exe
Token: SeUndockPrivilege	3292	WMIC.exe
Token: SeManageVolumePrivilege	3292	WMIC.exe
Token: 33	3292	WMIC.exe
Token: 34	3292	WMIC.exe
Token: 35	3292	WMIC.exe
Token: 36	3292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3292	WMIC.exe
Token: SeSecurityPrivilege	3292	WMIC.exe
Token: SeTakeOwnershipPrivilege	3292	WMIC.exe
Token: SeLoadDriverPrivilege	3292	WMIC.exe
Token: SeSystemProfilePrivilege	3292	WMIC.exe
Token: SeSystemtimePrivilege	3292	WMIC.exe
Token: SeProfSingleProcessPrivilege	3292	WMIC.exe
Token: SeIncBasePriorityPrivilege	3292	WMIC.exe
Token: SeCreatePagefilePrivilege	3292	WMIC.exe
Token: SeBackupPrivilege	3292	WMIC.exe
Token: SeRestorePrivilege	3292	WMIC.exe
Token: SeShutdownPrivilege	3292	WMIC.exe
Token: SeDebugPrivilege	3292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3292	WMIC.exe
Token: SeRemoteShutdownPrivilege	3292	WMIC.exe
Token: SeUndockPrivilege	3292	WMIC.exe
Token: SeManageVolumePrivilege	3292	WMIC.exe
Token: 33	3292	WMIC.exe
Token: 34	3292	WMIC.exe
Token: 35	3292	WMIC.exe
Token: 36	3292	WMIC.exe
Token: SeBackupPrivilege	3876	wbengine.exe
Token: SeRestorePrivilege	3876	wbengine.exe
Token: SeSecurityPrivilege	3876	wbengine.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

svchost.exeb0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.execmd.execmd.exe

description	pid	process	target process
PID 2512 wrote to memory of 4800	2512	svchost.exe	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
PID 2512 wrote to memory of 4800	2512	svchost.exe	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
PID 2512 wrote to memory of 4800	2512	svchost.exe	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
PID 4444 wrote to memory of 3588	4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe	cmd.exe
PID 4444 wrote to memory of 3588	4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe	cmd.exe
PID 4444 wrote to memory of 5008	4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe	cmd.exe
PID 4444 wrote to memory of 5008	4444	b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe	cmd.exe
PID 5008 wrote to memory of 1160	5008	cmd.exe	netsh.exe
PID 5008 wrote to memory of 1160	5008	cmd.exe	netsh.exe
PID 3588 wrote to memory of 2104	3588	cmd.exe	vssadmin.exe
PID 3588 wrote to memory of 2104	3588	cmd.exe	vssadmin.exe
PID 3588 wrote to memory of 3292	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 3292	3588	cmd.exe	WMIC.exe
PID 3588 wrote to memory of 4288	3588	cmd.exe	bcdedit.exe
PID 3588 wrote to memory of 4288	3588	cmd.exe	bcdedit.exe
PID 3588 wrote to memory of 4808	3588	cmd.exe	bcdedit.exe
PID 3588 wrote to memory of 4808	3588	cmd.exe	bcdedit.exe
PID 3588 wrote to memory of 4828	3588	cmd.exe	wbadmin.exe
PID 3588 wrote to memory of 4828	3588	cmd.exe	wbadmin.exe
PID 5008 wrote to memory of 4680	5008	cmd.exe	netsh.exe
PID 5008 wrote to memory of 4680	5008	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
"C:\Users\Admin\AppData\Local\Temp\b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe
  "C:\Users\Admin\AppData\Local\Temp\b0e2a8c3c5d57571c7892940ab531925a2b0451964afd3035f1293062ca6d64e.exe"
  2⤵
  PID:4800
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1160
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:4680
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4288
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4808
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512