phobos | a07410f5b618fd091c0ad7db523b3c2f365bc5a762303cf3ae9280b985196ced

General

Target

de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
Size

611KB
MD5

dfa8f311db9cb2886f75989267bbd47f
SHA1

3c476565086765f896f4bf99b2900c0c1a427384
SHA256

de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c
SHA512

bb935e031e25f7ff4ef54d3b788c44d692449cecc3354628b27efa534840b202c721a6c93a4ff586fbdf222ab4905f74245588974a228c227c24787db145bcc4
SSDEEP

12288:h1GVyBfUDi9EUb4kAH/w0mpKMgxxcLHgh:uVy1UDCb3sFxFh

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4852 created 4600 4852 svchost.exe de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3140 bcdedit.exe
1092 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1316 wbadmin.exe

description	pid	process	target process
PID 4852 created 4600	4852	svchost.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

pid	process
3140	bcdedit.exe
1092	bcdedit.exe

pid	process
1316	wbadmin.exe

Drops startup file 1 IoCs

Processes:

de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c = "C:\\Users\\Admin\\AppData\\Local\\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe"	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c = "C:\\Users\\Admin\\AppData\\Local\\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe"	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\desktop.ini	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exede43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

description	pid	process	target process
PID 2532 set thread context of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 set thread context of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

Drops file in Program Files directory 64 IoCs

Processes:

de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\Xusage.txt	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\javafx-mx.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\management.dll.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\eventlog_provider.dll.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface_3.10.1.v20140813-1009.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ar.pak.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightRegular.ttf.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ja_5.5.0.165303.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\v8_context_snapshot.bin.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\jvm.dll.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\locale\core_ja.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_ko.properties.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-explorer.xml	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\et.pak.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgePackages.h	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\zh-CN.pak.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.h.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterBold.ttf	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar.id[7B246E68-2275].[[email protected]].help	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4252 vssadmin.exe

pid	process
4252	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

pid	process
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

svchost.exede43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exevssvc.exeWMIC.exewbengine.exede43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

description	pid	process
Token: SeTcbPrivilege	4852	svchost.exe
Token: SeTcbPrivilege	4852	svchost.exe
Token: SeDebugPrivilege	4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
Token: SeBackupPrivilege	4232	vssvc.exe
Token: SeRestorePrivilege	4232	vssvc.exe
Token: SeAuditPrivilege	4232	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5068	WMIC.exe
Token: SeSecurityPrivilege	5068	WMIC.exe
Token: SeTakeOwnershipPrivilege	5068	WMIC.exe
Token: SeLoadDriverPrivilege	5068	WMIC.exe
Token: SeSystemProfilePrivilege	5068	WMIC.exe
Token: SeSystemtimePrivilege	5068	WMIC.exe
Token: SeProfSingleProcessPrivilege	5068	WMIC.exe
Token: SeIncBasePriorityPrivilege	5068	WMIC.exe
Token: SeCreatePagefilePrivilege	5068	WMIC.exe
Token: SeBackupPrivilege	5068	WMIC.exe
Token: SeRestorePrivilege	5068	WMIC.exe
Token: SeShutdownPrivilege	5068	WMIC.exe
Token: SeDebugPrivilege	5068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5068	WMIC.exe
Token: SeRemoteShutdownPrivilege	5068	WMIC.exe
Token: SeUndockPrivilege	5068	WMIC.exe
Token: SeManageVolumePrivilege	5068	WMIC.exe
Token: 33	5068	WMIC.exe
Token: 34	5068	WMIC.exe
Token: 35	5068	WMIC.exe
Token: 36	5068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5068	WMIC.exe
Token: SeSecurityPrivilege	5068	WMIC.exe
Token: SeTakeOwnershipPrivilege	5068	WMIC.exe
Token: SeLoadDriverPrivilege	5068	WMIC.exe
Token: SeSystemProfilePrivilege	5068	WMIC.exe
Token: SeSystemtimePrivilege	5068	WMIC.exe
Token: SeProfSingleProcessPrivilege	5068	WMIC.exe
Token: SeIncBasePriorityPrivilege	5068	WMIC.exe
Token: SeCreatePagefilePrivilege	5068	WMIC.exe
Token: SeBackupPrivilege	5068	WMIC.exe
Token: SeRestorePrivilege	5068	WMIC.exe
Token: SeShutdownPrivilege	5068	WMIC.exe
Token: SeDebugPrivilege	5068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5068	WMIC.exe
Token: SeRemoteShutdownPrivilege	5068	WMIC.exe
Token: SeUndockPrivilege	5068	WMIC.exe
Token: SeManageVolumePrivilege	5068	WMIC.exe
Token: 33	5068	WMIC.exe
Token: 34	5068	WMIC.exe
Token: 35	5068	WMIC.exe
Token: 36	5068	WMIC.exe
Token: SeBackupPrivilege	3836	wbengine.exe
Token: SeRestorePrivilege	3836	wbengine.exe
Token: SeSecurityPrivilege	3836	wbengine.exe
Token: SeDebugPrivilege	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exesvchost.exede43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.execmd.exede43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

C:\Users\Admin\AppData\Local\Temp\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
"C:\Users\Admin\AppData\Local\Temp\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
  "{path}"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
    "C:\Users\Admin\AppData\Local\Temp\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
      "{path}"
      4⤵
      PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
      "{path}"
      4⤵
      PID:3328
  - - C:\Users\Admin\AppData\Local\Temp\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
      "{path}"
      4⤵
      PID:4500
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5068
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3140
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1092
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1568

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1092-149-0x0000000000000000-mapping.dmp

Download
memory/1316-150-0x0000000000000000-mapping.dmp

Download
memory/1348-141-0x0000000000000000-mapping.dmp

Download
memory/1428-144-0x0000000000000000-mapping.dmp

Download
memory/2532-136-0x0000000007F30000-0x0000000007FCC000-memory.dmp

Filesize
624KB

Download
memory/2532-132-0x0000000000B70000-0x0000000000C0E000-memory.dmp

Filesize
632KB

Download
memory/2532-135-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/2532-134-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/2532-133-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/3140-148-0x0000000000000000-mapping.dmp

Download
memory/3328-152-0x0000000000000000-mapping.dmp

Download
memory/4252-145-0x0000000000000000-mapping.dmp

Download
memory/4500-157-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4500-153-0x0000000000000000-mapping.dmp

Download
memory/4512-151-0x0000000000000000-mapping.dmp

Download
memory/4600-137-0x0000000000000000-mapping.dmp

Download
memory/4600-147-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4600-143-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4600-140-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4600-138-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/5068-146-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 2532 wrote to memory of 4600	2532	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 4852 wrote to memory of 1348	4852	svchost.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 4852 wrote to memory of 1348	4852	svchost.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 4852 wrote to memory of 1348	4852	svchost.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 4600 wrote to memory of 1428	4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	cmd.exe
PID 4600 wrote to memory of 1428	4600	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	cmd.exe
PID 1428 wrote to memory of 4252	1428	cmd.exe	vssadmin.exe
PID 1428 wrote to memory of 4252	1428	cmd.exe	vssadmin.exe
PID 1428 wrote to memory of 5068	1428	cmd.exe	WMIC.exe
PID 1428 wrote to memory of 5068	1428	cmd.exe	WMIC.exe
PID 1428 wrote to memory of 3140	1428	cmd.exe	bcdedit.exe
PID 1428 wrote to memory of 3140	1428	cmd.exe	bcdedit.exe
PID 1428 wrote to memory of 1092	1428	cmd.exe	bcdedit.exe
PID 1428 wrote to memory of 1092	1428	cmd.exe	bcdedit.exe
PID 1428 wrote to memory of 1316	1428	cmd.exe	wbadmin.exe
PID 1428 wrote to memory of 1316	1428	cmd.exe	wbadmin.exe
PID 1348 wrote to memory of 4512	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4512	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4512	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 3328	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 3328	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 3328	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe
PID 1348 wrote to memory of 4500	1348	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe	de43a2031013e66780820a2fa5fb9871a21c97be4a42e65cd1a6efffb222c95c.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads