phobos | 9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d

General

Target

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
Size

56KB
MD5

8cffb643c8773ff71c8879fe20074f71
SHA1

4ed2f6d803b03262becdc6045f04aca8a4fd5c4c
SHA256

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d
SHA512

c3e8913c95f527e00f41488fa48285e297af014d01ef2a8d2f9fccdf7f7ce7c23bfcc6cad9128892fb80d8f6181e32427b9dd6bf247638788333e1dca9c01769
SSDEEP

1536:gNeRBl5PT/rx1mzwRMSTdLpJ0ifl+/wA1rK:gQRrmzwR5JkwAE

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security issue with your computer. If you want to restore them, write to us by email [email protected] If you have not received a response within 24 hours, write to us at Jabber: [email protected] Write this ID in the title of your message 661B4385-3327 You will have to pay for decryption in bitcoins. The price depends on how quickly you write to us. After payment, we will send you a tool that will decrypt all your files. Free decryption as guarantee We can decrypt 1 small, not important file as proof of decryption. 1 megabyte of an unarchived file. We never decrypt important files for testing, such as XLS, databases and other important files. How to obtain Bitcoins Write to us and we will instruct you how to buy Bitcoin Attention! If you ask for help from third parties, know that they raise the price (they add their own price from ours). Contact us for help and we will help you buy Bitcoin, it's not difficult. Our experts will fully tell you how to buy bitcoin. Jabber client installation instructions: Download the jabber (Pidgin) client from https://pidgin.im/download/windows/ After installation, the Pidgin client will prompt you to create a new account. Click "Add" In the "Protocol" field, select XMPP In "Username" - come up with any name In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im Create a password At the bottom, put a tick "Create account" Click add If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data: User password You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, this may lead to irreversible data loss. No one else will be able to return your files except us!

Emails

[email protected]

URLs

https://pidgin.im/download/windows/

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3820 created 5020 3820 svchost.exe 9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

360 bcdedit.exe
1476 bcdedit.exe
272 bcdedit.exe
296 bcdedit.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1560 wbadmin.exe
2120 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4836 netsh.exe
1232 netsh.exe

description	pid	process	target process
PID 3820 created 5020	3820	svchost.exe	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

pid	process
360	bcdedit.exe
1476	bcdedit.exe
272	bcdedit.exe
296	bcdedit.exe

pid	process
1560	wbadmin.exe
2120	wbadmin.exe

pid	process
4836	netsh.exe
1232	netsh.exe

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SearchMount.tiff	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

Drops startup file 3 IoCs

Processes:

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d = "C:\\Users\\Admin\\AppData\\Local\\9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe"	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d = "C:\\Users\\Admin\\AppData\\Local\\9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe"	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Public\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

Drops file in Program Files directory 64 IoCs

Processes:

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\sysinfo	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\ui-strings.js	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-96_altform-unplated.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\ui-strings.js.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-pl.xrm-ms.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-125.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedge_200_percent.pak.DATA.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OCLTINT.DLL	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-125.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\187.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\27.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-125_contrast-white.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-40_contrast-black.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-200_contrast-black.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\WindowsAccessBridge-64.dll	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\word2013bw.dotx	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-30_altform-unplated.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.strings.psd1	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\management.dll	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\ext\access-bridge-64.jar.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordcnvr.dll	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_BadgeLogo.scale-100.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_File_Transfer_Complete.m4a	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_es_135x40.svg.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\ui-strings.js.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-focus_32.svg.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\zipfs.jar	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CACH.LEX.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phones-small.png	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons.png.id[661B4385-3327].[[email protected]].Devos	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4764 vssadmin.exe
2316 vssadmin.exe

pid	process
4764	vssadmin.exe
2316	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

pid	process
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exe9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeTcbPrivilege	3820	svchost.exe
Token: SeTcbPrivilege	3820	svchost.exe
Token: SeDebugPrivilege	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
Token: SeBackupPrivilege	4812	vssvc.exe
Token: SeRestorePrivilege	4812	vssvc.exe
Token: SeAuditPrivilege	4812	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe
Token: SeSecurityPrivilege	3944	WMIC.exe
Token: SeTakeOwnershipPrivilege	3944	WMIC.exe
Token: SeLoadDriverPrivilege	3944	WMIC.exe
Token: SeSystemProfilePrivilege	3944	WMIC.exe
Token: SeSystemtimePrivilege	3944	WMIC.exe
Token: SeProfSingleProcessPrivilege	3944	WMIC.exe
Token: SeIncBasePriorityPrivilege	3944	WMIC.exe
Token: SeCreatePagefilePrivilege	3944	WMIC.exe
Token: SeBackupPrivilege	3944	WMIC.exe
Token: SeRestorePrivilege	3944	WMIC.exe
Token: SeShutdownPrivilege	3944	WMIC.exe
Token: SeDebugPrivilege	3944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3944	WMIC.exe
Token: SeRemoteShutdownPrivilege	3944	WMIC.exe
Token: SeUndockPrivilege	3944	WMIC.exe
Token: SeManageVolumePrivilege	3944	WMIC.exe
Token: 33	3944	WMIC.exe
Token: 34	3944	WMIC.exe
Token: 35	3944	WMIC.exe
Token: 36	3944	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3944	WMIC.exe
Token: SeSecurityPrivilege	3944	WMIC.exe
Token: SeTakeOwnershipPrivilege	3944	WMIC.exe
Token: SeLoadDriverPrivilege	3944	WMIC.exe
Token: SeSystemProfilePrivilege	3944	WMIC.exe
Token: SeSystemtimePrivilege	3944	WMIC.exe
Token: SeProfSingleProcessPrivilege	3944	WMIC.exe
Token: SeIncBasePriorityPrivilege	3944	WMIC.exe
Token: SeCreatePagefilePrivilege	3944	WMIC.exe
Token: SeBackupPrivilege	3944	WMIC.exe
Token: SeRestorePrivilege	3944	WMIC.exe
Token: SeShutdownPrivilege	3944	WMIC.exe
Token: SeDebugPrivilege	3944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3944	WMIC.exe
Token: SeRemoteShutdownPrivilege	3944	WMIC.exe
Token: SeUndockPrivilege	3944	WMIC.exe
Token: SeManageVolumePrivilege	3944	WMIC.exe
Token: 33	3944	WMIC.exe
Token: 34	3944	WMIC.exe
Token: 35	3944	WMIC.exe
Token: 36	3944	WMIC.exe
Token: SeBackupPrivilege	1312	wbengine.exe
Token: SeRestorePrivilege	1312	wbengine.exe
Token: SeSecurityPrivilege	1312	wbengine.exe
Token: SeIncreaseQuotaPrivilege	5088	WMIC.exe
Token: SeSecurityPrivilege	5088	WMIC.exe
Token: SeTakeOwnershipPrivilege	5088	WMIC.exe
Token: SeLoadDriverPrivilege	5088	WMIC.exe
Token: SeSystemProfilePrivilege	5088	WMIC.exe
Token: SeSystemtimePrivilege	5088	WMIC.exe
Token: SeProfSingleProcessPrivilege	5088	WMIC.exe
Token: SeIncBasePriorityPrivilege	5088	WMIC.exe
Token: SeCreatePagefilePrivilege	5088	WMIC.exe
Token: SeBackupPrivilege	5088	WMIC.exe
Token: SeRestorePrivilege	5088	WMIC.exe
Token: SeShutdownPrivilege	5088	WMIC.exe
Token: SeDebugPrivilege	5088	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

svchost.exe9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3820 wrote to memory of 4496	3820	svchost.exe	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
PID 3820 wrote to memory of 4496	3820	svchost.exe	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
PID 3820 wrote to memory of 4496	3820	svchost.exe	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
PID 5020 wrote to memory of 3048	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	cmd.exe
PID 5020 wrote to memory of 3048	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	cmd.exe
PID 5020 wrote to memory of 5016	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	cmd.exe
PID 5020 wrote to memory of 5016	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	cmd.exe
PID 5016 wrote to memory of 4836	5016	cmd.exe	netsh.exe
PID 5016 wrote to memory of 4836	5016	cmd.exe	netsh.exe
PID 3048 wrote to memory of 4764	3048	cmd.exe	vssadmin.exe
PID 3048 wrote to memory of 4764	3048	cmd.exe	vssadmin.exe
PID 5016 wrote to memory of 1232	5016	cmd.exe	netsh.exe
PID 5016 wrote to memory of 1232	5016	cmd.exe	netsh.exe
PID 3048 wrote to memory of 3944	3048	cmd.exe	WMIC.exe
PID 3048 wrote to memory of 3944	3048	cmd.exe	WMIC.exe
PID 3048 wrote to memory of 360	3048	cmd.exe	bcdedit.exe
PID 3048 wrote to memory of 360	3048	cmd.exe	bcdedit.exe
PID 3048 wrote to memory of 1476	3048	cmd.exe	bcdedit.exe
PID 3048 wrote to memory of 1476	3048	cmd.exe	bcdedit.exe
PID 3048 wrote to memory of 1560	3048	cmd.exe	wbadmin.exe
PID 3048 wrote to memory of 1560	3048	cmd.exe	wbadmin.exe
PID 5020 wrote to memory of 3420	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	mshta.exe
PID 5020 wrote to memory of 3420	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	mshta.exe
PID 5020 wrote to memory of 3420	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	mshta.exe
PID 5020 wrote to memory of 2948	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	mshta.exe
PID 5020 wrote to memory of 2948	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	mshta.exe
PID 5020 wrote to memory of 2948	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	mshta.exe
PID 5020 wrote to memory of 1388	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	mshta.exe
PID 5020 wrote to memory of 1388	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	mshta.exe
PID 5020 wrote to memory of 1388	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	mshta.exe
PID 5020 wrote to memory of 5056	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	cmd.exe
PID 5020 wrote to memory of 5056	5020	9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe	cmd.exe
PID 5056 wrote to memory of 2316	5056	cmd.exe	vssadmin.exe
PID 5056 wrote to memory of 2316	5056	cmd.exe	vssadmin.exe
PID 5056 wrote to memory of 5088	5056	cmd.exe	WMIC.exe
PID 5056 wrote to memory of 5088	5056	cmd.exe	WMIC.exe
PID 5056 wrote to memory of 272	5056	cmd.exe	bcdedit.exe
PID 5056 wrote to memory of 272	5056	cmd.exe	bcdedit.exe
PID 5056 wrote to memory of 296	5056	cmd.exe	bcdedit.exe
PID 5056 wrote to memory of 296	5056	cmd.exe	bcdedit.exe
PID 5056 wrote to memory of 2120	5056	cmd.exe	wbadmin.exe
PID 5056 wrote to memory of 2120	5056	cmd.exe	wbadmin.exe

C:\Users\Admin\AppData\Local\Temp\9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
"C:\Users\Admin\AppData\Local\Temp\9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Users\Admin\AppData\Local\Temp\9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe
  "C:\Users\Admin\AppData\Local\Temp\9704a4959ec0edb5b82732944be3665e80ed974dec17ab401545ee21069da08d.exe"
  2⤵
  PID:4496
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4836
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1232
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4764
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3944
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:360
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1476
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:1560
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:3420
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:2948
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:1388
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5088
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:272
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:296
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\info.hta

Filesize
6KB

MD5
05cc8cd94ff2d1646ec4deb6e27b773b

SHA1
669a4a5db0be1084c606aca791c467e3d18bcc58

SHA256
0f6e600e9f48d12e729b7e8c1a8afb402eff85f6125b548f353ec123eb4f0c82

SHA512
68524ea2b344692571d9939f4a844d7118b82ce5316abf457185a2689bc829410400da6a05fb5c0bbff84684b8d61368d44c5bd1e6956bd79f2ce46d531254bb

Download Submit
C:\info.hta

Filesize
6KB

MD5
05cc8cd94ff2d1646ec4deb6e27b773b

SHA1
669a4a5db0be1084c606aca791c467e3d18bcc58

SHA256
0f6e600e9f48d12e729b7e8c1a8afb402eff85f6125b548f353ec123eb4f0c82

SHA512
68524ea2b344692571d9939f4a844d7118b82ce5316abf457185a2689bc829410400da6a05fb5c0bbff84684b8d61368d44c5bd1e6956bd79f2ce46d531254bb

Download Submit
C:\users\public\desktop\info.hta

Filesize
6KB

MD5
05cc8cd94ff2d1646ec4deb6e27b773b

SHA1
669a4a5db0be1084c606aca791c467e3d18bcc58

SHA256
0f6e600e9f48d12e729b7e8c1a8afb402eff85f6125b548f353ec123eb4f0c82

SHA512
68524ea2b344692571d9939f4a844d7118b82ce5316abf457185a2689bc829410400da6a05fb5c0bbff84684b8d61368d44c5bd1e6956bd79f2ce46d531254bb

Download Submit
memory/272-151-0x0000000000000000-mapping.dmp

Download
memory/296-152-0x0000000000000000-mapping.dmp

Download
memory/360-139-0x0000000000000000-mapping.dmp

Download
memory/1232-137-0x0000000000000000-mapping.dmp

Download
memory/1388-144-0x0000000000000000-mapping.dmp

Download
memory/1476-140-0x0000000000000000-mapping.dmp

Download
memory/1560-141-0x0000000000000000-mapping.dmp

Download
memory/2120-153-0x0000000000000000-mapping.dmp

Download
memory/2316-146-0x0000000000000000-mapping.dmp

Download
memory/2948-143-0x0000000000000000-mapping.dmp

Download
memory/3048-133-0x0000000000000000-mapping.dmp

Download
memory/3420-142-0x0000000000000000-mapping.dmp

Download
memory/3944-138-0x0000000000000000-mapping.dmp

Download
memory/4496-132-0x0000000000000000-mapping.dmp

Download
memory/4764-136-0x0000000000000000-mapping.dmp

Download
memory/4836-135-0x0000000000000000-mapping.dmp

Download
memory/5016-134-0x0000000000000000-mapping.dmp

Download
memory/5056-145-0x0000000000000000-mapping.dmp

Download
memory/5088-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads