phobos | bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732

General

Target

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
Size

56KB
MD5

f7352e7f837f64fb08008a0edcfe5261
SHA1

d8df24afe3e378017660648d88e4fd73e2c4e16b
SHA256

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732
SHA512

1bd3d41f564e1f3c44c02874df8e94e261a169b58e00a2348f3fd9ce9d3d5df44f3df39713343d02c69ebc597e041280dccb352244d8d3596301e007eec1d84e
SSDEEP

1536:gNeRBl5PT/rx1mzwRMSTdLpJ5qE4ROWUur:gQRrmzwR5Jk/Uur

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1284 created 4744 1284 svchost.exe bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4560 bcdedit.exe
896 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3804 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

1360 netsh.exe
3324 netsh.exe

description	pid	process	target process
PID 1284 created 4744	1284	svchost.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

pid	process
4560	bcdedit.exe
896	bcdedit.exe

pid	process
3804	wbadmin.exe

pid	process
1360	netsh.exe
3324	netsh.exe

Drops startup file 1 IoCs

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732 = "C:\\Users\\Admin\\AppData\\Local\\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe"	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732 = "C:\\Users\\Admin\\AppData\\Local\\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe"	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Drops desktop.ini file(s) 23 IoCs

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Drops file in Program Files directory 64 IoCs

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\resources.pri	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-lightunplated.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-black_targetsize-48.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-200.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-125.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\identity_helper.Sparse.Stable.msix.DATA	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-32.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-150.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-100.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ar.pak.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-48.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-lightunplated.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\AddStroke_Illustration.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageWideTile.scale-100.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-129.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-64_altform-unplated_contrast-black.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DLL.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-execution.jar	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Numerics.dll	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\LargeTile.scale-125.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-72_altform-unplated.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\exportpdfupsell-app-tool-view.js	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\glib-lite.dll.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-64.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-32_altform-unplated.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-unplated_contrast-white.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\PUSH.WAV.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaTypewriterRegular.ttf.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\vlc.mo	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Diagnostics.dll.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-96.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\remove.svg	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Context.ps1	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.properties.src.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-24_altform-unplated_contrast-white.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\simplexml.luac.id[A6D0F982-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_filter_18.svg	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

800 vssadmin.exe

pid	process
800	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

pid	process
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

svchost.exebc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeTcbPrivilege	1284	svchost.exe
Token: SeTcbPrivilege	1284	svchost.exe
Token: SeDebugPrivilege	4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
Token: SeBackupPrivilege	1636	vssvc.exe
Token: SeRestorePrivilege	1636	vssvc.exe
Token: SeAuditPrivilege	1636	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1348	WMIC.exe
Token: SeSecurityPrivilege	1348	WMIC.exe
Token: SeTakeOwnershipPrivilege	1348	WMIC.exe
Token: SeLoadDriverPrivilege	1348	WMIC.exe
Token: SeSystemProfilePrivilege	1348	WMIC.exe
Token: SeSystemtimePrivilege	1348	WMIC.exe
Token: SeProfSingleProcessPrivilege	1348	WMIC.exe
Token: SeIncBasePriorityPrivilege	1348	WMIC.exe
Token: SeCreatePagefilePrivilege	1348	WMIC.exe
Token: SeBackupPrivilege	1348	WMIC.exe
Token: SeRestorePrivilege	1348	WMIC.exe
Token: SeShutdownPrivilege	1348	WMIC.exe
Token: SeDebugPrivilege	1348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1348	WMIC.exe
Token: SeRemoteShutdownPrivilege	1348	WMIC.exe
Token: SeUndockPrivilege	1348	WMIC.exe
Token: SeManageVolumePrivilege	1348	WMIC.exe
Token: 33	1348	WMIC.exe
Token: 34	1348	WMIC.exe
Token: 35	1348	WMIC.exe
Token: 36	1348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1348	WMIC.exe
Token: SeSecurityPrivilege	1348	WMIC.exe
Token: SeTakeOwnershipPrivilege	1348	WMIC.exe
Token: SeLoadDriverPrivilege	1348	WMIC.exe
Token: SeSystemProfilePrivilege	1348	WMIC.exe
Token: SeSystemtimePrivilege	1348	WMIC.exe
Token: SeProfSingleProcessPrivilege	1348	WMIC.exe
Token: SeIncBasePriorityPrivilege	1348	WMIC.exe
Token: SeCreatePagefilePrivilege	1348	WMIC.exe
Token: SeBackupPrivilege	1348	WMIC.exe
Token: SeRestorePrivilege	1348	WMIC.exe
Token: SeShutdownPrivilege	1348	WMIC.exe
Token: SeDebugPrivilege	1348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1348	WMIC.exe
Token: SeRemoteShutdownPrivilege	1348	WMIC.exe
Token: SeUndockPrivilege	1348	WMIC.exe
Token: SeManageVolumePrivilege	1348	WMIC.exe
Token: 33	1348	WMIC.exe
Token: 34	1348	WMIC.exe
Token: 35	1348	WMIC.exe
Token: 36	1348	WMIC.exe
Token: SeBackupPrivilege	3588	wbengine.exe
Token: SeRestorePrivilege	3588	wbengine.exe
Token: SeSecurityPrivilege	3588	wbengine.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

svchost.exebc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.execmd.execmd.exe

description	pid	process	target process
PID 1284 wrote to memory of 3996	1284	svchost.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
PID 1284 wrote to memory of 3996	1284	svchost.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
PID 1284 wrote to memory of 3996	1284	svchost.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
PID 4744 wrote to memory of 220	4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 4744 wrote to memory of 220	4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 4744 wrote to memory of 224	4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 4744 wrote to memory of 224	4744	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 224 wrote to memory of 800	224	cmd.exe	vssadmin.exe
PID 224 wrote to memory of 800	224	cmd.exe	vssadmin.exe
PID 220 wrote to memory of 1360	220	cmd.exe	netsh.exe
PID 220 wrote to memory of 1360	220	cmd.exe	netsh.exe
PID 220 wrote to memory of 3324	220	cmd.exe	netsh.exe
PID 220 wrote to memory of 3324	220	cmd.exe	netsh.exe
PID 224 wrote to memory of 1348	224	cmd.exe	WMIC.exe
PID 224 wrote to memory of 1348	224	cmd.exe	WMIC.exe
PID 224 wrote to memory of 4560	224	cmd.exe	bcdedit.exe
PID 224 wrote to memory of 4560	224	cmd.exe	bcdedit.exe
PID 224 wrote to memory of 896	224	cmd.exe	bcdedit.exe
PID 224 wrote to memory of 896	224	cmd.exe	bcdedit.exe
PID 224 wrote to memory of 3804	224	cmd.exe	wbadmin.exe
PID 224 wrote to memory of 3804	224	cmd.exe	wbadmin.exe

C:\Users\Admin\AppData\Local\Temp\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
"C:\Users\Admin\AppData\Local\Temp\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
  "C:\Users\Admin\AppData\Local\Temp\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe"
  2⤵
  PID:3996
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:800
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4560
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:896
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3804
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1360
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:3324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284