Analysis
max time kernel: 150s
max time network: 105s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 18-01-2023 08:49

Static task: static1
Behavioral task: behavioral1
  Sample: 11.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 11.exe
  Resource: win10-20220901-en
General
Target: 11.exe
Size: 55KB
MD5: d5b1a26c5c3b592c7008f440a36be0c3
SHA1: ac56976f6a5c9da52651d7a220a7a73e0d83b08a
SHA256: 818f1f91d4975dc988b1fc8d0380ce45f414623bd52b045a3f36241c859c90fc
SHA512: 2499b52bb1241ed091fc12404cf63446322015999b7d10afc8fd19d56ae8b58b73bad76723a4832b227d624e09271605135e19b17a75c7f003f91a4d7deb60ee
SSDEEP: 1536:UNeRBl5PT/rx1mzwRMSTdLpJg0BxI0qvGY:UQRrmzwR5JLI0l
Malware Config
Extracted
C:\users\public\desktop\info.hta
Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
pid   process
5044  bcdedit.exe
4320  bcdedit.exe
2828  bcdedit.exe
4764  bcdedit.exe

Deletes backup catalog
Processes:
pid   process
4920  wbadmin.exe
1816  wbadmin.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 11.exe
description                   ioc
File opened for modification  C:\Users\Admin\Pictures\BlockRead.tiff
File opened for modification  C:\Users\Admin\Pictures\CopyMount.tiff
Drops startup file 3 IoCs
Processes: 11.exe
description                   ioc
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[70578ED8-2822].[[email protected]].eight
File created                  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\11.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes: 11.exe
description      ioc
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11 = "C:\\Users\\Admin\\AppData\\Local\\11.exe"
Set value (str)  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\11 = "C:\\Users\\Admin\\AppData\\Local\\11.exe"
Drops desktop.ini file(s) 64 IoCs
Processes: 11.exe
description                   ioc
File opened for modification  C:\Users\Admin\OneDrive\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
File opened for modification  C:\Users\Public\Music\desktop.ini
File opened for modification  C:\Users\Admin\Saved Games\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
File opened for modification  C:\Users\Public\Documents\desktop.ini
File opened for modification  C:\Users\Public\Videos\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File opened for modification  C:\Users\Admin\Music\desktop.ini
File opened for modification  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
File opened for modification  C:\Users\Admin\Videos\desktop.ini
File opened for modification  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification  C:\Users\Admin\Favorites\Links\desktop.ini
File opened for modification  C:\Users\Admin\Searches\desktop.ini
File opened for modification  C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification  C:\Users\Admin\Downloads\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
File opened for modification  C:\Users\Admin\Contacts\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification  C:\Users\Public\Downloads\desktop.ini
File opened for modification  C:\$Recycle.Bin\S-1-5-21-2368682536-4045190062-1465778271-1000\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
File opened for modification  C:\Users\Public\desktop.ini
File opened for modification  C:\Users\Public\Libraries\desktop.ini
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File opened for modification  C:\Users\Admin\Pictures\desktop.ini
File opened for modification  C:\Users\Admin\Desktop\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification  C:\Users\Public\Desktop\desktop.ini
File opened for modification  C:\Program Files (x86)\desktop.ini
File opened for modification  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
File opened for modification  C:\Users\Admin\Documents\desktop.ini
File opened for modification  C:\Users\Admin\Links\desktop.ini
File opened for modification  C:\Users\Public\AccountPictures\desktop.ini
File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification  C:\Users\Public\Pictures\desktop.ini
File opened for modification  C:\Program Files\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
File opened for modification  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
Drops file in Program Files directory 64 IoCs
Processes: 11.exe
description                   ioc
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ko.dll
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.properties
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_13s.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6536_36x36x32.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.targetsize-16_contrast-black.png
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons.png.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\sz_60x42.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\resources.pri
File opened for modification  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Images\BlankImage.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\ui-strings.js
File opened for modification  C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png
File opened for modification  C:\Program Files\Windows Defender\Offline\MsMpCom.dll
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\3_badges_none.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ge_60x42.png
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-400.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif
File created                  C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms
File created                  C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[70578ED8-2822].[[email protected]].eight
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIF.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeXMP.dll
File created                  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\STINTL.DLL.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl
File created                  C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\Square44x44Logo.targetsize-256.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css
File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll
File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageAppList.scale-125.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gy_60x42.png
File created                  C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\CHART.DLL.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Square.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\ui-strings.js.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Should.Tests.ps1
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-search.jar
File opened for modification  C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-100_contrast-black.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_rotate.png
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_zh_CN.jar
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml
File created                  C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\jre\bin\w2k_lsa_auth.dll
File created                  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar.id[70578ED8-2822].[[email protected]].eight
File created                  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\starttile.dualsim2.wink.scale-150.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectAppList.targetsize-80.png
File created                  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot.cur.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3007_40x40x32.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-200.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-24_altform-unplated.png
File opened for modification  C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\Microsoft.PowerShell.PackageManagement.resources.dll
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif
File opened for modification  C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms
File opened for modification  C:\Program Files\Microsoft Office\root\Office16\1033\STSLISTI.DLL
File created                  C:\Program Files\Microsoft Office\root\Office16\upe.dll.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-white\Icon.targetsize-256.png
File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\186.png
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\favicon.ico
File created                  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id[70578ED8-2822].[[email protected]].eight
File created                  C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo.id[70578ED8-2822].[[email protected]].eight
File opened for modification  C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\178.png
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vds.exe
description        ioc
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid   process
4836  vssadmin.exe
4800  vssadmin.exe

Modifies registry class 1 IoCs
Processes: 11.exe
description  ioc
Key created  \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
1748  11.exe  (the same pid/process pair is recorded 64 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description                           pid   process
Token: SeDebugPrivilege               1748  11.exe
Token: SeBackupPrivilege              4256  vssvc.exe
Token: SeRestorePrivilege             4256  vssvc.exe
Token: SeAuditPrivilege               4256  vssvc.exe
Token: SeIncreaseQuotaPrivilege       4472  WMIC.exe
Token: SeSecurityPrivilege            4472  WMIC.exe
Token: SeTakeOwnershipPrivilege       4472  WMIC.exe
Token: SeLoadDriverPrivilege          4472  WMIC.exe
Token: SeSystemProfilePrivilege       4472  WMIC.exe
Token: SeSystemtimePrivilege          4472  WMIC.exe
Token: SeProfSingleProcessPrivilege   4472  WMIC.exe
Token: SeIncBasePriorityPrivilege     4472  WMIC.exe
Token: SeCreatePagefilePrivilege      4472  WMIC.exe
Token: SeBackupPrivilege              4472  WMIC.exe
Token: SeRestorePrivilege             4472  WMIC.exe
Token: SeShutdownPrivilege            4472  WMIC.exe
Token: SeDebugPrivilege               4472  WMIC.exe
Token: SeSystemEnvironmentPrivilege   4472  WMIC.exe
Token: SeRemoteShutdownPrivilege      4472  WMIC.exe
Token: SeUndockPrivilege              4472  WMIC.exe
Token: SeManageVolumePrivilege        4472  WMIC.exe
Token: 33                             4472  WMIC.exe
Token: 34                             4472  WMIC.exe
Token: 35                             4472  WMIC.exe
Token: 36                             4472  WMIC.exe
Token: SeIncreaseQuotaPrivilege       4472  WMIC.exe
Token: SeSecurityPrivilege            4472  WMIC.exe
Token: SeTakeOwnershipPrivilege       4472  WMIC.exe
Token: SeLoadDriverPrivilege          4472  WMIC.exe
Token: SeSystemProfilePrivilege       4472  WMIC.exe
Token: SeSystemtimePrivilege          4472  WMIC.exe
Token: SeProfSingleProcessPrivilege   4472  WMIC.exe
Token: SeIncBasePriorityPrivilege     4472  WMIC.exe
Token: SeCreatePagefilePrivilege      4472  WMIC.exe
Token: SeBackupPrivilege              4472  WMIC.exe
Token: SeRestorePrivilege             4472  WMIC.exe
Token: SeShutdownPrivilege            4472  WMIC.exe
Token: SeDebugPrivilege               4472  WMIC.exe
Token: SeSystemEnvironmentPrivilege   4472  WMIC.exe
Token: SeRemoteShutdownPrivilege      4472  WMIC.exe
Token: SeUndockPrivilege              4472  WMIC.exe
Token: SeManageVolumePrivilege        4472  WMIC.exe
Token: 33                             4472  WMIC.exe
Token: 34                             4472  WMIC.exe
Token: 35                             4472  WMIC.exe
Token: 36                             4472  WMIC.exe
Token: SeBackupPrivilege              4564  wbengine.exe
Token: SeRestorePrivilege             4564  wbengine.exe
Token: SeSecurityPrivilege            4564  wbengine.exe
Token: SeIncreaseQuotaPrivilege       4888  WMIC.exe
Token: SeSecurityPrivilege            4888  WMIC.exe
Token: SeTakeOwnershipPrivilege       4888  WMIC.exe
Token: SeLoadDriverPrivilege          4888  WMIC.exe
Token: SeSystemProfilePrivilege       4888  WMIC.exe
Token: SeSystemtimePrivilege          4888  WMIC.exe
Token: SeProfSingleProcessPrivilege   4888  WMIC.exe
Token: SeIncBasePriorityPrivilege     4888  WMIC.exe
Token: SeCreatePagefilePrivilege      4888  WMIC.exe
Token: SeBackupPrivilege              4888  WMIC.exe
Token: SeRestorePrivilege             4888  WMIC.exe
Token: SeShutdownPrivilege            4888  WMIC.exe
Token: SeDebugPrivilege               4888  WMIC.exe
Token: SeSystemEnvironmentPrivilege   4888  WMIC.exe
Token: SeRemoteShutdownPrivilege      4888  WMIC.exe
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
source pid  target pid  source process  target process
1748        3736        11.exe          cmd.exe
1748        3736        11.exe          cmd.exe
1748        8           11.exe          cmd.exe
1748        8           11.exe          cmd.exe
8           4252        cmd.exe         netsh.exe
8           4252        cmd.exe         netsh.exe
3736        4836        cmd.exe         vssadmin.exe
3736        4836        cmd.exe         vssadmin.exe
8           4932        cmd.exe         netsh.exe
8           4932        cmd.exe         netsh.exe
3736        4472        cmd.exe         WMIC.exe
3736        4472        cmd.exe         WMIC.exe
3736        5044        cmd.exe         bcdedit.exe
3736        5044        cmd.exe         bcdedit.exe
3736        4320        cmd.exe         bcdedit.exe
3736        4320        cmd.exe         bcdedit.exe
3736        4920        cmd.exe         wbadmin.exe
3736        4920        cmd.exe         wbadmin.exe
1748        2764        11.exe          mshta.exe
1748        2764        11.exe          mshta.exe
1748        2764        11.exe          mshta.exe
1748        408         11.exe          mshta.exe
1748        408         11.exe          mshta.exe
1748        408         11.exe          mshta.exe
1748        2856        11.exe          mshta.exe
1748        2856        11.exe          mshta.exe
1748        2856        11.exe          mshta.exe
1748        468         11.exe          cmd.exe
1748        468         11.exe          cmd.exe
468         4800        cmd.exe         vssadmin.exe
468         4800        cmd.exe         vssadmin.exe
468         4888        cmd.exe         WMIC.exe
468         4888        cmd.exe         WMIC.exe
468         2828        cmd.exe         bcdedit.exe
468         2828        cmd.exe         bcdedit.exe
468         4764        cmd.exe         bcdedit.exe
468         4764        cmd.exe         bcdedit.exe
468         1816        cmd.exe         wbadmin.exe
468         1816        cmd.exe         wbadmin.exe
Processes
(process image, command line, PID; children indented under their parent)

C:\Users\Admin\AppData\Local\Temp\11.exe  "C:\Users\Admin\AppData\Local\Temp\11.exe"  PID:1748
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\11.exe  "C:\Users\Admin\AppData\Local\Temp\11.exe"  PID:5088
  C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe"  PID:3736
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe  vssadmin delete shadows /all /quiet  PID:4836
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\WMIC.exe  wmic shadowcopy delete  PID:4472
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\bcdedit.exe  bcdedit /set {default} bootstatuspolicy ignoreallfailures  PID:5044
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe  bcdedit /set {default} recoveryenabled no  PID:4320
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\wbadmin.exe  wbadmin delete catalog -quiet  PID:4920
      - Deletes backup catalog
  C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe"  PID:8
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\netsh.exe  netsh advfirewall set currentprofile state off  PID:4252
      - Modifies Windows Firewall
    C:\Windows\system32\netsh.exe  netsh firewall set opmode mode=disable  PID:4932
      - Modifies Windows Firewall
  C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}  PID:2764
  C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}  PID:408
  C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}  PID:2856
  C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe"  PID:468
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\vssadmin.exe  vssadmin delete shadows /all /quiet  PID:4800
      - Interacts with shadow copies
    C:\Windows\System32\Wbem\WMIC.exe  wmic shadowcopy delete  PID:4888
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\bcdedit.exe  bcdedit /set {default} bootstatuspolicy ignoreallfailures  PID:2828
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\bcdedit.exe  bcdedit /set {default} recoveryenabled no  PID:4764
      - Modifies boot configuration data using bcdedit
    C:\Windows\system32\wbadmin.exe  wbadmin delete catalog -quiet  PID:1816
      - Deletes backup catalog

C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  PID:4256
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe  "C:\Windows\system32\wbengine.exe"  PID:4564
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe  C:\Windows\System32\vdsldr.exe -Embedding  PID:3184

C:\Windows\System32\vds.exe  C:\Windows\System32\vds.exe  PID:4656
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 4KB
MD5: 0074441412bfbd096e9bc3b37eb57b1f
SHA1: 7f71e3292383d1c29fb724fa65dd7c6ae054e841
SHA256: 4532b5bb5fe5e0b3cace6ba0b8063b3ff091b650d8297eed091b5f2285bf2083
SHA512: 312bffa50b4564bca29aebedb46911ccf53b404c09cfff50b82bd5815f5c29fe2d675c0bf5e1167333b9efa3958d3b45bb90cf147c9c32d70d9e591910fb0ed5

Filesize: 4KB
MD5: 0074441412bfbd096e9bc3b37eb57b1f
SHA1: 7f71e3292383d1c29fb724fa65dd7c6ae054e841
SHA256: 4532b5bb5fe5e0b3cace6ba0b8063b3ff091b650d8297eed091b5f2285bf2083
SHA512: 312bffa50b4564bca29aebedb46911ccf53b404c09cfff50b82bd5815f5c29fe2d675c0bf5e1167333b9efa3958d3b45bb90cf147c9c32d70d9e591910fb0ed5

Filesize: 4KB
MD5: 0074441412bfbd096e9bc3b37eb57b1f
SHA1: 7f71e3292383d1c29fb724fa65dd7c6ae054e841
SHA256: 4532b5bb5fe5e0b3cace6ba0b8063b3ff091b650d8297eed091b5f2285bf2083
SHA512: 312bffa50b4564bca29aebedb46911ccf53b404c09cfff50b82bd5815f5c29fe2d675c0bf5e1167333b9efa3958d3b45bb90cf147c9c32d70d9e591910fb0ed5