phobos | d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf

General

Target

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Size

55KB
MD5

498ee5cf9c611ba7ed2379414d0bb010
SHA1

c4f779d08633a53e7a03c702eafbe3314055aa18
SHA256

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf
SHA512

8dad911c0b59485dafd6ddcf879774016f8d63690085d4840e422b44735e82140ad177e9e7663b6cc474214461693219142b55e93fd853a593925752fbaa2761
SSDEEP

1536:KNeRBl5PT/rx1mzwRMSTdLpJYXRBawzpK:KQRrmzwR5J4e

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1940 bcdedit.exe
1992 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1296 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

920 netsh.exe
1628 netsh.exe

pid	process
1940	bcdedit.exe
1992	bcdedit.exe

pid	process
1296	wbadmin.exe

pid	process
920	netsh.exe
1628	netsh.exe

Drops startup file 1 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf = "C:\\Users\\Admin\\AppData\\Local\\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf = "C:\\Users\\Admin\\AppData\\Local\\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Drops file in Program Files directory 64 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Andorra.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Anadyr	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jakarta	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Stockholm	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_ja.jar.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jre7\bin\jfxmedia.dll.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\gu.pak	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\BlockRepair.mp2v	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_socket.dll.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\plugin.jar.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jawt.dll	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jre7\lib\zi\Asia\Bishkek.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Kaliningrad	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Microsoft Games\Chess\en-US\Chess.exe.mui.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Internet Explorer\jsprofilerui.dll	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_100_percent.pak.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Mexico_City.id[06F472CC-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Memo.emf	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_es.properties	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1608 vssadmin.exe

pid	process
1608	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

pid	process
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Token: SeBackupPrivilege	340	vssvc.exe
Token: SeRestorePrivilege	340	vssvc.exe
Token: SeAuditPrivilege	340	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1872	WMIC.exe
Token: SeSecurityPrivilege	1872	WMIC.exe
Token: SeTakeOwnershipPrivilege	1872	WMIC.exe
Token: SeLoadDriverPrivilege	1872	WMIC.exe
Token: SeSystemProfilePrivilege	1872	WMIC.exe
Token: SeSystemtimePrivilege	1872	WMIC.exe
Token: SeProfSingleProcessPrivilege	1872	WMIC.exe
Token: SeIncBasePriorityPrivilege	1872	WMIC.exe
Token: SeCreatePagefilePrivilege	1872	WMIC.exe
Token: SeBackupPrivilege	1872	WMIC.exe
Token: SeRestorePrivilege	1872	WMIC.exe
Token: SeShutdownPrivilege	1872	WMIC.exe
Token: SeDebugPrivilege	1872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1872	WMIC.exe
Token: SeRemoteShutdownPrivilege	1872	WMIC.exe
Token: SeUndockPrivilege	1872	WMIC.exe
Token: SeManageVolumePrivilege	1872	WMIC.exe
Token: 33	1872	WMIC.exe
Token: 34	1872	WMIC.exe
Token: 35	1872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1872	WMIC.exe
Token: SeSecurityPrivilege	1872	WMIC.exe
Token: SeTakeOwnershipPrivilege	1872	WMIC.exe
Token: SeLoadDriverPrivilege	1872	WMIC.exe
Token: SeSystemProfilePrivilege	1872	WMIC.exe
Token: SeSystemtimePrivilege	1872	WMIC.exe
Token: SeProfSingleProcessPrivilege	1872	WMIC.exe
Token: SeIncBasePriorityPrivilege	1872	WMIC.exe
Token: SeCreatePagefilePrivilege	1872	WMIC.exe
Token: SeBackupPrivilege	1872	WMIC.exe
Token: SeRestorePrivilege	1872	WMIC.exe
Token: SeShutdownPrivilege	1872	WMIC.exe
Token: SeDebugPrivilege	1872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1872	WMIC.exe
Token: SeRemoteShutdownPrivilege	1872	WMIC.exe
Token: SeUndockPrivilege	1872	WMIC.exe
Token: SeManageVolumePrivilege	1872	WMIC.exe
Token: 33	1872	WMIC.exe
Token: 34	1872	WMIC.exe
Token: 35	1872	WMIC.exe
Token: SeBackupPrivilege	472	wbengine.exe
Token: SeRestorePrivilege	472	wbengine.exe
Token: SeSecurityPrivilege	472	wbengine.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.execmd.execmd.exe

description	pid	process	target process
PID 848 wrote to memory of 1976	848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 848 wrote to memory of 1976	848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 848 wrote to memory of 1976	848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 848 wrote to memory of 1976	848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 848 wrote to memory of 624	848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 848 wrote to memory of 624	848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 848 wrote to memory of 624	848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 848 wrote to memory of 624	848	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 1976 wrote to memory of 1608	1976	cmd.exe	vssadmin.exe
PID 1976 wrote to memory of 1608	1976	cmd.exe	vssadmin.exe
PID 1976 wrote to memory of 1608	1976	cmd.exe	vssadmin.exe
PID 624 wrote to memory of 920	624	cmd.exe	netsh.exe
PID 624 wrote to memory of 920	624	cmd.exe	netsh.exe
PID 624 wrote to memory of 920	624	cmd.exe	netsh.exe
PID 624 wrote to memory of 1628	624	cmd.exe	netsh.exe
PID 624 wrote to memory of 1628	624	cmd.exe	netsh.exe
PID 624 wrote to memory of 1628	624	cmd.exe	netsh.exe
PID 1976 wrote to memory of 1872	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1872	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1872	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 1940	1976	cmd.exe	bcdedit.exe
PID 1976 wrote to memory of 1940	1976	cmd.exe	bcdedit.exe
PID 1976 wrote to memory of 1940	1976	cmd.exe	bcdedit.exe
PID 1976 wrote to memory of 1992	1976	cmd.exe	bcdedit.exe
PID 1976 wrote to memory of 1992	1976	cmd.exe	bcdedit.exe
PID 1976 wrote to memory of 1992	1976	cmd.exe	bcdedit.exe
PID 1976 wrote to memory of 1296	1976	cmd.exe	wbadmin.exe
PID 1976 wrote to memory of 1296	1976	cmd.exe	wbadmin.exe
PID 1976 wrote to memory of 1296	1976	cmd.exe	wbadmin.exe

C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
"C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
  "C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"
  2⤵
  PID:1292
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1608
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1940
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1992
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:1296
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:920
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:1628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-57-0x0000000000000000-mapping.dmp

Download
memory/848-54-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/920-59-0x0000000000000000-mapping.dmp

Download
memory/920-60-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp

Filesize
8KB

Download
memory/1296-66-0x0000000000000000-mapping.dmp

Download
memory/1608-58-0x0000000000000000-mapping.dmp

Download
memory/1628-61-0x0000000000000000-mapping.dmp

Download
memory/1872-63-0x0000000000000000-mapping.dmp

Download
memory/1940-64-0x0000000000000000-mapping.dmp

Download
memory/1976-56-0x0000000000000000-mapping.dmp

Download
memory/1992-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads