phobos | d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf

General

Target

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Size

55KB
MD5

498ee5cf9c611ba7ed2379414d0bb010
SHA1

c4f779d08633a53e7a03c702eafbe3314055aa18
SHA256

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf
SHA512

8dad911c0b59485dafd6ddcf879774016f8d63690085d4840e422b44735e82140ad177e9e7663b6cc474214461693219142b55e93fd853a593925752fbaa2761
SSDEEP

1536:KNeRBl5PT/rx1mzwRMSTdLpJYXRBawzpK:KQRrmzwR5J4e

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3268 created 4692 3268 svchost.exe d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4864 bcdedit.exe
4188 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3180 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3036 netsh.exe
3264 netsh.exe

description	pid	process	target process
PID 3268 created 4692	3268	svchost.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

pid	process
4864	bcdedit.exe
4188	bcdedit.exe

pid	process
3180	wbadmin.exe

pid	process
3036	netsh.exe
3264	netsh.exe

Drops startup file 1 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf = "C:\\Users\\Admin\\AppData\\Local\\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf = "C:\\Users\\Admin\\AppData\\Local\\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Drops desktop.ini file(s) 15 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4246620582-653642754-1174164128-1000\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Drops file in Program Files directory 64 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-48_altform-unplated.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\plugin.js	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_et.dll.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\THMBNAIL.PNG	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-150.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-100.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-100_contrast-black.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlInnerCircle.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ppd.xrm-ms.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-48_altform-unplated.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-30.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_2x.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\ui-strings.js.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\AppStore_icon.svg.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\skin.dtd	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\PackageManagementDscUtilities.strings.psd1.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\ui-strings.js	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\ui-strings.js	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\ui-strings.js	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-400.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.171.37\msedgeupdateres_az.dll.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-200_contrast-black.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-100.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100_altform-lightunplated.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\clrcompression.dll	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hu.pak	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\jce.jar.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sl_get.svg	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Preview.scale-200_layoutdir-RTL.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\ui-strings.js	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\TextIntelligence.dll.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\69.png	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe.id[54B162C7-2874].[[email protected]].eking	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

5028 vssadmin.exe

pid	process
5028	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

pid	process
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

svchost.exed50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeTcbPrivilege	3268	svchost.exe
Token: SeTcbPrivilege	3268	svchost.exe
Token: SeDebugPrivilege	4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Token: SeBackupPrivilege	2808	vssvc.exe
Token: SeRestorePrivilege	2808	vssvc.exe
Token: SeAuditPrivilege	2808	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1412	WMIC.exe
Token: SeSecurityPrivilege	1412	WMIC.exe
Token: SeTakeOwnershipPrivilege	1412	WMIC.exe
Token: SeLoadDriverPrivilege	1412	WMIC.exe
Token: SeSystemProfilePrivilege	1412	WMIC.exe
Token: SeSystemtimePrivilege	1412	WMIC.exe
Token: SeProfSingleProcessPrivilege	1412	WMIC.exe
Token: SeIncBasePriorityPrivilege	1412	WMIC.exe
Token: SeCreatePagefilePrivilege	1412	WMIC.exe
Token: SeBackupPrivilege	1412	WMIC.exe
Token: SeRestorePrivilege	1412	WMIC.exe
Token: SeShutdownPrivilege	1412	WMIC.exe
Token: SeDebugPrivilege	1412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1412	WMIC.exe
Token: SeRemoteShutdownPrivilege	1412	WMIC.exe
Token: SeUndockPrivilege	1412	WMIC.exe
Token: SeManageVolumePrivilege	1412	WMIC.exe
Token: 33	1412	WMIC.exe
Token: 34	1412	WMIC.exe
Token: 35	1412	WMIC.exe
Token: 36	1412	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1412	WMIC.exe
Token: SeSecurityPrivilege	1412	WMIC.exe
Token: SeTakeOwnershipPrivilege	1412	WMIC.exe
Token: SeLoadDriverPrivilege	1412	WMIC.exe
Token: SeSystemProfilePrivilege	1412	WMIC.exe
Token: SeSystemtimePrivilege	1412	WMIC.exe
Token: SeProfSingleProcessPrivilege	1412	WMIC.exe
Token: SeIncBasePriorityPrivilege	1412	WMIC.exe
Token: SeCreatePagefilePrivilege	1412	WMIC.exe
Token: SeBackupPrivilege	1412	WMIC.exe
Token: SeRestorePrivilege	1412	WMIC.exe
Token: SeShutdownPrivilege	1412	WMIC.exe
Token: SeDebugPrivilege	1412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1412	WMIC.exe
Token: SeRemoteShutdownPrivilege	1412	WMIC.exe
Token: SeUndockPrivilege	1412	WMIC.exe
Token: SeManageVolumePrivilege	1412	WMIC.exe
Token: 33	1412	WMIC.exe
Token: 34	1412	WMIC.exe
Token: 35	1412	WMIC.exe
Token: 36	1412	WMIC.exe
Token: SeBackupPrivilege	364	wbengine.exe
Token: SeRestorePrivilege	364	wbengine.exe
Token: SeSecurityPrivilege	364	wbengine.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

svchost.exed50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.execmd.execmd.exe

description	pid	process	target process
PID 3268 wrote to memory of 4916	3268	svchost.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
PID 3268 wrote to memory of 4916	3268	svchost.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
PID 3268 wrote to memory of 4916	3268	svchost.exe	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
PID 4692 wrote to memory of 4380	4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 4692 wrote to memory of 4380	4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 4692 wrote to memory of 1480	4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 4692 wrote to memory of 1480	4692	d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe	cmd.exe
PID 4380 wrote to memory of 5028	4380	cmd.exe	vssadmin.exe
PID 4380 wrote to memory of 5028	4380	cmd.exe	vssadmin.exe
PID 1480 wrote to memory of 3036	1480	cmd.exe	netsh.exe
PID 1480 wrote to memory of 3036	1480	cmd.exe	netsh.exe
PID 1480 wrote to memory of 3264	1480	cmd.exe	netsh.exe
PID 1480 wrote to memory of 3264	1480	cmd.exe	netsh.exe
PID 4380 wrote to memory of 1412	4380	cmd.exe	WMIC.exe
PID 4380 wrote to memory of 1412	4380	cmd.exe	WMIC.exe
PID 4380 wrote to memory of 4864	4380	cmd.exe	bcdedit.exe
PID 4380 wrote to memory of 4864	4380	cmd.exe	bcdedit.exe
PID 4380 wrote to memory of 4188	4380	cmd.exe	bcdedit.exe
PID 4380 wrote to memory of 4188	4380	cmd.exe	bcdedit.exe
PID 4380 wrote to memory of 3180	4380	cmd.exe	wbadmin.exe
PID 4380 wrote to memory of 3180	4380	cmd.exe	wbadmin.exe

C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
"C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
  "C:\Users\Admin\AppData\Local\Temp\d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe"
  2⤵
  PID:4916
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5028
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4864
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4188
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3180
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3036
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268