phobos | bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732

General

Target

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
Size

56KB
MD5

f7352e7f837f64fb08008a0edcfe5261
SHA1

d8df24afe3e378017660648d88e4fd73e2c4e16b
SHA256

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732
SHA512

1bd3d41f564e1f3c44c02874df8e94e261a169b58e00a2348f3fd9ce9d3d5df44f3df39713343d02c69ebc597e041280dccb352244d8d3596301e007eec1d84e
SSDEEP

1536:gNeRBl5PT/rx1mzwRMSTdLpJ5qE4ROWUur:gQRrmzwR5Jk/Uur

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 91C6B8C2-3437 In case of no answer in 24 hours write us to this e-mail: [email protected] Or write us to the TOX messenger: FF06B9D86CCB0CE9D9AB2B9D26DA1765A134BE2EB2604157233090C1FBB4960B91D235AE736A You can download TOX messenger here https://tox.chat/ You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

URLs

https://tox.chat/

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 740 created 4812 740 svchost.exe bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3460 bcdedit.exe
3976 bcdedit.exe
4424 bcdedit.exe
4532 bcdedit.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

3168 wbadmin.exe
4344 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

4820 netsh.exe
4344 netsh.exe

description	pid	process	target process
PID 740 created 4812	740	svchost.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

pid	process
3460	bcdedit.exe
3976	bcdedit.exe
4424	bcdedit.exe
4532	bcdedit.exe

pid	process
3168	wbadmin.exe
4344	wbadmin.exe

pid	process
4820	netsh.exe
4344	netsh.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\FindInitialize.tiff	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Pictures\SendRevoke.tiff	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Drops startup file 3 IoCs

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732 = "C:\\Users\\Admin\\AppData\\Local\\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe"	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732 = "C:\\Users\\Admin\\AppData\\Local\\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe"	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Public\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Drops file in Program Files directory 64 IoCs

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-64.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\msedgeupdateres_te.dll	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\deploy.dll	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveNoDrop32x32.gif	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBEUIINTL.DLL.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\157.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\186.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-20_altform-unplated.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-400.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailWideTile.scale-100.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\ui-strings.js.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_common.dll	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\ui-strings.js	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-30_altform-unplated_contrast-black.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msadcor.dll.mui	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-150_contrast-white.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ul-oob.xrm-ms	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_CN.jar.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\View3d\3DViewerProductDescription-universal.xml	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\ui-strings.js.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.configuration_5.5.0.165303.jar.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\msedgeupdateres_sk.dll.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SplashScreen.scale-200.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLMF.DLL.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul.xrm-ms.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core.xml	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-200.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MicrosoftLogo.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\nslist.hxl	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-24.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pt-BR.pak.DATA	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files\VideoLAN\VLC\skins\skin.catalog.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-64_altform-lightunplated.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner.svg.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\comment.svg	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSmallTile.scale-400_contrast-white.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\voice.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ppd.xrm-ms	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-400_contrast-white.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-125.png	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\ui-strings.js.id[91C6B8C2-3437].[[email protected]].magic	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4828 vssadmin.exe
296 vssadmin.exe

pid	process
4828	vssadmin.exe
296	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

pid	process
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exebc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeTcbPrivilege	740	svchost.exe
Token: SeTcbPrivilege	740	svchost.exe
Token: SeDebugPrivilege	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
Token: SeBackupPrivilege	1320	vssvc.exe
Token: SeRestorePrivilege	1320	vssvc.exe
Token: SeAuditPrivilege	1320	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3628	WMIC.exe
Token: SeSecurityPrivilege	3628	WMIC.exe
Token: SeTakeOwnershipPrivilege	3628	WMIC.exe
Token: SeLoadDriverPrivilege	3628	WMIC.exe
Token: SeSystemProfilePrivilege	3628	WMIC.exe
Token: SeSystemtimePrivilege	3628	WMIC.exe
Token: SeProfSingleProcessPrivilege	3628	WMIC.exe
Token: SeIncBasePriorityPrivilege	3628	WMIC.exe
Token: SeCreatePagefilePrivilege	3628	WMIC.exe
Token: SeBackupPrivilege	3628	WMIC.exe
Token: SeRestorePrivilege	3628	WMIC.exe
Token: SeShutdownPrivilege	3628	WMIC.exe
Token: SeDebugPrivilege	3628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3628	WMIC.exe
Token: SeRemoteShutdownPrivilege	3628	WMIC.exe
Token: SeUndockPrivilege	3628	WMIC.exe
Token: SeManageVolumePrivilege	3628	WMIC.exe
Token: 33	3628	WMIC.exe
Token: 34	3628	WMIC.exe
Token: 35	3628	WMIC.exe
Token: 36	3628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3628	WMIC.exe
Token: SeSecurityPrivilege	3628	WMIC.exe
Token: SeTakeOwnershipPrivilege	3628	WMIC.exe
Token: SeLoadDriverPrivilege	3628	WMIC.exe
Token: SeSystemProfilePrivilege	3628	WMIC.exe
Token: SeSystemtimePrivilege	3628	WMIC.exe
Token: SeProfSingleProcessPrivilege	3628	WMIC.exe
Token: SeIncBasePriorityPrivilege	3628	WMIC.exe
Token: SeCreatePagefilePrivilege	3628	WMIC.exe
Token: SeBackupPrivilege	3628	WMIC.exe
Token: SeRestorePrivilege	3628	WMIC.exe
Token: SeShutdownPrivilege	3628	WMIC.exe
Token: SeDebugPrivilege	3628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3628	WMIC.exe
Token: SeRemoteShutdownPrivilege	3628	WMIC.exe
Token: SeUndockPrivilege	3628	WMIC.exe
Token: SeManageVolumePrivilege	3628	WMIC.exe
Token: 33	3628	WMIC.exe
Token: 34	3628	WMIC.exe
Token: 35	3628	WMIC.exe
Token: 36	3628	WMIC.exe
Token: SeBackupPrivilege	4040	wbengine.exe
Token: SeRestorePrivilege	4040	wbengine.exe
Token: SeSecurityPrivilege	4040	wbengine.exe
Token: SeIncreaseQuotaPrivilege	3344	WMIC.exe
Token: SeSecurityPrivilege	3344	WMIC.exe
Token: SeTakeOwnershipPrivilege	3344	WMIC.exe
Token: SeLoadDriverPrivilege	3344	WMIC.exe
Token: SeSystemProfilePrivilege	3344	WMIC.exe
Token: SeSystemtimePrivilege	3344	WMIC.exe
Token: SeProfSingleProcessPrivilege	3344	WMIC.exe
Token: SeIncBasePriorityPrivilege	3344	WMIC.exe
Token: SeCreatePagefilePrivilege	3344	WMIC.exe
Token: SeBackupPrivilege	3344	WMIC.exe
Token: SeRestorePrivilege	3344	WMIC.exe
Token: SeShutdownPrivilege	3344	WMIC.exe
Token: SeDebugPrivilege	3344	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

svchost.exebc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.execmd.execmd.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 440	740	svchost.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
PID 740 wrote to memory of 440	740	svchost.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
PID 740 wrote to memory of 440	740	svchost.exe	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
PID 4812 wrote to memory of 2060	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 4812 wrote to memory of 2060	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 4812 wrote to memory of 2536	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 4812 wrote to memory of 2536	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 2536 wrote to memory of 4820	2536	cmd.exe	netsh.exe
PID 2536 wrote to memory of 4820	2536	cmd.exe	netsh.exe
PID 2060 wrote to memory of 4828	2060	cmd.exe	vssadmin.exe
PID 2060 wrote to memory of 4828	2060	cmd.exe	vssadmin.exe
PID 2060 wrote to memory of 3628	2060	cmd.exe	WMIC.exe
PID 2060 wrote to memory of 3628	2060	cmd.exe	WMIC.exe
PID 2060 wrote to memory of 3460	2060	cmd.exe	bcdedit.exe
PID 2060 wrote to memory of 3460	2060	cmd.exe	bcdedit.exe
PID 2536 wrote to memory of 4344	2536	cmd.exe	netsh.exe
PID 2536 wrote to memory of 4344	2536	cmd.exe	netsh.exe
PID 2060 wrote to memory of 3976	2060	cmd.exe	bcdedit.exe
PID 2060 wrote to memory of 3976	2060	cmd.exe	bcdedit.exe
PID 2060 wrote to memory of 3168	2060	cmd.exe	wbadmin.exe
PID 2060 wrote to memory of 3168	2060	cmd.exe	wbadmin.exe
PID 4812 wrote to memory of 3144	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	mshta.exe
PID 4812 wrote to memory of 3144	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	mshta.exe
PID 4812 wrote to memory of 3144	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	mshta.exe
PID 4812 wrote to memory of 2352	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	mshta.exe
PID 4812 wrote to memory of 2352	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	mshta.exe
PID 4812 wrote to memory of 2352	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	mshta.exe
PID 4812 wrote to memory of 3008	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	mshta.exe
PID 4812 wrote to memory of 3008	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	mshta.exe
PID 4812 wrote to memory of 3008	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	mshta.exe
PID 4812 wrote to memory of 4072	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 4812 wrote to memory of 4072	4812	bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe	cmd.exe
PID 4072 wrote to memory of 296	4072	cmd.exe	vssadmin.exe
PID 4072 wrote to memory of 296	4072	cmd.exe	vssadmin.exe
PID 4072 wrote to memory of 3344	4072	cmd.exe	WMIC.exe
PID 4072 wrote to memory of 3344	4072	cmd.exe	WMIC.exe
PID 4072 wrote to memory of 4424	4072	cmd.exe	bcdedit.exe
PID 4072 wrote to memory of 4424	4072	cmd.exe	bcdedit.exe
PID 4072 wrote to memory of 4532	4072	cmd.exe	bcdedit.exe
PID 4072 wrote to memory of 4532	4072	cmd.exe	bcdedit.exe
PID 4072 wrote to memory of 4344	4072	cmd.exe	wbadmin.exe
PID 4072 wrote to memory of 4344	4072	cmd.exe	wbadmin.exe

C:\Users\Admin\AppData\Local\Temp\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
"C:\Users\Admin\AppData\Local\Temp\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Users\Admin\AppData\Local\Temp\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe
  "C:\Users\Admin\AppData\Local\Temp\bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732.exe"
  2⤵
  PID:440
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3460
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3976
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3168
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4820
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    PID:4344
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:3144
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:2352
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:3008
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:296
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3344
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4424
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4532
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\info.hta

Filesize
5KB

MD5
0b4c27ba37e4e17413998949cd6328ac

SHA1
9709ee34476511782637fa924aebd5869e5ce421

SHA256
ad83b142f48c8937719a375c36642fb84d4e0e343e5022db6f75d8d3187f9c8c

SHA512
db3d65652258ded4d6f726699185d056816525146d575a11ebb02f5ba0426141f7188a1398a397d976a3114775a388a95f239e1e9eaf7513b38576c2df6f25ff

Download Submit
C:\info.hta

Filesize
5KB

MD5
0b4c27ba37e4e17413998949cd6328ac

SHA1
9709ee34476511782637fa924aebd5869e5ce421

SHA256
ad83b142f48c8937719a375c36642fb84d4e0e343e5022db6f75d8d3187f9c8c

SHA512
db3d65652258ded4d6f726699185d056816525146d575a11ebb02f5ba0426141f7188a1398a397d976a3114775a388a95f239e1e9eaf7513b38576c2df6f25ff

Download Submit
C:\users\public\desktop\info.hta

Filesize
5KB

MD5
0b4c27ba37e4e17413998949cd6328ac

SHA1
9709ee34476511782637fa924aebd5869e5ce421

SHA256
ad83b142f48c8937719a375c36642fb84d4e0e343e5022db6f75d8d3187f9c8c

SHA512
db3d65652258ded4d6f726699185d056816525146d575a11ebb02f5ba0426141f7188a1398a397d976a3114775a388a95f239e1e9eaf7513b38576c2df6f25ff

Download Submit
memory/296-149-0x0000000000000000-mapping.dmp

Download
memory/440-132-0x0000000000000000-mapping.dmp

Download
memory/2060-133-0x0000000000000000-mapping.dmp

Download
memory/2352-143-0x0000000000000000-mapping.dmp

Download
memory/2536-134-0x0000000000000000-mapping.dmp

Download
memory/3008-144-0x0000000000000000-mapping.dmp

Download
memory/3144-142-0x0000000000000000-mapping.dmp

Download
memory/3168-141-0x0000000000000000-mapping.dmp

Download
memory/3344-150-0x0000000000000000-mapping.dmp

Download
memory/3460-138-0x0000000000000000-mapping.dmp

Download
memory/3628-137-0x0000000000000000-mapping.dmp

Download
memory/3976-140-0x0000000000000000-mapping.dmp

Download
memory/4072-145-0x0000000000000000-mapping.dmp

Download
memory/4344-139-0x0000000000000000-mapping.dmp

Download
memory/4344-153-0x0000000000000000-mapping.dmp

Download
memory/4424-151-0x0000000000000000-mapping.dmp

Download
memory/4532-152-0x0000000000000000-mapping.dmp

Download
memory/4820-135-0x0000000000000000-mapping.dmp

Download
memory/4828-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads