Malware Analysis Report

2024-11-16 12:15

Sample ID 230505-zrenrsgg4w
Target rundll64.exe
SHA256 523d97331fcef84ff767dbb01836766d8b1be9bbeb3d76e9fda3a02ad46fd976
Tags upx phobos evasion persistence ransomware spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

523d97331fcef84ff767dbb01836766d8b1be9bbeb3d76e9fda3a02ad46fd976

Threat Level: Known bad

The file rundll64.exe was found to be: Known bad.

Malicious Activity Summary

Tags upx phobos evasion persistence ransomware spyware stealer

Phobos
Deletes shadow copies
Modifies boot configuration data using bcdedit
Deletes backup catalog
Modifies Windows Firewall
Reads user/profile data of web browsers
UPX packed file
Drops startup file
Drops desktop.ini file(s)
Adds Run key to start application
Drops file in Program Files directory
Program crash
Unsigned PE
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-05-05 20:56

Signatures

UPX packed file
Tags upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-05-05 20:56
Reported 2023-05-05 23:12
Platform win7-20230220-en
Max time kernel 150s
Max time network 30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rundll64.exe"

Signatures

Phobos
Tags ransomware phobos

Deletes shadow copies
Tags ransomware

Modifies boot configuration data using bcdedit
Tags ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog
Tags ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall
Tags evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\rundll64.exe C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Reads user/profile data of web browsers
Tags spyware stealer

Adds Run key to start application
Tags persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll64 = "C:\\Users\\Admin\\AppData\\Local\\rundll64.exe" C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll64 = "C:\\Users\\Admin\\AppData\\Local\\rundll64.exe" C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msador15.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fa.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\adojavas.inc C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipschs.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\gu.txt.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\descript.ion C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fi.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\el.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\desktop.ini.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\en.ttt.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado26.tlb C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\adcvbs.inc C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msdaosp.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF.id[A94330E5-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\History.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ms.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\7zCon.sfx C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Interacts with shadow copies
Tags ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 284 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 284 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 284 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 284 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 284 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 284 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 284 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 284 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 564 wrote to memory of 1832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 564 wrote to memory of 1832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 564 wrote to memory of 1832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 608 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 608 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 608 wrote to memory of 768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 564 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 564 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 564 wrote to memory of 700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 608 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 608 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 608 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 608 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 608 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 608 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 608 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 608 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 608 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 608 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 608 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 608 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API
Tags persistence

Uses Volume Shadow Copy service COM API
Tags ransomware

Processes

Each entry lists the process image followed by its recorded command line.

C:\Users\Admin\AppData\Local\Temp\rundll64.exe
    "C:\Users\Admin\AppData\Local\Temp\rundll64.exe"

C:\Users\Admin\AppData\Local\Temp\rundll64.exe
    "C:\Users\Admin\AppData\Local\Temp\rundll64.exe"

C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe

Network

N/A

Files

memory/284-54-0x0000000000020000-0x000000000002C000-memory.dmp
memory/284-55-0x0000000000030000-0x000000000003F000-memory.dmp
memory/924-56-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-60-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-64-0x0000000000400000-0x00000000047C2000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[A94330E5-3093].[[email protected]].eking
    MD5 57929ab7556a5965c35638df972e5f05
    SHA1 02814a3feb4799e6784fc1fadb596b5843215330
    SHA256 be86996d87cd619ad96e00cff7543883a7034a8d8bb467b95a28c9f40aa488de
    SHA512 1e893768f2c03965430bbbc457fce5810df66c7d2b1684d7abc8ec3784b3eec9b7f5a9b4ff27b1b47f6df4da377c85e4b7c1486deb3579465205d8b114b56c8b

memory/284-108-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-157-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-164-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-173-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-180-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-304-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-324-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-337-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-404-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-423-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-445-0x0000000000400000-0x00000000047C2000-memory.dmp
memory/284-629-0x0000000000400000-0x00000000047C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-05-05 20:56
Reported 2023-05-05 23:12
Platform win10v2004-20230220-en
Max time kernel 150s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rundll64.exe"

Signatures

Phobos
Tags ransomware phobos

Deletes shadow copies
Tags ransomware

Modifies boot configuration data using bcdedit
Tags ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog
Tags ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall
Tags evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\rundll64.exe C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Reads user/profile data of web browsers
Tags spyware stealer

Adds Run key to start application
Tags persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll64 = "C:\\Users\\Admin\\AppData\\Local\\rundll64.exe" C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll64 = "C:\\Users\\Admin\\AppData\\Local\\rundll64.exe" C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tt.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\yo.txt.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\bn.txt.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\CompareStep.cab C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\th.txt.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msadomd28.tlb C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadce.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\fr.txt.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado60.tlb C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\wab32res.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\bg.txt.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\tr.txt.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lv.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kk.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\lt.txt.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msxactps.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spc.txt.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\am.pak C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\7-Zip\Lang\lij.txt.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.id[373E8E06-3093].[[email protected]].eking C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\rundll64.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3340 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 3340 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\rundll64.exe C:\Windows\system32\cmd.exe
PID 4180 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2012 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4180 wrote to memory of 1244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2012 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2012 wrote to memory of 3788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2012 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2012 wrote to memory of 1224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\rundll64.exe

"C:\Users\Admin\AppData\Local\Temp\rundll64.exe"

C:\Users\Admin\AppData\Local\Temp\rundll64.exe

"C:\Users\Admin\AppData\Local\Temp\rundll64.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2832 -ip 2832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 460

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
FR 40.79.141.154:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 52.152.108.96:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 37.146.190.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp

Files

memory/3340-133-0x0000000000030000-0x000000000003C000-memory.dmp

memory/3340-134-0x00000000001C0000-0x00000000001CF000-memory.dmp

memory/2832-135-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-138-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-140-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-150-0x0000000000400000-0x00000000047C2000-memory.dmp

C:\Program Files\7-Zip\7-zip32.dll

MD5 2f244a56091c9705794e92e6bcc38058
SHA1 3f2b518be764f29c66ba8564d1be8f4309cce747
SHA256 e322feefa8d4c76d8749f88c9b877e3e119418c4ac0b18a8cfb7260638cc588d
SHA512 3ee3835abfec9c2db4ba1f33b5e59db2400e712d5dd7cde82a12889ea1beab8ac85b923ec0447e81b3d2ce3ebd14922882653f5bcdcc81a29f225acfa4872572

memory/3340-171-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-184-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-214-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-441-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-496-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-515-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-541-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-818-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-937-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-944-0x0000000000400000-0x00000000047C2000-memory.dmp

memory/3340-951-0x0000000000400000-0x00000000047C2000-memory.dmp