Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
15-07-2023 03:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7166d39e9c1cb17e1728d316531242b1.exe
Resource
win7-20230712-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral2
Sample
7166d39e9c1cb17e1728d316531242b1.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
22 signatures
150 seconds
General
-
Target
7166d39e9c1cb17e1728d316531242b1.exe
-
Size
164KB
-
MD5
7166d39e9c1cb17e1728d316531242b1
-
SHA1
d05810943685bcd70999ff0926215f5d6fe2637a
-
SHA256
8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
-
SHA512
b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214
-
SSDEEP
3072:0OLdjvSZkJXvtv+HQ7kvQ4sn++DXmHz5AL:RLdTS6Xvd+HQ7kvQ44L
Score
10/10
Malware Config
Extracted
Path
C:\info.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>cartilage</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #C6B5C4;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #B5CC8E;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #e6ecf2;
border-left: 10px solid #B58CB2;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FFA07A;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<div>All your files have been encrypted!</div>
</div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC.</div>
<div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div>
<div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div>
<div class='bold'>Write this ID in the title of your message <span class='mark'>D09FD71D-3483</span></div>
<div>
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
</div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
</ul>
</div>
</body>
</html>
Emails
class='mark'>[email protected]</span></div>
URLs
http://www.w3.org/TR/html4/strict.dtd'>
Extracted
Path
C:\info.hta
Ransom Note
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC.
If you want to restore them, write us to the e-mail [email protected]
Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074
Write this ID in the title of your message D09FD71D-3483
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 2668 bcdedit.exe 2540 bcdedit.exe 3036 bcdedit.exe 1388 bcdedit.exe -
Renames multiple (312) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2320 wbadmin.exe 1232 wbadmin.exe -
Modifies Windows Firewall 1 TTPs 2 IoCs
pid Process 2376 netsh.exe 2828 netsh.exe -
Drops startup file 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\7166d39e9c1cb17e1728d316531242b1.exe 7166d39e9c1cb17e1728d316531242b1.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7166d39e9c1cb17e1728d316531242b1 = "C:\\Users\\Admin\\AppData\\Local\\7166d39e9c1cb17e1728d316531242b1.exe" 7166d39e9c1cb17e1728d316531242b1.exe Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\7166d39e9c1cb17e1728d316531242b1 = "C:\\Users\\Admin\\AppData\\Local\\7166d39e9c1cb17e1728d316531242b1.exe" 7166d39e9c1cb17e1728d316531242b1.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Music\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\WQH5U7RP\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z13CS2YQ\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Videos\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6C1HE16Q\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4219371764-2579186923-3390623117-1000\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMTMQO7B\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S87W4FRX\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W493OQIZ\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Music\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\Libraries\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Public\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-4219371764-2579186923-3390623117-1000\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 7166d39e9c1cb17e1728d316531242b1.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR34F.GIF 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153089.WMF 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\setup_wm.exe.mui 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099202.GIF 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105588.WMF.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\BCSRuntime.dll.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBPQT.DPV.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Complete.xsn 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\Management.cer 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-4.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\SaveRestore.M2V.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\VideoLAN\VLC\plugins\access\libtimecode_plugin.dll.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Mozilla Firefox\updater.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00443_.WMF.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\settings.ini 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jre7\lib\zi\Asia\Singapore.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Acrofx32.dll 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.INF.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195772.WMF.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jre7\bin\net.dll.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jre7\lib\zi\Pacific\Wallis.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\VISSHE.DLL 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jre7\lib\fontconfig.properties.src.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NL7Models0011.DLL.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_down.png 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Management.Instrumentation.Resources.dll 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\27.png 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107302.WMF.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\mscss7en.dll.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-ui_ja.jar 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libttml_plugin.dll 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14981_.GIF.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.DPV.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral 7166d39e9c1cb17e1728d316531242b1.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar.id[D09FD71D-3483].[[email protected]].8base 7166d39e9c1cb17e1728d316531242b1.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2864 vssadmin.exe 1764 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe 2692 7166d39e9c1cb17e1728d316531242b1.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2692 7166d39e9c1cb17e1728d316531242b1.exe Token: SeBackupPrivilege 1452 vssvc.exe Token: SeRestorePrivilege 1452 vssvc.exe Token: SeAuditPrivilege 1452 vssvc.exe Token: SeIncreaseQuotaPrivilege 2964 WMIC.exe Token: SeSecurityPrivilege 2964 WMIC.exe Token: SeTakeOwnershipPrivilege 2964 WMIC.exe Token: SeLoadDriverPrivilege 2964 WMIC.exe Token: SeSystemProfilePrivilege 2964 WMIC.exe Token: SeSystemtimePrivilege 2964 WMIC.exe Token: SeProfSingleProcessPrivilege 2964 WMIC.exe Token: SeIncBasePriorityPrivilege 2964 WMIC.exe Token: SeCreatePagefilePrivilege 2964 WMIC.exe Token: SeBackupPrivilege 2964 WMIC.exe Token: SeRestorePrivilege 2964 WMIC.exe Token: SeShutdownPrivilege 2964 WMIC.exe Token: SeDebugPrivilege 2964 WMIC.exe Token: SeSystemEnvironmentPrivilege 2964 WMIC.exe Token: SeRemoteShutdownPrivilege 2964 WMIC.exe Token: SeUndockPrivilege 2964 WMIC.exe Token: SeManageVolumePrivilege 2964 WMIC.exe Token: 33 2964 WMIC.exe Token: 34 2964 WMIC.exe Token: 35 2964 WMIC.exe Token: SeIncreaseQuotaPrivilege 2964 WMIC.exe Token: SeSecurityPrivilege 2964 WMIC.exe Token: SeTakeOwnershipPrivilege 2964 WMIC.exe Token: SeLoadDriverPrivilege 2964 WMIC.exe Token: SeSystemProfilePrivilege 2964 WMIC.exe Token: SeSystemtimePrivilege 2964 WMIC.exe Token: SeProfSingleProcessPrivilege 2964 WMIC.exe Token: SeIncBasePriorityPrivilege 2964 WMIC.exe Token: SeCreatePagefilePrivilege 2964 WMIC.exe Token: SeBackupPrivilege 2964 WMIC.exe Token: SeRestorePrivilege 2964 WMIC.exe Token: SeShutdownPrivilege 2964 WMIC.exe Token: SeDebugPrivilege 2964 WMIC.exe Token: SeSystemEnvironmentPrivilege 2964 WMIC.exe Token: SeRemoteShutdownPrivilege 2964 WMIC.exe Token: SeUndockPrivilege 2964 WMIC.exe Token: SeManageVolumePrivilege 2964 WMIC.exe Token: 33 2964 WMIC.exe Token: 34 2964 WMIC.exe Token: 35 2964 WMIC.exe Token: SeBackupPrivilege 1072 wbengine.exe Token: SeRestorePrivilege 1072 wbengine.exe Token: SeSecurityPrivilege 1072 wbengine.exe Token: SeIncreaseQuotaPrivilege 1212 WMIC.exe Token: SeSecurityPrivilege 1212 WMIC.exe Token: SeTakeOwnershipPrivilege 1212 WMIC.exe Token: SeLoadDriverPrivilege 1212 WMIC.exe Token: SeSystemProfilePrivilege 1212 WMIC.exe Token: SeSystemtimePrivilege 1212 WMIC.exe Token: SeProfSingleProcessPrivilege 1212 WMIC.exe Token: SeIncBasePriorityPrivilege 1212 WMIC.exe Token: SeCreatePagefilePrivilege 1212 WMIC.exe Token: SeBackupPrivilege 1212 WMIC.exe Token: SeRestorePrivilege 1212 WMIC.exe Token: SeShutdownPrivilege 1212 WMIC.exe Token: SeDebugPrivilege 1212 WMIC.exe Token: SeSystemEnvironmentPrivilege 1212 WMIC.exe Token: SeRemoteShutdownPrivilege 1212 WMIC.exe Token: SeUndockPrivilege 1212 WMIC.exe Token: SeManageVolumePrivilege 1212 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 1996 2692 7166d39e9c1cb17e1728d316531242b1.exe 29 PID 2692 wrote to memory of 1996 2692 7166d39e9c1cb17e1728d316531242b1.exe 29 PID 2692 wrote to memory of 1996 2692 7166d39e9c1cb17e1728d316531242b1.exe 29 PID 2692 wrote to memory of 1996 2692 7166d39e9c1cb17e1728d316531242b1.exe 29 PID 2692 wrote to memory of 2044 2692 7166d39e9c1cb17e1728d316531242b1.exe 30 PID 2692 wrote to memory of 2044 2692 7166d39e9c1cb17e1728d316531242b1.exe 30 PID 2692 wrote to memory of 2044 2692 7166d39e9c1cb17e1728d316531242b1.exe 30 PID 2692 wrote to memory of 2044 2692 7166d39e9c1cb17e1728d316531242b1.exe 30 PID 2044 wrote to memory of 2828 2044 cmd.exe 34 PID 2044 wrote to memory of 2828 2044 cmd.exe 34 PID 2044 wrote to memory of 2828 2044 cmd.exe 34 PID 1996 wrote to memory of 2864 1996 cmd.exe 33 PID 1996 wrote to memory of 2864 1996 cmd.exe 33 PID 1996 wrote to memory of 2864 1996 cmd.exe 33 PID 2044 wrote to memory of 2376 2044 cmd.exe 36 PID 2044 wrote to memory of 2376 2044 cmd.exe 36 PID 2044 wrote to memory of 2376 2044 cmd.exe 36 PID 1996 wrote to memory of 2964 1996 cmd.exe 41 PID 1996 wrote to memory of 2964 1996 cmd.exe 41 PID 1996 wrote to memory of 2964 1996 cmd.exe 41 PID 1996 wrote to memory of 2668 1996 cmd.exe 43 PID 1996 wrote to memory of 2668 1996 cmd.exe 43 PID 1996 wrote to memory of 2668 1996 cmd.exe 43 PID 1996 wrote to memory of 2540 1996 cmd.exe 44 PID 1996 wrote to memory of 2540 1996 cmd.exe 44 PID 1996 wrote to memory of 2540 1996 cmd.exe 44 PID 1996 wrote to memory of 2320 1996 cmd.exe 45 PID 1996 wrote to memory of 2320 1996 cmd.exe 45 PID 1996 wrote to memory of 2320 1996 cmd.exe 45 PID 2692 wrote to memory of 2992 2692 7166d39e9c1cb17e1728d316531242b1.exe 50 PID 2692 wrote to memory of 2992 2692 7166d39e9c1cb17e1728d316531242b1.exe 50 PID 2692 wrote to memory of 2992 2692 7166d39e9c1cb17e1728d316531242b1.exe 50 PID 2692 wrote to memory of 2992 2692 7166d39e9c1cb17e1728d316531242b1.exe 50 PID 2692 wrote to memory of 2780 2692 7166d39e9c1cb17e1728d316531242b1.exe 51 PID 2692 wrote to memory of 2780 2692 7166d39e9c1cb17e1728d316531242b1.exe 51 PID 2692 wrote to memory of 2780 2692 7166d39e9c1cb17e1728d316531242b1.exe 51 PID 2692 wrote to memory of 2780 2692 7166d39e9c1cb17e1728d316531242b1.exe 51 PID 2692 wrote to memory of 2184 2692 7166d39e9c1cb17e1728d316531242b1.exe 52 PID 2692 wrote to memory of 2184 2692 7166d39e9c1cb17e1728d316531242b1.exe 52 PID 2692 wrote to memory of 2184 2692 7166d39e9c1cb17e1728d316531242b1.exe 52 PID 2692 wrote to memory of 2184 2692 7166d39e9c1cb17e1728d316531242b1.exe 52 PID 2692 wrote to memory of 2712 2692 7166d39e9c1cb17e1728d316531242b1.exe 53 PID 2692 wrote to memory of 2712 2692 7166d39e9c1cb17e1728d316531242b1.exe 53 PID 2692 wrote to memory of 2712 2692 7166d39e9c1cb17e1728d316531242b1.exe 53 PID 2692 wrote to memory of 2712 2692 7166d39e9c1cb17e1728d316531242b1.exe 53 PID 2692 wrote to memory of 1732 2692 7166d39e9c1cb17e1728d316531242b1.exe 54 PID 2692 wrote to memory of 1732 2692 7166d39e9c1cb17e1728d316531242b1.exe 54 PID 2692 wrote to memory of 1732 2692 7166d39e9c1cb17e1728d316531242b1.exe 54 PID 2692 wrote to memory of 1732 2692 7166d39e9c1cb17e1728d316531242b1.exe 54 PID 1732 wrote to memory of 1764 1732 cmd.exe 56 PID 1732 wrote to memory of 1764 1732 cmd.exe 56 PID 1732 wrote to memory of 1764 1732 cmd.exe 56 PID 1732 wrote to memory of 1212 1732 cmd.exe 57 PID 1732 wrote to memory of 1212 1732 cmd.exe 57 PID 1732 wrote to memory of 1212 1732 cmd.exe 57 PID 1732 wrote to memory of 3036 1732 cmd.exe 58 PID 1732 wrote to memory of 3036 1732 cmd.exe 58 PID 1732 wrote to memory of 3036 1732 cmd.exe 58 PID 1732 wrote to memory of 1388 1732 cmd.exe 59 PID 1732 wrote to memory of 1388 1732 cmd.exe 59 PID 1732 wrote to memory of 1388 1732 cmd.exe 59 PID 1732 wrote to memory of 1232 1732 cmd.exe 60 PID 1732 wrote to memory of 1232 1732 cmd.exe 60 PID 1732 wrote to memory of 1232 1732 cmd.exe 60 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7166d39e9c1cb17e1728d316531242b1.exe"C:\Users\Admin\AppData\Local\Temp\7166d39e9c1cb17e1728d316531242b1.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\7166d39e9c1cb17e1728d316531242b1.exe"C:\Users\Admin\AppData\Local\Temp\7166d39e9c1cb17e1728d316531242b1.exe"2⤵PID:2508
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2864
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2964
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2668
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:2540
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2320
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
PID:2828
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
PID:2376
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2992
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2780
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2184
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2712
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1764
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:3036
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:1388
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:1232
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2360
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2080
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[D09FD71D-3483].[[email protected]].8base
Filesize143.1MB
MD5ee991d2cbaed7b9721226feca7ff8a87
SHA116fb8611a9e4ad02b80233254f903ef8e24f7c3e
SHA256cb10efe6d7b81e7287ec9dc21bd764e415ee66307e6d73a9abdba8198616e3d8
SHA512fbdb3129d17ebe076b2d36719fb98f525dcb27fb22c335d66de06b1c96489f4bb7de100f1993af67f2dd06717c6f93b83a3d5558688396aa4b6d14b1f3ad425c
-
Filesize
5KB
MD58601e8cc301e8e810237f9c1189217a5
SHA13cac7e6ae76f5c117d1595e088382d37dabe11c9
SHA256a071355e9cdfa6e76cefac544dc2dda0dec1c289c1cd5dcab692f530a17278d1
SHA5129c43c1ac1b0c514ad16dc91206e2d4cfb391387273eebe499b01a3cd1f909ce173627917a126ea08f4a638235ccc397db5e30842f08812f899ad32b5f0223a7c
-
Filesize
5KB
MD58601e8cc301e8e810237f9c1189217a5
SHA13cac7e6ae76f5c117d1595e088382d37dabe11c9
SHA256a071355e9cdfa6e76cefac544dc2dda0dec1c289c1cd5dcab692f530a17278d1
SHA5129c43c1ac1b0c514ad16dc91206e2d4cfb391387273eebe499b01a3cd1f909ce173627917a126ea08f4a638235ccc397db5e30842f08812f899ad32b5f0223a7c
-
Filesize
5KB
MD58601e8cc301e8e810237f9c1189217a5
SHA13cac7e6ae76f5c117d1595e088382d37dabe11c9
SHA256a071355e9cdfa6e76cefac544dc2dda0dec1c289c1cd5dcab692f530a17278d1
SHA5129c43c1ac1b0c514ad16dc91206e2d4cfb391387273eebe499b01a3cd1f909ce173627917a126ea08f4a638235ccc397db5e30842f08812f899ad32b5f0223a7c
-
Filesize
5KB
MD58601e8cc301e8e810237f9c1189217a5
SHA13cac7e6ae76f5c117d1595e088382d37dabe11c9
SHA256a071355e9cdfa6e76cefac544dc2dda0dec1c289c1cd5dcab692f530a17278d1
SHA5129c43c1ac1b0c514ad16dc91206e2d4cfb391387273eebe499b01a3cd1f909ce173627917a126ea08f4a638235ccc397db5e30842f08812f899ad32b5f0223a7c
-
Filesize
5KB
MD58601e8cc301e8e810237f9c1189217a5
SHA13cac7e6ae76f5c117d1595e088382d37dabe11c9
SHA256a071355e9cdfa6e76cefac544dc2dda0dec1c289c1cd5dcab692f530a17278d1
SHA5129c43c1ac1b0c514ad16dc91206e2d4cfb391387273eebe499b01a3cd1f909ce173627917a126ea08f4a638235ccc397db5e30842f08812f899ad32b5f0223a7c