phobos | 51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f

Resubmissions

19-09-2023 04:16

230919-evw21aeg6z 10

19-09-2023 03:45

230919-ebdfjsef3t 10

Analysis

max time kernel
300s
max time network
311s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
19-09-2023 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exe
Size

3.1MB
MD5

28e03a0e0871a90ee993db029c25ded5
SHA1

651f0c06a5d0bf37a8a7987626a89135b5384459
SHA256

51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f
SHA512

c13997f114735d9db85205b7b76f5236c0721babd850528bd066d0ed0059bd82650008bf52a8172a9a183ad8b90beb16c39b682511c6750d896ef99c10a57a60
SSDEEP

49152:q+4bzTvij0votBkRPJMMB+9YUkSk+yfzBcpoG9SbTHHB72eh2NT:q+i/i5tBkRPJMM2YUkSk5u

Score

10^/10

phobos quasar cunt evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

cunt

37.139.129.145:5512

37.139.129.145:5505

Mutex

5a092138-836c-4206-9af6-8a540736ef07

Attributes

encryption_key
D21B49539C3EA494897D43CF75CBF5F989F0792A
install_name
ntoskrnl.exe
log_directory
SystemLogs
reconnect_delay
3000
startup_key
Kernel
subdirectory
Kernel

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3856-0-0x0000000000B80000-0x0000000000EA2000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\Kernel\ntoskrnl.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Kernel\ntoskrnl.exe	family_quasar

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4452 bcdedit.exe
576 bcdedit.exe
Renames multiple (54) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1816 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

4664 netsh.exe
3668 netsh.exe
Drops startup file 1 IoCs

Processes:

JUNfRnCbnBiS.exe

description ioc process

File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\JUNfRnCbnBiS.exe JUNfRnCbnBiS.exe
Executes dropped EXE 3 IoCs

Processes:

ntoskrnl.exeJUNfRnCbnBiS.exeJUNfRnCbnBiS.exe

pid process

200 ntoskrnl.exe
1256 JUNfRnCbnBiS.exe
3556 JUNfRnCbnBiS.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4452	bcdedit.exe
576	bcdedit.exe

pid	process
1816	wbadmin.exe

pid	process
4664	netsh.exe
3668	netsh.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\JUNfRnCbnBiS.exe	JUNfRnCbnBiS.exe

pid	process
200	ntoskrnl.exe
1256	JUNfRnCbnBiS.exe
3556	JUNfRnCbnBiS.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

JUNfRnCbnBiS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JUNfRnCbnBiS = "C:\\Users\\Admin\\AppData\\Local\\JUNfRnCbnBiS.exe"	JUNfRnCbnBiS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\JUNfRnCbnBiS = "C:\\Users\\Admin\\AppData\\Local\\JUNfRnCbnBiS.exe"	JUNfRnCbnBiS.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

JUNfRnCbnBiS.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1894964180-3551943068-3090682958-1000\desktop.ini	JUNfRnCbnBiS.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1894964180-3551943068-3090682958-1000\desktop.ini	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\desktop.ini	JUNfRnCbnBiS.exe

Drops file in Program Files directory 64 IoCs

Processes:

JUNfRnCbnBiS.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jli.dll	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\3RDPARTY.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tipresx.dll	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\iexplore.exe.mui	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2iexp.dll.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\[email protected]	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunmscapi.jar.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\System\it-IT\wab32res.dll.mui	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\t2k.dll.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\wsdetect.dll	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\desktop.ini	JUNfRnCbnBiS.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pcsc.dll	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_font.dll.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar	JUNfRnCbnBiS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages.properties.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\.eclipseproduct.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	JUNfRnCbnBiS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	JUNfRnCbnBiS.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee100.tlb	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickLearningWizard.exe	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprst.dll	JUNfRnCbnBiS.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui	JUNfRnCbnBiS.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.id[5D97A7DB-3502].[[email protected]].faust	JUNfRnCbnBiS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3804 schtasks.exe
1116 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4716 vssadmin.exe

pid	process
3804	schtasks.exe
1116	schtasks.exe

pid	process
4716	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

JUNfRnCbnBiS.exe

pid	process
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe
1256	JUNfRnCbnBiS.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exentoskrnl.exeJUNfRnCbnBiS.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	3856	51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exe
Token: SeDebugPrivilege	200	ntoskrnl.exe
Token: SeDebugPrivilege	1256	JUNfRnCbnBiS.exe
Token: SeBackupPrivilege	496	vssvc.exe
Token: SeRestorePrivilege	496	vssvc.exe
Token: SeAuditPrivilege	496	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1004	WMIC.exe
Token: SeSecurityPrivilege	1004	WMIC.exe
Token: SeTakeOwnershipPrivilege	1004	WMIC.exe
Token: SeLoadDriverPrivilege	1004	WMIC.exe
Token: SeSystemProfilePrivilege	1004	WMIC.exe
Token: SeSystemtimePrivilege	1004	WMIC.exe
Token: SeProfSingleProcessPrivilege	1004	WMIC.exe
Token: SeIncBasePriorityPrivilege	1004	WMIC.exe
Token: SeCreatePagefilePrivilege	1004	WMIC.exe
Token: SeBackupPrivilege	1004	WMIC.exe
Token: SeRestorePrivilege	1004	WMIC.exe
Token: SeShutdownPrivilege	1004	WMIC.exe
Token: SeDebugPrivilege	1004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1004	WMIC.exe
Token: SeRemoteShutdownPrivilege	1004	WMIC.exe
Token: SeUndockPrivilege	1004	WMIC.exe
Token: SeManageVolumePrivilege	1004	WMIC.exe
Token: 33	1004	WMIC.exe
Token: 34	1004	WMIC.exe
Token: 35	1004	WMIC.exe
Token: 36	1004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1004	WMIC.exe
Token: SeSecurityPrivilege	1004	WMIC.exe
Token: SeTakeOwnershipPrivilege	1004	WMIC.exe
Token: SeLoadDriverPrivilege	1004	WMIC.exe
Token: SeSystemProfilePrivilege	1004	WMIC.exe
Token: SeSystemtimePrivilege	1004	WMIC.exe
Token: SeProfSingleProcessPrivilege	1004	WMIC.exe
Token: SeIncBasePriorityPrivilege	1004	WMIC.exe
Token: SeCreatePagefilePrivilege	1004	WMIC.exe
Token: SeBackupPrivilege	1004	WMIC.exe
Token: SeRestorePrivilege	1004	WMIC.exe
Token: SeShutdownPrivilege	1004	WMIC.exe
Token: SeDebugPrivilege	1004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1004	WMIC.exe
Token: SeRemoteShutdownPrivilege	1004	WMIC.exe
Token: SeUndockPrivilege	1004	WMIC.exe
Token: SeManageVolumePrivilege	1004	WMIC.exe
Token: 33	1004	WMIC.exe
Token: 34	1004	WMIC.exe
Token: 35	1004	WMIC.exe
Token: 36	1004	WMIC.exe
Token: SeBackupPrivilege	4952	wbengine.exe
Token: SeRestorePrivilege	4952	wbengine.exe
Token: SeSecurityPrivilege	4952	wbengine.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ntoskrnl.exe

pid process

200 ntoskrnl.exe

pid	process
200	ntoskrnl.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exentoskrnl.exeJUNfRnCbnBiS.execmd.execmd.exe

description	pid	process	target process
PID 3856 wrote to memory of 3804	3856	51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exe	schtasks.exe
PID 3856 wrote to memory of 3804	3856	51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exe	schtasks.exe
PID 3856 wrote to memory of 200	3856	51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exe	ntoskrnl.exe
PID 3856 wrote to memory of 200	3856	51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exe	ntoskrnl.exe
PID 200 wrote to memory of 1116	200	ntoskrnl.exe	schtasks.exe
PID 200 wrote to memory of 1116	200	ntoskrnl.exe	schtasks.exe
PID 200 wrote to memory of 1256	200	ntoskrnl.exe	JUNfRnCbnBiS.exe
PID 200 wrote to memory of 1256	200	ntoskrnl.exe	JUNfRnCbnBiS.exe
PID 200 wrote to memory of 1256	200	ntoskrnl.exe	JUNfRnCbnBiS.exe
PID 1256 wrote to memory of 580	1256	JUNfRnCbnBiS.exe	cmd.exe
PID 1256 wrote to memory of 580	1256	JUNfRnCbnBiS.exe	cmd.exe
PID 1256 wrote to memory of 2476	1256	JUNfRnCbnBiS.exe	cmd.exe
PID 1256 wrote to memory of 2476	1256	JUNfRnCbnBiS.exe	cmd.exe
PID 2476 wrote to memory of 4664	2476	cmd.exe	netsh.exe
PID 2476 wrote to memory of 4664	2476	cmd.exe	netsh.exe
PID 580 wrote to memory of 4716	580	cmd.exe	vssadmin.exe
PID 580 wrote to memory of 4716	580	cmd.exe	vssadmin.exe
PID 580 wrote to memory of 1004	580	cmd.exe	WMIC.exe
PID 580 wrote to memory of 1004	580	cmd.exe	WMIC.exe
PID 580 wrote to memory of 4452	580	cmd.exe	bcdedit.exe
PID 580 wrote to memory of 4452	580	cmd.exe	bcdedit.exe
PID 580 wrote to memory of 576	580	cmd.exe	bcdedit.exe
PID 580 wrote to memory of 576	580	cmd.exe	bcdedit.exe
PID 580 wrote to memory of 1816	580	cmd.exe	wbadmin.exe
PID 580 wrote to memory of 1816	580	cmd.exe	wbadmin.exe
PID 2476 wrote to memory of 3668	2476	cmd.exe	netsh.exe
PID 2476 wrote to memory of 3668	2476	cmd.exe	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exe
"C:\Users\Admin\AppData\Local\Temp\51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Kernel" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kernel\ntoskrnl.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3804

C:\Users\Admin\AppData\Roaming\Kernel\ntoskrnl.exe
"C:\Users\Admin\AppData\Roaming\Kernel\ntoskrnl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Kernel" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Kernel\ntoskrnl.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1116

C:\Users\Admin\AppData\Local\Temp\JUNfRnCbnBiS.exe
"C:\Users\Admin\AppData\Local\Temp\JUNfRnCbnBiS.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\JUNfRnCbnBiS.exe
"C:\Users\Admin\AppData\Local\Temp\JUNfRnCbnBiS.exe"
4⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:4716

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:4452

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:576

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
5⤵
- Deletes backup catalog
PID:1816

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
5⤵
- Modifies Windows Firewall
PID:4664

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
5⤵
- Modifies Windows Firewall
PID:3668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip32.dll
Filesize
49KB

MD5
2f244a56091c9705794e92e6bcc38058

SHA1
3f2b518be764f29c66ba8564d1be8f4309cce747

SHA256
e322feefa8d4c76d8749f88c9b877e3e119418c4ac0b18a8cfb7260638cc588d

SHA512
3ee3835abfec9c2db4ba1f33b5e59db2400e712d5dd7cde82a12889ea1beab8ac85b923ec0447e81b3d2ce3ebd14922882653f5bcdcc81a29f225acfa4872572

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
Filesize
57B

MD5
ab9d8ef2ffa9145d6c325cefa41d5d4e

SHA1
0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab

SHA256
65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785

SHA512
904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db
Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUNfRnCbnBiS.exe
Filesize
56KB

MD5
48ecb8dcb214011b5e89e18fa76e6440

SHA1
ccf1384b9ae04c909eee5e4a3d6cc1000ad135d5

SHA256
362b89161b579321c0780e35f0f24ac9f5128a4b27f263319a3900ae431ff87c

SHA512
a72d97127566acb1eaf53a810ed828ca17685221c39259e2849de045c36c4c5b8c8481cdf3d9404998e82a51efb8618d44114f016c8eb2f6b0a03ec6fe56369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUNfRnCbnBiS.exe
Filesize
56KB

MD5
48ecb8dcb214011b5e89e18fa76e6440

SHA1
ccf1384b9ae04c909eee5e4a3d6cc1000ad135d5

SHA256
362b89161b579321c0780e35f0f24ac9f5128a4b27f263319a3900ae431ff87c

SHA512
a72d97127566acb1eaf53a810ed828ca17685221c39259e2849de045c36c4c5b8c8481cdf3d9404998e82a51efb8618d44114f016c8eb2f6b0a03ec6fe56369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JUNfRnCbnBiS.exe
Filesize
56KB

MD5
48ecb8dcb214011b5e89e18fa76e6440

SHA1
ccf1384b9ae04c909eee5e4a3d6cc1000ad135d5

SHA256
362b89161b579321c0780e35f0f24ac9f5128a4b27f263319a3900ae431ff87c

SHA512
a72d97127566acb1eaf53a810ed828ca17685221c39259e2849de045c36c4c5b8c8481cdf3d9404998e82a51efb8618d44114f016c8eb2f6b0a03ec6fe56369d

Download Submit
C:\Users\Admin\AppData\Roaming\Kernel\ntoskrnl.exe
Filesize
3.1MB

MD5
28e03a0e0871a90ee993db029c25ded5

SHA1
651f0c06a5d0bf37a8a7987626a89135b5384459

SHA256
51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f

SHA512
c13997f114735d9db85205b7b76f5236c0721babd850528bd066d0ed0059bd82650008bf52a8172a9a183ad8b90beb16c39b682511c6750d896ef99c10a57a60

Download Submit
C:\Users\Admin\AppData\Roaming\Kernel\ntoskrnl.exe
Filesize
3.1MB

MD5
28e03a0e0871a90ee993db029c25ded5

SHA1
651f0c06a5d0bf37a8a7987626a89135b5384459

SHA256
51220927e71a1b8c5cc0ca85c454dc93f3aaae25bb3ec0dc3a9837236687d45f

SHA512
c13997f114735d9db85205b7b76f5236c0721babd850528bd066d0ed0059bd82650008bf52a8172a9a183ad8b90beb16c39b682511c6750d896ef99c10a57a60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JUNfRnCbnBiS.exe
Filesize
56KB

MD5
48ecb8dcb214011b5e89e18fa76e6440

SHA1
ccf1384b9ae04c909eee5e4a3d6cc1000ad135d5

SHA256
362b89161b579321c0780e35f0f24ac9f5128a4b27f263319a3900ae431ff87c

SHA512
a72d97127566acb1eaf53a810ed828ca17685221c39259e2849de045c36c4c5b8c8481cdf3d9404998e82a51efb8618d44114f016c8eb2f6b0a03ec6fe56369d

Download Submit
memory/200-9-0x00007FFD1B750000-0x00007FFD1C13C000-memory.dmp

Filesize
9.9MB

Download
memory/200-14-0x00007FFD1B750000-0x00007FFD1C13C000-memory.dmp

Filesize
9.9MB

Download
memory/200-15-0x000000001BFC0000-0x000000001BFD0000-memory.dmp

Filesize
64KB

Download
memory/200-16-0x000000001BFA0000-0x000000001BFB2000-memory.dmp

Filesize
72KB

Download
memory/200-17-0x000000001C720000-0x000000001C75E000-memory.dmp

Filesize
248KB

Download
memory/200-13-0x000000001C7A0000-0x000000001C852000-memory.dmp

Filesize
712KB

Download
memory/200-12-0x000000001C690000-0x000000001C6E0000-memory.dmp

Filesize
320KB

Download
memory/200-10-0x000000001BFC0000-0x000000001BFD0000-memory.dmp

Filesize
64KB

Download
memory/3856-11-0x00007FFD1B750000-0x00007FFD1C13C000-memory.dmp

Filesize
9.9MB

Download
memory/3856-0-0x0000000000B80000-0x0000000000EA2000-memory.dmp

Filesize
3.1MB

Download
memory/3856-2-0x000000001BDC0000-0x000000001BDD0000-memory.dmp

Filesize
64KB

Download
memory/3856-1-0x00007FFD1B750000-0x00007FFD1C13C000-memory.dmp

Filesize
9.9MB

Download