Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 06-10-2023 05:38
Static task: static1
Behavioral task: behavioral1
- Sample: ecdf7acb35e4268bcafb03b8af12f659.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: ecdf7acb35e4268bcafb03b8af12f659.exe
- Resource: win10v2004-20230915-en
General
- Target: ecdf7acb35e4268bcafb03b8af12f659.exe
- Size: 686KB
- MD5: ecdf7acb35e4268bcafb03b8af12f659
- SHA1: 93b0d892bd3fbb7d3d9efb69fffdc060159d4536
- SHA256: c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763
- SHA512: 5cd325c7a0a47921e940480c4e3f983b5b56a2906639e6f2a67d3264e039f06034d286f68e36a1b1ae7642d1ac0e274283d5d45381cede14ba83177355f1017d
- SSDEEP: 12288:UzRlcffXwJsWFAFnjJPQJq+6byL3z5SjMa1jkSC9U:ujB0JYcAa1S
Malware Config
Extracted
C:\info.hta
Extracted
C:\Users\Admin\Desktop\info.hta
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes (pid, process):
  1780 bcdedit.exe
  1684 bcdedit.exe
  2752 bcdedit.exe
  932 bcdedit.exe
-
Renames multiple (325) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes (pid, process):
  2180 wbadmin.exe
  2632 wbadmin.exe
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 3 IoCs
Processes (description, ioc, process):
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[7653C5C8-3483].[[email protected]].8base (ecdf7acb35e4268bcafb03b8af12f659.exe)
  File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ecdf7acb35e4268bcafb03b8af12f659.exe (ecdf7acb35e4268bcafb03b8af12f659.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (ecdf7acb35e4268bcafb03b8af12f659.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ecdf7acb35e4268bcafb03b8af12f659 = "C:\\Users\\Admin\\AppData\\Local\\ecdf7acb35e4268bcafb03b8af12f659.exe" (ecdf7acb35e4268bcafb03b8af12f659.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\ecdf7acb35e4268bcafb03b8af12f659 = "C:\\Users\\Admin\\AppData\\Local\\ecdf7acb35e4268bcafb03b8af12f659.exe" (ecdf7acb35e4268bcafb03b8af12f659.exe)
-
Drops desktop.ini file(s) 64 IoCs
Processes (description, ioc, process). Every entry is "File opened for modification" by ecdf7acb35e4268bcafb03b8af12f659.exe:
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\Public\Pictures\Sample Pictures\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\BTQU2WY3\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Program Files\Microsoft Games\Purble Place\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Public\Recorded TV\Sample Media\desktop.ini
  C:\Program Files\Microsoft Games\Chess\desktop.ini
  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\21HTV0YV\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAZDKRER\desktop.ini
  C:\Program Files\Microsoft Games\Mahjong\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RNNGBMMH\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\KGR8FNXC\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
  C:\Users\Admin\Favorites\Links for United States\desktop.ini
  C:\Users\Public\Music\Sample Music\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MTONL7NE\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OW945HRI\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Public\desktop.ini
  C:\Program Files\Microsoft Games\FreeCell\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\801M4P4S\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-3185155662-718608226-894467740-1000\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-3185155662-718608226-894467740-1000\desktop.ini
  C:\Program Files\Microsoft Games\Hearts\desktop.ini
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
  PID 2184 set thread context of 2088: ecdf7acb35e4268bcafb03b8af12f659.exe -> ecdf7acb35e4268bcafb03b8af12f659.exe
  PID 2704 set thread context of 2864: ecdf7acb35e4268bcafb03b8af12f659.exe -> ecdf7acb35e4268bcafb03b8af12f659.exe
-
Drops file in Program Files directory 64 IoCs
Processes (description, ioc, process). Every entry is by ecdf7acb35e4268bcafb03b8af12f659.exe:
  File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45F.GIF.id[7653C5C8-3483].[[email protected]].8base
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF.id[7653C5C8-3483].[[email protected]].8base
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING2.WMF.id[7653C5C8-3483].[[email protected]].8base
  File created: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Hardcover.thmx.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files\7-Zip\Lang\fi.txt
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar
  File created: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0186348.WMF.id[7653C5C8-3483].[[email protected]].8base
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS.HXS
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left_disable.gif
  File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149887.WMF
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14792_.GIF
  File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\BUTTON.GIF.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\OFFICE10.MML
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GRINTL32.REST.IDX_DLL
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css
  File opened for modification: C:\Program Files\Java\jre7\bin\JdbcOdbc.dll
  File created: C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromaprint_plugin.dll.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png
  File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01074_.WMF.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187849.WMF
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02055_.WMF.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png
  File created: C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\settings.js
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\THMBNAIL.PNG
  File opened for modification: C:\Program Files (x86)\Windows Mail\fr-FR\WinMail.exe.mui
  File opened for modification: C:\Program Files\7-Zip\Lang\sa.txt
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll
  File created: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF.id[7653C5C8-3483].[[email protected]].8base
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00218_.WMF.id[7653C5C8-3483].[[email protected]].8base
  File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_OFF.GIF.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api
  File opened for modification: C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui
  File created: C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui
  File created: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216588.WMF.id[7653C5C8-3483].[[email protected]].8base
  File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\COMPUTER.ICO.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE.id[7653C5C8-3483].[[email protected]].8base
  File created: C:\Program Files (x86)\Microsoft Office\Templates\1033\TimeCard.xltx.id[7653C5C8-3483].[[email protected]].8base
  File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files\VideoLAN\VLC\NEWS.txt
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00152_.WMF.id[7653C5C8-3483].[[email protected]].8base
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\ENVELOPE.DLL
  File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ho_Chi_Minh
  File opened for modification: C:\Program Files\Java\jre7\release
  File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21370_.GIF
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis
  File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo
  File created: C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\hxdsui.dll.id[7653C5C8-3483].[[email protected]].8base
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
  332 vssadmin.exe
  2744 vssadmin.exe
-
Processes (description, ioc, process):
  Key created: \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process), 64 entries:
  2184 ecdf7acb35e4268bcafb03b8af12f659.exe (1 entry)
  2704 ecdf7acb35e4268bcafb03b8af12f659.exe (3 entries)
  2088 ecdf7acb35e4268bcafb03b8af12f659.exe (60 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, pid, process), 64 entries grouped by process:
  2184 ecdf7acb35e4268bcafb03b8af12f659.exe: Token: SeDebugPrivilege
  2704 ecdf7acb35e4268bcafb03b8af12f659.exe: Token: SeDebugPrivilege
  2088 ecdf7acb35e4268bcafb03b8af12f659.exe: Token: SeDebugPrivilege
  2628 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  524 WMIC.exe (the following sequence appears twice): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  2836 wbengine.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  2456 WMIC.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process), 64 entries grouped by identical rows:
  PID 2184 wrote to memory of 2992: ecdf7acb35e4268bcafb03b8af12f659.exe -> ecdf7acb35e4268bcafb03b8af12f659.exe (4 entries)
  PID 2184 wrote to memory of 2088: ecdf7acb35e4268bcafb03b8af12f659.exe -> ecdf7acb35e4268bcafb03b8af12f659.exe (11 entries)
  PID 2704 wrote to memory of 2444: ecdf7acb35e4268bcafb03b8af12f659.exe -> ecdf7acb35e4268bcafb03b8af12f659.exe (4 entries)
  PID 2704 wrote to memory of 1696: ecdf7acb35e4268bcafb03b8af12f659.exe -> ecdf7acb35e4268bcafb03b8af12f659.exe (4 entries)
  PID 2704 wrote to memory of 3000: ecdf7acb35e4268bcafb03b8af12f659.exe -> ecdf7acb35e4268bcafb03b8af12f659.exe (4 entries)
  PID 2704 wrote to memory of 2864: ecdf7acb35e4268bcafb03b8af12f659.exe -> ecdf7acb35e4268bcafb03b8af12f659.exe (11 entries)
  PID 2088 wrote to memory of 2516: ecdf7acb35e4268bcafb03b8af12f659.exe -> cmd.exe (4 entries)
  PID 2088 wrote to memory of 2380: ecdf7acb35e4268bcafb03b8af12f659.exe -> cmd.exe (4 entries)
  PID 2516 wrote to memory of 2108: cmd.exe -> netsh.exe (3 entries)
  PID 2380 wrote to memory of 332: cmd.exe -> vssadmin.exe (3 entries)
  PID 2516 wrote to memory of 2376: cmd.exe -> netsh.exe (3 entries)
  PID 2380 wrote to memory of 524: cmd.exe -> WMIC.exe (3 entries)
  PID 2380 wrote to memory of 1780: cmd.exe -> bcdedit.exe (3 entries)
  PID 2380 wrote to memory of 1684: cmd.exe -> bcdedit.exe (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  "C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe"  1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2184

  C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  2⤵
  PID: 2992

  C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2088

    C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  "C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe"  3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2704

      C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  4⤵
      PID: 2444

      C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  4⤵
      PID: 2864

      C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  4⤵
      PID: 3000

      C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe  4⤵
      PID: 1696

    C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe"  3⤵
    - Suspicious use of WriteProcessMemory
    PID: 2516

      C:\Windows\system32\netsh.exe  netsh advfirewall set currentprofile state off  4⤵
      - Modifies Windows Firewall
      PID: 2108

      C:\Windows\system32\netsh.exe  netsh firewall set opmode mode=disable  4⤵
      - Modifies Windows Firewall
      PID: 2376

    C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe"  3⤵
    - Suspicious use of WriteProcessMemory
    PID: 2380

      C:\Windows\system32\vssadmin.exe  vssadmin delete shadows /all /quiet  4⤵
      - Interacts with shadow copies
      PID: 332

      C:\Windows\System32\Wbem\WMIC.exe  wmic shadowcopy delete  4⤵
      - Suspicious use of AdjustPrivilegeToken
      PID: 524

      C:\Windows\system32\bcdedit.exe  bcdedit /set {default} bootstatuspolicy ignoreallfailures  4⤵
      - Modifies boot configuration data using bcdedit
      PID: 1780

      C:\Windows\system32\bcdedit.exe  bcdedit /set {default} recoveryenabled no  4⤵
      - Modifies boot configuration data using bcdedit
      PID: 1684

      C:\Windows\system32\wbadmin.exe  wbadmin delete catalog -quiet  4⤵
      - Deletes backup catalog
      PID: 2180

    C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"  3⤵
    - Modifies Internet Explorer settings
    PID: 112

    C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"  3⤵
    - Modifies Internet Explorer settings
    PID: 2684

    C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"  3⤵
    - Modifies Internet Explorer settings
    PID: 2224

    C:\Windows\SysWOW64\mshta.exe  "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"  3⤵
    - Modifies Internet Explorer settings
    PID: 3000

    C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe"  3⤵
    PID: 2600

      C:\Windows\system32\vssadmin.exe  vssadmin delete shadows /all /quiet  4⤵
      - Interacts with shadow copies
      PID: 2744

      C:\Windows\System32\Wbem\WMIC.exe  wmic shadowcopy delete  4⤵
      - Suspicious use of AdjustPrivilegeToken
      PID: 2456

      C:\Windows\system32\bcdedit.exe  bcdedit /set {default} bootstatuspolicy ignoreallfailures  4⤵
      - Modifies boot configuration data using bcdedit
      PID: 2752

      C:\Windows\system32\bcdedit.exe  bcdedit /set {default} recoveryenabled no  4⤵
      - Modifies boot configuration data using bcdedit
      PID: 932

      C:\Windows\system32\wbadmin.exe  wbadmin delete catalog -quiet  4⤵
      - Deletes backup catalog
      PID: 2632

C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  1⤵
- Suspicious use of AdjustPrivilegeToken
PID: 2628

C:\Windows\system32\wbengine.exe  "C:\Windows\system32\wbengine.exe"  1⤵
- Suspicious use of AdjustPrivilegeToken
PID: 2836

C:\Windows\System32\vdsldr.exe  C:\Windows\System32\vdsldr.exe -Embedding  1⤵
PID: 2252

C:\Windows\System32\vds.exe  C:\Windows\System32\vds.exe  1⤵
PID: 2120
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[7653C5C8-3483].[[email protected]].8base
Filesize 143.1MB
MD5 f4042b3ccf70d9883dbe9f370644eff5
SHA1 489dd6590e98b970e3416826dbf15b5dd6541554
SHA256 57643f49522ed146e9e9e485a099998cfc4932de19b0b9a6bde3cf48aecd79a0
SHA512 14ad6329e514d1078e133aceb7162e6cdba9708bc88b5921d29fddbb0902b329ac5d5e8860480123f031af261b317fdda596787dd5467194cdd9aadce722a260
-
Filesize 5KB
MD5 c7d91ac039a19bc89d3442539ae1625a
SHA1 c3879e9dad8320655741013136895d4aaa555f84
SHA256 79ac50c02354a27d939437acb82ecece3548c9f86b5bdaad444b4a396a5a1abd
SHA512 494425ecdb6d2ca90a9598e1e22db90051740d5fe0a507230e86437f7e0ad1b251ca44077b5f187ae6f8a1eafe907128ff588afd566710002038ce227cb7c210