phobos | f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f

General

Target

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
Size

266KB
MD5

bca4f45fd63e9b7a8fb82ca92de246a2
SHA1

73819e4af3dc2200ae5eac87df6bda9c2d502134
SHA256

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f
SHA512

6ad12488a43b28e97bb43cab7250ebd5b2f5a6437850a6c023f7a15ae5538905132f25a929c2efd240f113af2d038554e562ca5eb92835063ffd83b3f5b1c704
SSDEEP

6144:I0zUjNSOjOTbdiEB241vgA0E1JtHMEtxPvGFXpbc2:I0YjNSOj+8219Np0C2

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

2436 netsh.exe
2216 netsh.exe

pid	process
2436	netsh.exe
2216	netsh.exe

Drops startup file 1 IoCs

Processes:

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC = "C:\\Users\\Admin\\AppData\\Local\\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe"	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC = "C:\\Users\\Admin\\AppData\\Local\\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe"	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3185155662-718608226-894467740-1000\desktop.ini	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3185155662-718608226-894467740-1000\desktop.ini	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\desktop.ini	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exef5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

description	pid	process	target process
PID 2544 set thread context of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 set thread context of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

Drops file in Program Files directory 64 IoCs

Processes:

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.dll.sig.id[5A1F3B36-3483].[[email protected]].8base	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.id[5A1F3B36-3483].[[email protected]].8base	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG.wmv	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-previous-static.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\external_extensions.json.id[5A1F3B36-3483].[[email protected]].8base	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\System\wab32res.dll	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.id[5A1F3B36-3483].[[email protected]].8base	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.id[5A1F3B36-3483].[[email protected]].8base	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.id[5A1F3B36-3483].[[email protected]].8base	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.id[5A1F3B36-3483].[[email protected]].8base	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.id[5A1F3B36-3483].[[email protected]].8base	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsink.ax	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.id[5A1F3B36-3483].[[email protected]].8base	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\babyblue.png	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1876 vssadmin.exe

pid	process
1876	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

pid	process
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exef5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exef5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
Token: SeDebugPrivilege	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
Token: SeDebugPrivilege	2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
Token: SeBackupPrivilege	2848	vssvc.exe
Token: SeRestorePrivilege	2848	vssvc.exe
Token: SeAuditPrivilege	2848	vssvc.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exef5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exef5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.execmd.execmd.exe

description	pid	process	target process
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2544 wrote to memory of 2592	2544	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 1984 wrote to memory of 2692	1984	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
PID 2592 wrote to memory of 1992	2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	cmd.exe
PID 2592 wrote to memory of 1992	2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	cmd.exe
PID 2592 wrote to memory of 1992	2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	cmd.exe
PID 2592 wrote to memory of 1992	2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	cmd.exe
PID 2592 wrote to memory of 2860	2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	cmd.exe
PID 2592 wrote to memory of 2860	2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	cmd.exe
PID 2592 wrote to memory of 2860	2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	cmd.exe
PID 2592 wrote to memory of 2860	2592	f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe	cmd.exe
PID 2860 wrote to memory of 2436	2860	cmd.exe	netsh.exe
PID 2860 wrote to memory of 2436	2860	cmd.exe	netsh.exe
PID 2860 wrote to memory of 2436	2860	cmd.exe	netsh.exe
PID 1992 wrote to memory of 1876	1992	cmd.exe	vssadmin.exe
PID 1992 wrote to memory of 1876	1992	cmd.exe	vssadmin.exe
PID 1992 wrote to memory of 1876	1992	cmd.exe	vssadmin.exe
PID 2860 wrote to memory of 2216	2860	cmd.exe	netsh.exe
PID 2860 wrote to memory of 2216	2860	cmd.exe	netsh.exe
PID 2860 wrote to memory of 2216	2860	cmd.exe	netsh.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
C:\Users\Admin\AppData\Local\Temp\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Users\Admin\AppData\Local\Temp\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
C:\Users\Admin\AppData\Local\Temp\f5d99d4548470b4699b215453e9be29e48aa20616d45f704c335bd3bbe3e0a4f_JC.exe
4⤵
PID:2692

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1876

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:2436

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[5A1F3B36-3483].[[email protected]].8base

Filesize
143.1MB

MD5
5183c4190b330933cba6729e3609d07a

SHA1
fcf7fcc8ece3be33a165a2f6448c0a9b1a3f0e9b

SHA256
4e792169b7f82a209f8d23fe2c97705f8d4a7b4bb8b0400dda27f5ca5047a149

SHA512
0356d2c95374523d4fdb96999605476922f807a39e2302b10b42e273ec8b05d68cf82f876bd185f6bf439527ae725dd8e689b8fe99d76925fc0f67daf15922fd

Download Submit
memory/1984-20-0x0000000073630000-0x0000000073D1E000-memory.dmp

Filesize
6.9MB

Download
memory/1984-21-0x0000000000870000-0x00000000008B8000-memory.dmp

Filesize
288KB

Download
memory/1984-39-0x0000000073630000-0x0000000073D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2544-6-0x00000000007B0000-0x00000000007E4000-memory.dmp

Filesize
208KB

Download
memory/2544-5-0x00000000041F0000-0x0000000004230000-memory.dmp

Filesize
256KB

Download
memory/2544-19-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2544-7-0x0000000001FB0000-0x0000000001FFC000-memory.dmp

Filesize
304KB

Download
memory/2544-4-0x00000000041F0000-0x0000000004230000-memory.dmp

Filesize
256KB

Download
memory/2544-0-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2544-3-0x0000000000260000-0x00000000002A6000-memory.dmp

Filesize
280KB

Download
memory/2544-2-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2544-1-0x0000000000870000-0x00000000008B8000-memory.dmp

Filesize
288KB

Download
memory/2592-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-82-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-52-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-58-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-60-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-69-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-68-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2592-73-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2692-40-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2692-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads