Analysis
- max time kernel: 149s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 02-12-2023 11:23
Static task: static1
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20231130-en
General
- Target: tmp.exe
- Size: 56KB
- MD5: 3ce6441e1d986483a8c80a8aa861d23a
- SHA1: 60d281e634e3abbb8f2f28ecfe2c39816facd5fd
- SHA256: 59ee1056869903e9f34f0c61cfb9af08b1ae85d2ac4844c6c888671047bf52dd
- SHA512: eaed716e28f12b50a1ab93165edd706ee1f53edf3119fd5b5ea31c61aaa5f34d49eebdcacb68e6f9225780c6951bf7f0ac374989a3745e5c1b59e9a7a6fbbee2
- SSDEEP: 1536:SNeRBl5PT/rx1mzwRMSTdLpJi88RHYIpzkQe:SQRrmzwR5JIHY2Ne
Malware Config
Extracted
C:\info.hta
http://www.w3.org/TR/html4/strict.dtd'>
Extracted
C:\Users\Admin\Desktop\info.hta
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
  pid   process
  1044  bcdedit.exe
  2960  bcdedit.exe
  1940  bcdedit.exe
  892   bcdedit.exe
-
Renames multiple (310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Processes:
  pid   process
  1636  wbadmin.exe
  1296  wbadmin.exe
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 3 IoCs
Processes (tmp.exe):
  - File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\tmp.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[508F52E5-3404].[[email protected]].Elbie
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (tmp.exe):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp = "C:\\Users\\Admin\\AppData\\Local\\tmp.exe"
  - Set value (str): \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmp = "C:\\Users\\Admin\\AppData\\Local\\tmp.exe"
-
Drops desktop.ini file(s) 64 IoCs
Processes (tmp.exe), all entries "File opened for modification":
  - C:\Users\Public\Documents\desktop.ini
  - C:\Users\Public\Music\Sample Music\desktop.ini
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3I8TNX97\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\D5NM0E2V\desktop.ini
  - C:\Users\Admin\Documents\desktop.ini
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  - C:\Users\Public\Desktop\desktop.ini
  - C:\Users\Public\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KZY3GE37\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  - C:\Users\Admin\Desktop\desktop.ini
  - C:\Users\Admin\Links\desktop.ini
  - C:\Users\Admin\Videos\desktop.ini
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  - C:\Users\Public\Downloads\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  - C:\Users\Admin\Favorites\Links\desktop.ini
  - C:\Users\Admin\Music\desktop.ini
  - C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  - C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  - C:\Users\Public\Pictures\desktop.ini
  - C:\$Recycle.Bin\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini
  - C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B23MSSI3\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
  - C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6S505ELS\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  - C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  - C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  - C:\Program Files (x86)\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
  - C:\Users\Admin\Favorites\desktop.ini
  - C:\Users\Admin\Searches\desktop.ini
  - C:\Users\Public\Recorded TV\Sample Media\desktop.ini
  - C:\Program Files\Microsoft Games\Mahjong\desktop.ini
  - C:\Program Files\Microsoft Games\Purble Place\desktop.ini
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UK06G3BB\desktop.ini
  - C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  - C:\Users\Public\Libraries\desktop.ini
  - C:\Program Files\Microsoft Games\Chess\desktop.ini
  - C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  - C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACR0LGSN\desktop.ini
  - C:\Users\Public\Music\desktop.ini
  - C:\Users\Public\Videos\desktop.ini
  - F:\$RECYCLE.BIN\S-1-5-21-3470981204-343661084-3367201002-1000\desktop.ini
  - C:\Program Files\Microsoft Games\FreeCell\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
-
Drops file in Program Files directory 64 IoCs
Processes (tmp.exe):
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER11.POC.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui
  - File created: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.id[508F52E5-3404].[[email protected]].Elbie
  - File created: C:\Program Files\VideoLAN\VLC\lua\http\css\main.css.id[508F52E5-3404].[[email protected]].Elbie
  - File created: C:\Program Files\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02261_.WMF
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Form.zip
  - File opened for modification: C:\Program Files (x86)\Windows Media Player\WMPNSSUI.dll
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_down.png
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00455_.WMF
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BUSINESS.ONE
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar
  - File opened for modification: C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45F.GIF.id[508F52E5-3404].[[email protected]].Elbie
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECREC.CFG.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV
  - File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\PAB.SAM.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Utilities.v3.5.resources.dll
  - File opened for modification: C:\Program Files\Windows Journal\de-DE\jnwmon.dll.mui
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00168_.WMF
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\drag.png
  - File opened for modification: C:\Program Files\DVD Maker\fr-FR\WMM2CLIP.dll.mui
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar
  - File opened for modification: C:\Program Files\Mozilla Firefox\mozavcodec.dll.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif
  - File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287018.WMF.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
  - File created: C:\Program Files\Java\jre7\lib\psfontj2d.properties.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXT.id[508F52E5-3404].[[email protected]].Elbie
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza
  - File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACER3X.DLL
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\MLA.XSL.id[508F52E5-3404].[[email protected]].Elbie
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\MSWORD.OLB.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml
  - File created: C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files\VideoLAN\VLC\skins\skin.catalog
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\FPWEC.DLL.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART1.BDR
  - File created: C:\Program Files (x86)\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Class.zip
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-nodes_zh_CN.jar.id[508F52E5-3404].[[email protected]].Elbie
  - File created: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api.id[508F52E5-3404].[[email protected]].Elbie
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME50.CSS.id[508F52E5-3404].[[email protected]].Elbie
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT
  - File created: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN044.XML.id[508F52E5-3404].[[email protected]].Elbie
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  2656  vssadmin.exe
  2972  vssadmin.exe
-
Modifies Internet Explorer settings
Processes (mshta.exe):
  - Key created: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main
  - Key created: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main
  - Key created: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main
  - Key created: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  1476  tmp.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (Token: privilege, grouped by pid/process):
  - 1476 tmp.exe: SeDebugPrivilege
  - 2832 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - 2552 WMIC.exe (the following sequence is recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  - 1860 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  - 2436 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process wrote to memory of target pid/process; repeated entries counted):
  - 1476 tmp.exe -> 2420 cmd.exe (x4)
  - 1476 tmp.exe -> 2384 cmd.exe (x4)
  - 2420 cmd.exe -> 2612 netsh.exe (x3)
  - 2384 cmd.exe -> 2656 vssadmin.exe (x3)
  - 2420 cmd.exe -> 2044 netsh.exe (x3)
  - 2384 cmd.exe -> 2552 WMIC.exe (x3)
  - 2384 cmd.exe -> 1044 bcdedit.exe (x3)
  - 2384 cmd.exe -> 2960 bcdedit.exe (x3)
  - 2384 cmd.exe -> 1636 wbadmin.exe (x3)
  - 1476 tmp.exe -> 2476 mshta.exe (x4)
  - 1476 tmp.exe -> 2612 mshta.exe (x4)
  - 1476 tmp.exe -> 2768 mshta.exe (x4)
  - 1476 tmp.exe -> 1796 mshta.exe (x4)
  - 1476 tmp.exe -> 2232 cmd.exe (x4)
  - 2232 cmd.exe -> 2972 vssadmin.exe (x3)
  - 2232 cmd.exe -> 2436 WMIC.exe (x3)
  - 2232 cmd.exe -> 1940 bcdedit.exe (x3)
  - 2232 cmd.exe -> 892 bcdedit.exe (x3)
  - 2232 cmd.exe -> 1296 wbadmin.exe (x3)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; each entry lists image path, command line, matched signatures and PID)
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1476
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    PID: 2876
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2420
    - C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
      - Modifies Windows Firewall
      PID: 2612
    - C:\Windows\system32\netsh.exe
      Command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
      PID: 2044
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2384
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 2656
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 2552
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 1044
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID: 2960
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
      PID: 1636
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
    - Modifies Internet Explorer settings
    PID: 2476
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
    - Modifies Internet Explorer settings
    PID: 2612
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
    - Modifies Internet Explorer settings
    PID: 2768
  - C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
    - Modifies Internet Explorer settings
    PID: 1796
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2232
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 2972
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
      PID: 2436
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      - Modifies boot configuration data using bcdedit
      PID: 1940
    - C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {default} recoveryenabled no
      - Modifies boot configuration data using bcdedit
      PID: 892
    - C:\Windows\system32\wbadmin.exe
      Command line: wbadmin delete catalog -quiet
      - Deletes backup catalog
      PID: 1296
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2832
- C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID: 1860
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 2192
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  PID: 2200
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[508F52E5-3404].[[email protected]].Elbie
  Filesize: 143.1MB
  MD5: 1815a89c32f2e0f5453c9a5db2475553
  SHA1: 635eb91cf42581af319122ca4b9ead419187b1e5
  SHA256: 79067254f308cf78bc3930cf086489c360f60cb5364fd3bf277e8dc08e359182
  SHA512: 4b4c57e908b7cc333165d696fae579461b1808c98dd5b4ac0547fb2f639c5e10c379aaf2cce65de173547b91ead63ebf045000c9e1a9db7c6d87b64a5131a5fb
- C:\Users\Admin\Desktop\info.hta
  Filesize: 5KB
  MD5: 7653d26e079ee4e15235944da673a3ab
  SHA1: 4649d99039cac31d15f9f6ab01a12dba44e6a4b1
  SHA256: 319dd9a7f70ca2da309698a9e8cf9e1dd47bf807efed2c7403f4c247305ad9dc
  SHA512: a1bf38ed164f57ab5fc8f5911a6afae6ab4248424736868ab27e4ae02f1878c81b0f2cca6fc3665b96a9a0f181ee6aa6b4789ea803bfe867edde340349092e2c
- C:\info.hta
  Filesize: 5KB
  MD5: 7653d26e079ee4e15235944da673a3ab
  SHA1: 4649d99039cac31d15f9f6ab01a12dba44e6a4b1
  SHA256: 319dd9a7f70ca2da309698a9e8cf9e1dd47bf807efed2c7403f4c247305ad9dc
  SHA512: a1bf38ed164f57ab5fc8f5911a6afae6ab4248424736868ab27e4ae02f1878c81b0f2cca6fc3665b96a9a0f181ee6aa6b4789ea803bfe867edde340349092e2c
- C:\info.hta
  Filesize: 5KB
  MD5: 7653d26e079ee4e15235944da673a3ab
  SHA1: 4649d99039cac31d15f9f6ab01a12dba44e6a4b1
  SHA256: 319dd9a7f70ca2da309698a9e8cf9e1dd47bf807efed2c7403f4c247305ad9dc
  SHA512: a1bf38ed164f57ab5fc8f5911a6afae6ab4248424736868ab27e4ae02f1878c81b0f2cca6fc3665b96a9a0f181ee6aa6b4789ea803bfe867edde340349092e2c
- C:\users\public\desktop\info.hta
  Filesize: 5KB
  MD5: 7653d26e079ee4e15235944da673a3ab
  SHA1: 4649d99039cac31d15f9f6ab01a12dba44e6a4b1
  SHA256: 319dd9a7f70ca2da309698a9e8cf9e1dd47bf807efed2c7403f4c247305ad9dc
  SHA512: a1bf38ed164f57ab5fc8f5911a6afae6ab4248424736868ab27e4ae02f1878c81b0f2cca6fc3665b96a9a0f181ee6aa6b4789ea803bfe867edde340349092e2c
- F:\info.hta
  Filesize: 5KB
  MD5: 7653d26e079ee4e15235944da673a3ab
  SHA1: 4649d99039cac31d15f9f6ab01a12dba44e6a4b1
  SHA256: 319dd9a7f70ca2da309698a9e8cf9e1dd47bf807efed2c7403f4c247305ad9dc
  SHA512: a1bf38ed164f57ab5fc8f5911a6afae6ab4248424736868ab27e4ae02f1878c81b0f2cca6fc3665b96a9a0f181ee6aa6b4789ea803bfe867edde340349092e2c