phobos | cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7

General

Target

lsess.exe
Size

55KB
MD5

fd0ef924c1edc067cd2298024a7057b0
SHA1

0a32d7600869f37f0fbe2a5c996cda5111d4a4d1
SHA256

cd89fd5bf3049fad64718c190ae014b4c9c0d141e3550d63008c1c5c71d50bd7
SHA512

275efb2d22ceaed29c4c4563782f648663ea752a6b08d4472ba12d29dc76c57b2120c3a5984d08f5a0ebdd3abf68e6ea8af1325ff9eb24830c43c8c489ad44c0
SSDEEP

1536:HNeRBl5PT/rx1mzwRMSTdLpJ47kmvBMRM:HQRrmzwR5JWk2+

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

768 bcdedit.exe
300 bcdedit.exe
2596 bcdedit.exe
3352 bcdedit.exe
Renames multiple (495) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

2544 wbadmin.exe
1080 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4436 netsh.exe
4592 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

lsess.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation lsess.exe

pid	process
768	bcdedit.exe
300	bcdedit.exe
2596	bcdedit.exe
3352	bcdedit.exe

pid	process
2544	wbadmin.exe
1080	wbadmin.exe

pid	process
4436	netsh.exe
4592	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	lsess.exe

Drops startup file 3 IoCs

Processes:

lsess.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\lsess.exe	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	lsess.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lsess.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsess = "C:\\Users\\Admin\\AppData\\Local\\lsess.exe"	lsess.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsess = "C:\\Users\\Admin\\AppData\\Local\\lsess.exe"	lsess.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

lsess.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	lsess.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	lsess.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-768304381-2824894965-3840216961-1000\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	lsess.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	lsess.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	lsess.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	lsess.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	lsess.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	lsess.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	lsess.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	lsess.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	lsess.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	lsess.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	lsess.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	lsess.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	lsess.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	lsess.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	lsess.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	lsess.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	lsess.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	lsess.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	lsess.exe
File opened for modification	C:\Users\Public\desktop.ini	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	lsess.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	lsess.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	lsess.exe

Drops file in Program Files directory 64 IoCs

Processes:

lsess.exe

description	ioc	process
File created	C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\MedTile.scale-125.png	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LargeTile.scale-200.png	lsess.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\powered-by-foursquare.png	lsess.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.Query.NetFX35.dll	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Fonts\FHubMDL2.ttf	lsess.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui	lsess.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.Proxies.dll	lsess.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\ui-strings.js.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\ui-strings.js	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	lsess.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-100.png	lsess.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\selection-actions.png.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\ui-strings.js.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-oob.xrm-ms.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sunglasses.png	lsess.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\ui-strings.js.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.Win32.Primitives.dll	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest4-ul-oob.xrm-ms.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File created	C:\Program Files\Java\jre-1.8\lib\fontconfig.properties.src.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Web.Entity.Design.Resources.dll	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-200.png	lsess.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-125.png	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\LICENSE	lsess.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_shared_multi_filetype.svg.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionMedTile.scale-200.png	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxBadge.scale-400.png	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100_contrast-high.png	lsess.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\ui-strings.js	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_SplashScreen.scale-200.png	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-24_altform-unplated.png	lsess.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-100.png	lsess.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\plugin.js.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugin.js	lsess.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png	lsess.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	lsess.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Shared.Windows.dll	lsess.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js	lsess.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\profilePic.png	lsess.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	lsess.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning_2x.png.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js	lsess.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\System.Windows.Controls.Ribbon.resources.dll.id[68F7F56C-3413].[[email protected]].Elbie	lsess.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\officemui.msi.16.en-us.vreg.dat	lsess.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4560 vssadmin.exe
4652 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

lsess.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings lsess.exe

pid	process
4560	vssadmin.exe
4652	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	lsess.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

lsess.exe

pid	process
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe
4528	lsess.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

lsess.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4528	lsess.exe
Token: SeBackupPrivilege	4384	vssvc.exe
Token: SeRestorePrivilege	4384	vssvc.exe
Token: SeAuditPrivilege	4384	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1236	WMIC.exe
Token: SeSecurityPrivilege	1236	WMIC.exe
Token: SeTakeOwnershipPrivilege	1236	WMIC.exe
Token: SeLoadDriverPrivilege	1236	WMIC.exe
Token: SeSystemProfilePrivilege	1236	WMIC.exe
Token: SeSystemtimePrivilege	1236	WMIC.exe
Token: SeProfSingleProcessPrivilege	1236	WMIC.exe
Token: SeIncBasePriorityPrivilege	1236	WMIC.exe
Token: SeCreatePagefilePrivilege	1236	WMIC.exe
Token: SeBackupPrivilege	1236	WMIC.exe
Token: SeRestorePrivilege	1236	WMIC.exe
Token: SeShutdownPrivilege	1236	WMIC.exe
Token: SeDebugPrivilege	1236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1236	WMIC.exe
Token: SeRemoteShutdownPrivilege	1236	WMIC.exe
Token: SeUndockPrivilege	1236	WMIC.exe
Token: SeManageVolumePrivilege	1236	WMIC.exe
Token: 33	1236	WMIC.exe
Token: 34	1236	WMIC.exe
Token: 35	1236	WMIC.exe
Token: 36	1236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1236	WMIC.exe
Token: SeSecurityPrivilege	1236	WMIC.exe
Token: SeTakeOwnershipPrivilege	1236	WMIC.exe
Token: SeLoadDriverPrivilege	1236	WMIC.exe
Token: SeSystemProfilePrivilege	1236	WMIC.exe
Token: SeSystemtimePrivilege	1236	WMIC.exe
Token: SeProfSingleProcessPrivilege	1236	WMIC.exe
Token: SeIncBasePriorityPrivilege	1236	WMIC.exe
Token: SeCreatePagefilePrivilege	1236	WMIC.exe
Token: SeBackupPrivilege	1236	WMIC.exe
Token: SeRestorePrivilege	1236	WMIC.exe
Token: SeShutdownPrivilege	1236	WMIC.exe
Token: SeDebugPrivilege	1236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1236	WMIC.exe
Token: SeRemoteShutdownPrivilege	1236	WMIC.exe
Token: SeUndockPrivilege	1236	WMIC.exe
Token: SeManageVolumePrivilege	1236	WMIC.exe
Token: 33	1236	WMIC.exe
Token: 34	1236	WMIC.exe
Token: 35	1236	WMIC.exe
Token: 36	1236	WMIC.exe
Token: SeBackupPrivilege	2292	wbengine.exe
Token: SeRestorePrivilege	2292	wbengine.exe
Token: SeSecurityPrivilege	2292	wbengine.exe
Token: SeIncreaseQuotaPrivilege	796	WMIC.exe
Token: SeSecurityPrivilege	796	WMIC.exe
Token: SeTakeOwnershipPrivilege	796	WMIC.exe
Token: SeLoadDriverPrivilege	796	WMIC.exe
Token: SeSystemProfilePrivilege	796	WMIC.exe
Token: SeSystemtimePrivilege	796	WMIC.exe
Token: SeProfSingleProcessPrivilege	796	WMIC.exe
Token: SeIncBasePriorityPrivilege	796	WMIC.exe
Token: SeCreatePagefilePrivilege	796	WMIC.exe
Token: SeBackupPrivilege	796	WMIC.exe
Token: SeRestorePrivilege	796	WMIC.exe
Token: SeShutdownPrivilege	796	WMIC.exe
Token: SeDebugPrivilege	796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	796	WMIC.exe
Token: SeRemoteShutdownPrivilege	796	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

lsess.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4528 wrote to memory of 3400	4528	lsess.exe	cmd.exe
PID 4528 wrote to memory of 3400	4528	lsess.exe	cmd.exe
PID 4528 wrote to memory of 2788	4528	lsess.exe	cmd.exe
PID 4528 wrote to memory of 2788	4528	lsess.exe	cmd.exe
PID 2788 wrote to memory of 4436	2788	cmd.exe	netsh.exe
PID 2788 wrote to memory of 4436	2788	cmd.exe	netsh.exe
PID 3400 wrote to memory of 4560	3400	cmd.exe	vssadmin.exe
PID 3400 wrote to memory of 4560	3400	cmd.exe	vssadmin.exe
PID 2788 wrote to memory of 4592	2788	cmd.exe	netsh.exe
PID 2788 wrote to memory of 4592	2788	cmd.exe	netsh.exe
PID 3400 wrote to memory of 1236	3400	cmd.exe	WMIC.exe
PID 3400 wrote to memory of 1236	3400	cmd.exe	WMIC.exe
PID 3400 wrote to memory of 768	3400	cmd.exe	bcdedit.exe
PID 3400 wrote to memory of 768	3400	cmd.exe	bcdedit.exe
PID 3400 wrote to memory of 300	3400	cmd.exe	bcdedit.exe
PID 3400 wrote to memory of 300	3400	cmd.exe	bcdedit.exe
PID 3400 wrote to memory of 2544	3400	cmd.exe	wbadmin.exe
PID 3400 wrote to memory of 2544	3400	cmd.exe	wbadmin.exe
PID 4528 wrote to memory of 5084	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 5084	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 5084	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 1480	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 1480	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 1480	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 628	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 628	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 628	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 5052	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 5052	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 5052	4528	lsess.exe	mshta.exe
PID 4528 wrote to memory of 1580	4528	lsess.exe	cmd.exe
PID 4528 wrote to memory of 1580	4528	lsess.exe	cmd.exe
PID 1580 wrote to memory of 4652	1580	cmd.exe	vssadmin.exe
PID 1580 wrote to memory of 4652	1580	cmd.exe	vssadmin.exe
PID 1580 wrote to memory of 796	1580	cmd.exe	WMIC.exe
PID 1580 wrote to memory of 796	1580	cmd.exe	WMIC.exe
PID 1580 wrote to memory of 2596	1580	cmd.exe	bcdedit.exe
PID 1580 wrote to memory of 2596	1580	cmd.exe	bcdedit.exe
PID 1580 wrote to memory of 3352	1580	cmd.exe	bcdedit.exe
PID 1580 wrote to memory of 3352	1580	cmd.exe	bcdedit.exe
PID 1580 wrote to memory of 1080	1580	cmd.exe	wbadmin.exe
PID 1580 wrote to memory of 1080	1580	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\lsess.exe
"C:\Users\Admin\AppData\Local\Temp\lsess.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528

C:\Users\Admin\AppData\Local\Temp\lsess.exe
"C:\Users\Admin\AppData\Local\Temp\lsess.exe"
2⤵
PID:3420

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:4436

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:4592

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4560

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:768

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:300

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:2544

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:1480

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:5084

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:5052

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4652

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2596

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1080

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3352

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2⤵
PID:628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Indicator Removal

3

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

4

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[68F7F56C-3413].[[email protected]].Elbie

Filesize
1.7MB

MD5
11fc7b197c2bd98d7fac6e3bb689d59b

SHA1
9dea70747572f2b26266e7dbec5c828c72e55a21

SHA256
44251a5e99f4d481a214617d0fbc90843f2d565449478a1eabdb7213b42e885e

SHA512
ec4a39d58d9be8778b09adb53c8b73d478d81392be25535d89034d83b2a12d066de28b4e941b663ce2a4ab12a078605b99db572d31a02f49c2e665a707bae3ed

Download Submit
C:\info.hta

Filesize
4KB

MD5
6c8103819c418bacdd32a278f1b45f51

SHA1
2708b0031ac0cf12a55d6b2eb4798fe1477682ab

SHA256
b1381aba1f42b9f7e43612d36eebbaeb921ce5da8438dbd0d11031001908ddee

SHA512
e2c9199c8f2f0a63a4e6edf98987689f3fa900594b756e5cada252a65559c18c6fc134b7e7acde70cdddf6e471edca192c18c7fc9b91fbf2658c41ba7ba51183

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads