Malware Analysis Report

2024-09-11 01:08

Sample ID 240226-rz6s8age24
Target ST.exe
SHA256 e67b8937b56c354ff06e857361f8860860f913a63f79427cf37db741ffcb02a1
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e67b8937b56c354ff06e857361f8860860f913a63f79427cf37db741ffcb02a1

Threat Level: Known bad

The file ST.exe was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (213) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-26 14:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 14:38

Reported

2024-02-26 14:41

Platform

win11-20240221-en

Max time kernel

158s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ST.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (213) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ST.exe C:\Users\Admin\AppData\Local\Temp\ST.exe N/A

Reads user/profile data of web browsers

spyware stealer

In a file-encrypting sample this signature is usually raised by the encryption sweep opening files inside browser profile directories rather than by credential theft; the Network section of this report records no outbound data transfer, so no exfiltration was observed in this detonation.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ST = "C:\\Users\\Admin\\AppData\\Local\\ST.exe" C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run\ST = "C:\\Users\\Admin\\AppData\\Local\\ST.exe" C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
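
Both Run values point to C:\Users\Admin\AppData\Local\ST.exe while the process that wrote them is C:\Users\Admin\AppData\Local\Temp\ST.exe, and the Drops startup file row shows a third copy in the user's Startup folder: the sample copies itself out of Temp and registers the copy in HKLM Run, HKCU Run and Startup. The following check is an added example written for this page, not code from the sandbox or the sample. Given autostart entries as (location, name, stored value, writer process) it unquotes and normalises the stored value, flags targets or writers in user-writable locations, notes when a process registers a copy of itself at a different path, and counts how many autostart locations point at the same binary. The entries are constructed from the Run-key and Startup-folder rows in this report plus one constructed benign SecurityHealth entry; the user-writable prefix list is an assumption for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AutostartEntry:
    location: str  # registry key or folder holding the entry
    name: str      # value name (Run key) or file name (Startup folder)
    value: str     # command or path as stored
    writer: str    # image path of the process that created the entry


# Directory prefixes an unprivileged user can write to (assumed list for this
# example). A persistence target living here was dropped at run time rather than
# installed under Program Files or Windows by an administrator.
USER_WRITABLE = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I),
    re.compile(r"^[a-z]:\\users\\public\\", re.I),
    re.compile(r"^[a-z]:\\programdata\\", re.I),
    re.compile(r"\\temp\\", re.I),
]


def normalize(value: str) -> str:
    """Executable path out of a stored autostart value.

    Registry dumps double the backslashes and quote the path; an unquoted value
    is cut after the first '.exe', falling back to the first token.
    """
    v = value.strip().replace("\\\\", "\\")
    if v.startswith('"'):
        return v[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", v, re.I)
    return m.group(1) if m else v.split(" ", 1)[0]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def is_user_writable(path: str) -> bool:
    return any(rx.search(path) for rx in USER_WRITABLE)


def assess(entries: List[AutostartEntry]) -> List[dict]:
    """Every entry with the reasons (possibly none) it looks like malware persistence."""
    findings = []
    locations_by_target: Dict[str, List[str]] = {}
    for e in entries:
        target = normalize(e.value)
        reasons = []
        if is_user_writable(target):
            reasons.append("target in user-writable path")
        if is_user_writable(e.writer):
            reasons.append("writer runs from user-writable path")
        if basename(target).lower() == basename(e.writer).lower() and target.lower() != e.writer.lower():
            reasons.append("writer registered a copy of itself at another path")
        findings.append({"location": e.location, "name": e.name, "target": target, "reasons": reasons})
        locations_by_target.setdefault(target.lower(), []).append(e.location)
    # The same binary registered in several autostart locations is redundant
    # persistence, the pattern this sample shows with HKLM Run and HKCU Run.
    for f in findings:
        n = len(locations_by_target[f["target"].lower()])
        if n > 1:
            f["reasons"].append(f"same target registered in {n} autostart locations")
    return findings


def suspicious(entries: List[AutostartEntry]) -> List[dict]:
    return [f for f in assess(entries) if f["reasons"]]


WRITER = r"C:\Users\Admin\AppData\Local\Temp\ST.exe"
# Constructed from the Run-key and Startup-folder rows in this report, plus one
# constructed benign entry in the shape of the default Windows Security tray value.
ENTRIES = [
    AutostartEntry(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ST",
                   r'"C:\\Users\\Admin\\AppData\\Local\\ST.exe"', WRITER),
    AutostartEntry(r"\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\Software\Microsoft\Windows\CurrentVersion\Run", "ST",
                   r'"C:\\Users\\Admin\\AppData\\Local\\ST.exe"', WRITER),
    AutostartEntry(r"c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup", "ST.exe",
                   r"c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ST.exe", WRITER),
    AutostartEntry(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                   r"C:\Windows\system32\SecurityHealthSystray.exe", r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    for f in suspicious(ENTRIES):
        print(f["location"], f["name"], f["target"], "; ".join(f["reasons"]))
```

On a live host the same logic applies to values read with reg.exe or Get-ItemProperty and to the Startup folder listing; the writer field comes from process-creation or registry-set telemetry (Sysmon event IDs 11 and 13, for example), which is what lets the self-copy and user-writable-writer checks fire.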

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-160263616-143223877-1356318919-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-160263616-143223877-1356318919-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\ST.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Windows.Extensions.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\Microsoft.VisualBasic.Forms.resources.dll.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\PresentationFramework.resources.dll.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\PresentationCore.resources.dll.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-pl.xrm-ms.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxbgt.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.Extensions.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.Xml.Linq.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\meta-index.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework.Royale.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwnumbered.dotx.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Collections.Concurrent.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ServiceProcess.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXT.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Controls.Ribbon.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-phn.xrm-ms.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\WindowsBase.resources.dll.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\WindowsFormsIntegration.resources.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.id[85B5A3E2-2451].[[email protected]].calix C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
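
Every renamed file above follows the Phobos-family layout <original name>.id[<victim id>].[<contact>].<extension>, with victim id 85B5A3E2-2451 and extension calix in this detonation; the contact address is redacted on this page and survives only as the literal [email protected]. The following parser is an added example written for this page, not code from the sandbox or the sample. It extracts those fields from a file listing and summarises what it finds, so an analyst can confirm a single victim id and extension across a host, pull the original file names for restoration, and separate renamed files from originals the sample merely opened. The sample paths are copied from the table above; the naming layout itself is an assumption about the family, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Appended-name layout used by Phobos-family ransomware, as seen in this report:
#   <original name>.id[<victim id>].[<contact>].<extension>
# Victim id in this detonation is 85B5A3E2-2451 (8 hex digits, dash, 4 hex digits)
# and the extension is "calix". The contact is whatever sits inside the second
# bracket pair; on this page it survives only as the literal "[email protected]",
# so the pattern accepts any bracketed text, nested brackets included. The layout
# is an assumption about the family's naming, not something the report states.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class PhobosName:
    original: str   # file name before encryption, e.g. "jli.dll"
    victim_id: str  # per-victim id embedded in every renamed file
    contact: str    # attacker contact string (redacted on this page)
    ext: str        # trailing extension, "calix" for this sample


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def parse_phobos_name(path: str) -> Optional[PhobosName]:
    """Parsed fields if the file name has the Phobos layout, otherwise None."""
    m = PHOBOS_NAME.match(basename(path))
    if m is None:
        return None
    return PhobosName(m["original"], m["victim_id"], m["contact"], m["ext"])


def summarize(paths: Iterable[str]) -> dict:
    """Count renamed files and collect the distinct ids, contacts and extensions.

    More than one victim id or extension in a single host's listing usually means
    more than one run (or more than one family) touched the disk.
    """
    hits = [p for p in (parse_phobos_name(x) for x in paths) if p is not None]
    return {
        "renamed": len(hits),
        "victim_ids": sorted({h.victim_id for h in hits}),
        "contacts": sorted({h.contact for h in hits}),
        "extensions": sorted({h.ext for h in hits}),
        "originals": sorted(h.original for h in hits),
    }


# Constructed input: paths copied from the "Drops file in Program Files directory"
# table above. The last two are originals the sample only opened; their renamed
# copies are not in that excerpt, so they must not be counted.
REPORT_PATHS = [
    r"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\Microsoft.VisualBasic.Forms.resources.dll.id[85B5A3E2-2451].[[email protected]].calix",
    r"C:\Program Files\Java\jdk-1.8\jre\bin\jli.dll.id[85B5A3E2-2451].[[email protected]].calix",
    r"C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.id[85B5A3E2-2451].[[email protected]].calix",
    r"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Windows.Extensions.dll",
    r"C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts",
]

if __name__ == "__main__":
    for path in REPORT_PATHS:
        print(parse_phobos_name(path))
    print(summarize(REPORT_PATHS))
```

Fed a full directory walk of an affected host, summarize() gives the count to compare against the 213 renames the sandbox reports and a list of original names that can be checked against backups.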

Checks SCSI registry key(s)

The process querying these keys is vds.exe, the Virtual Disk Service started through vdsldr.exe -Embedding (both listed under Processes) while the backup and shadow-copy commands run; it enumerates disk devices as part of its normal job. The sample itself does not read these keys, so this signature is a side effect of the recovery-inhibition commands rather than sandbox or VM detection by ST.exe.

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ST.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Only the first row is the sample's own action (ST.exe enabling SeDebugPrivilege). The vssvc.exe, WMIC.exe and wbengine.exe rows are the privileges those Windows components adjust for themselves when the vssadmin, wmic and wbadmin commands listed under Processes are executed; the numeric tokens 33-36 are privilege LUIDs the sandbox did not resolve to names.

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ST.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Every target here is a child that the writing process itself started (the PIDs line up with the command lines listed under Processes), so these rows document the spawn chain ST.exe (2444) -> cmd.exe (2736, 1256) -> netsh, vssadmin, WMIC, bcdedit and wbadmin rather than injection into an unrelated process. Each pair of identical rows corresponds to one process creation: nine children, eighteen rows.

Description Indicator Process Target
PID 2444 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\ST.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\ST.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\ST.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\ST.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2736 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1256 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1256 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2736 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2736 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1256 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1256 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1256 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1256 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1256 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1256 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1256 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1256 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ST.exe

"C:\Users\Admin\AppData\Local\Temp\ST.exe"

C:\Users\Admin\AppData\Local\Temp\ST.exe

"C:\Users\Admin\AppData\Local\Temp\ST.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe
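
The process list above, read together with the PID relationships under Suspicious use of WriteProcessMemory, gives the full pre-encryption chain: ST.exe (PID 2444) spawns two cmd.exe instances, one (PID 2736) disables the firewall with netsh, the other (PID 1256) runs vssadmin, WMIC, bcdedit and wbadmin to remove shadow copies, the backup catalog and boot recovery. The following detector is an added example written for this page, not code from the sandbox or the sample. It rebuilds process ancestry from constructed process-creation records (PIDs and command lines taken from this report; ST.exe's own parent is not in the report and is set to 0; which of the two netsh and two bcdedit PIDs ran which command line is assumed from list order), matches each command line against rules mapped to ATT&CK T1490 (Inhibit System Recovery) and T1562.004 (Disable or Modify System Firewall), and raises a ransomware pattern when one process tree issues several distinct T1490 commands. A constructed benign "vssadmin list shadows" record shows that read-only queries do not fire.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str   # command line as logged


# Command-line patterns for the recovery-inhibition and firewall-tampering commands
# in this report, matched case-insensitively. ATT&CK mapping: T1490 Inhibit System
# Recovery, T1562.004 Impair Defenses: Disable or Modify System Firewall.
RULES = [
    ("T1490", "vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit recoveryenabled no",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1562.004", "netsh advfirewall state off",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("T1562.004", "netsh firewall opmode disable",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable\b", re.I)),
]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def ancestry(pid: int, procs: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the outermost known ancestor down to pid, e.g.
    ['ST.exe', 'cmd.exe', 'vssadmin.exe']. Stops at an unknown parent or a cycle."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = procs.get(cur.ppid)
    return list(reversed(chain))


def root_pid(pid: int, procs: Dict[int, ProcEvent]) -> int:
    """PID of the outermost known ancestor of pid."""
    cur = procs[pid]
    seen = {cur.pid}
    while cur.ppid in procs and cur.ppid not in seen:
        cur = procs[cur.ppid]
        seen.add(cur.pid)
    return cur.pid


def detect(events: List[ProcEvent]) -> List[dict]:
    """One finding per (process, rule) hit, each carrying its ancestry and root PID."""
    procs = {e.pid: e for e in events}
    findings = []
    for e in events:
        for technique, rule, rx in RULES:
            if rx.search(e.cmdline):
                findings.append({"pid": e.pid, "technique": technique, "rule": rule,
                                 "chain": ancestry(e.pid, procs), "root": root_pid(e.pid, procs)})
    return findings


def ransomware_pattern(findings: List[dict], min_distinct: int = 3) -> Optional[dict]:
    """Root PID whose tree issued at least min_distinct different T1490 commands.

    A lone 'vssadmin delete shadows' can be an administrator freeing disk space; several
    distinct recovery-inhibition commands from one tree is the pre-encryption pattern
    this sample shows.
    """
    by_root: Dict[int, set] = {}
    for f in findings:
        if f["technique"] == "T1490":
            by_root.setdefault(f["root"], set()).add(f["rule"])
    if not by_root:
        return None
    root, rules = max(by_root.items(), key=lambda kv: len(kv[1]))
    if len(rules) < min_distinct:
        return None
    return {"root": root, "distinct_t1490": len(rules), "rules": sorted(rules)}


# Constructed process-creation records. PIDs and command lines come from this report;
# ST.exe's parent is not in the report (set to 0), and the netsh/bcdedit PID-to-command
# mapping is assumed from list order. The last record is a constructed benign query.
EVENTS = [
    ProcEvent(2444, 0, r"C:\Users\Admin\AppData\Local\Temp\ST.exe", r'"C:\Users\Admin\AppData\Local\Temp\ST.exe"'),
    ProcEvent(2736, 2444, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(1256, 2444, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(3600, 2736, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    ProcEvent(4744, 2736, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    ProcEvent(2628, 1256, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(2492, 1256, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(1784, 1256, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(2068, 1256, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(3456, 1256, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(5000, 0, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f["technique"], f["rule"], " -> ".join(f["chain"]))
    print(ransomware_pattern(found))
```

The same ProcEvent records can be filled from Sysmon event ID 1 or Windows Security event 4688 (with command-line auditing enabled); the grouping by root ancestor is what turns seven individually explainable commands into one high-confidence alert on PID 2444.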

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp

The only network record in the 170 s capture is a reverse (PTR) lookup for 20.190.160.20 sent to Google Public DNS; no connection to attacker-controlled infrastructure was recorded, so nothing observed in this detonation depended on command-and-control.

Files

C:\Program Files\7-Zip\7-zip32.dll

MD5 e5f729728ef63949ee08cdb344e199a0
SHA1 39869fb44914a7aa172a48342d39dbdfbda4d65c
SHA256 ce89fdff60df750b5f78ae42df37b822cd79add907d2c2e604fd906bb5f85bd2
SHA512 5fe6ac63731b9ad38f2b23c3e9ec7a89f8624a24056cb251ce7e08d18687cdd23f17818892b4e1234121001689da2864a61fb239b1e40d0252554c3048f0d9a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngcc.md

MD5 ddc4cb14453391bcb5f4d645b2916a6c
SHA1 c4738d174c90c285e17bf51a9218256f45f96ea7
SHA256 0c19ba9eeecab3cbbdf38da08c3fa0266f10ce8166e056715931efc543335eeb
SHA512 34a32b92ffb2945608439653b5ecacba49fd3312ba5487ba14796c75b07655f0d8f735453dac117d46d204d3f810126f8a189f82c015fa8bb6ea37d9b8e0e30f

C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif

MD5 d13b5ffdeb538f15ee1d30f2788601d5
SHA1 8dc4da8e4efca07472b08b618bc059dcbfd03efa
SHA256 f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
SHA512 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 c5b7a97bda04c48435a145f2d1f9bb42
SHA1 bd94219a79987af3e4d4ce45b07edc2230aaf655
SHA256 07ec9bf950252d0254d4d778698c2e4173f36dbc3f57f51f34d1b85a07c2eab0
SHA512 7eb1a26cf8ef725ba6d1934ca4802f70cc22539017334c1d7a6873afeea6236bcd643b52630f7fa9d8a9e692f718ba42cc704ed5f8df17757028be63c3efad80

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml

MD5 809457c05fe696f5d34ac5ac8768cdd4
SHA1 a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9
SHA256 1b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be
SHA512 cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK

MD5 301657e2669b4c76979a15f801cc2adf
SHA1 f7430efc590e79b847ab97b6e429cd07ef886726
SHA256 802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b
SHA512 e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK

MD5 b9205d5c0a413e022f6c36d4bdfa0750
SHA1 f16acd929b52b77b7dad02dbceff25992f4ba95e
SHA256 951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a
SHA512 0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html

MD5 3be680b6a8edfdeed37bf5068a37dccd
SHA1 75bc261fc558634731e683e431e4a31c5b463107
SHA256 1777e4f7955cb5900c97d92081efc4b11704ee3b265717a7d7152972b49a36c4
SHA512 a3c8a91689105a14c49b020826944d32540353c56fb9e9a011639ff5107d25e1d3466f0fc487ef953c6bbf0c006abc5204e3a8f0093e1c633013a547f8ecab21