Malware Analysis Report

2024-09-11 01:08

Sample ID 240308-hj77nshg78
Target fast.exe
SHA256 3d47651f5e95c7e3a815a2d5f24eb3144824cb58d2ee6ba8b96d96973d1a6cba
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

3d47651f5e95c7e3a815a2d5f24eb3144824cb58d2ee6ba8b96d96973d1a6cba

Threat Level: Known bad

The file fast.exe was found to be: Known bad.

Malicious Activity Summary

phobos evasion persistence ransomware spyware stealer

Phobos

Renames multiple (319) files with added filename extension

Deletes shadow copies

Renames multiple (439) files with added filename extension

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Deletes backup catalog

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-08 06:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-08 06:47

Reported

2024-03-08 06:51

Platform

win7-20240221-en

Max time kernel

213s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (319) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J171AZTC\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J66V1Z9V\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NOLTSD35\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LEIE6HVY\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IXEVUZVE\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-406356229-2805545415-1236085040-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\activity16v.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunmscapi.dll.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_pt-PT.dll.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0214948.WMF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299763.WMF.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115876.GIF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Linq.Resources.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_F_COL.HXK C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.dub.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\about.html C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Midway C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_windy.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00687_.WMF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00468_.WMF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Mozilla Firefox\crashreporter.exe.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Gradient.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\hxdsui.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPISHELLR.DLL.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Solstice.eftx C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\FONTSCHM.INI.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR15F.GIF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Swift_Current.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188587.WMF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\PMAILEXT.ECF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-PT.pak C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME32.CSS.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293236.WMF.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXC C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceqp35.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WORDREP.DPV C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid.gif.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Oslo.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\default.vlt C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01063_.WMF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CONTACTS.ICO.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api.id[93390A5B-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR38F.GIF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2520 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2520 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2568 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2568 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2568 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2568 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2568 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2568 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2520 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2520 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2520 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2520 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2520 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2520 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2520 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2520 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2520 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2520 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2520 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2520 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\SysWOW64\mshta.exe
PID 1908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 1908 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2536 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2536 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2536 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2536 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2536 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2536 wrote to memory of 1472 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2536 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2536 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2536 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2536 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\fast.exe

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

C:\Users\Admin\AppData\Local\Temp\fast.exe

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[93390A5B-2815].[[email protected]].faust

MD5 a266ab1904e6fa10a4d56d7b6e0df278
SHA1 a4f05d5f2490aad1e0706ea4d0d53dcbb5279a2d
SHA256 48ad13c2d6fb6a3d71b078cff0b377b8dbb60798d392ba669a9ba87018905059
SHA512 260b0f0049407273c7edc6bce874ddad1756185fc09f441f22c316b3d5de14d020e698e5acb15df6cb03dcd852aef9f83581a443aa4e3372c2a70bafccfbc9a5

C:\info.hta

MD5 957b6ea48aef663a0366bb4377b8c30d
SHA1 9f3bd5092dc6422b0803b19047e744c20b6e044e
SHA256 a5c57cd3efe3d812cdb8615e6ffc9b25119c8459a3e0840562f9e3ba40c5af98
SHA512 8e5ba53702f4594f608cc6a8c11c34872306222177b3d2f666bfee6df8b494228f2c3cc6f21cbab77aeaddbf47e1ff2af873598d1bf4c13e7457aa6e58a74667

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-08 06:47

Reported

2024-03-08 06:50

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (439) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-256_contrast-white.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small2x.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FBIBLIO.DLL C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\README.md C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\ui-strings.js.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-48_contrast-black.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\MedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ul-oob.xrm-ms.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Requests.dll.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\ECHO.INF C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\MSFT_PackageManagement.strings.psd1 C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\content-types.properties.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\complete.contrast-black.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.RunTime.Serialization.Resources.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.Win32.Primitives.dll.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-250.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateCCFiles_280x192.svg C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\review_poster.jpg C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\ui-strings.js.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Private.DataContractSerialization.dll.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinEditors.v8.1.dll.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-48_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework-SystemCore.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho_64.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\MySite.ico C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-high.png C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ppd.xrm-ms.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.AccessControl.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\46.jpg C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javafx_font.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Security.Cryptography.Algorithms.dll C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\PREVIEW.GIF.id[7AEA40DE-2815].[[email protected]].faust C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 488 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 488 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 488 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 488 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\fast.exe C:\Windows\system32\cmd.exe
PID 2164 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2164 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4668 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4668 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4668 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4668 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4668 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4668 wrote to memory of 432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4668 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4668 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4668 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4668 wrote to memory of 3480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2164 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2164 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\fast.exe

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

C:\Users\Admin\AppData\Local\Temp\fast.exe

"C:\Users\Admin\AppData\Local\Temp\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe
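The command lines above are the pre-encryption sequence the signatures in this report key on: the sample spawns two cmd.exe instances, one turns the firewall off with both the advfirewall and the legacy netsh syntax, the other deletes shadow copies (vssadmin, wmic), sets the boot status policy to ignore failures and disables the recovery environment (bcdedit), then deletes the backup catalog (wbadmin). Matching any one of these commands on its own is noisy, since "vssadmin list shadows" or a bcdedit change by an administrator is routine; what marks this chain is several of them running under the same non-shell ancestor within one session. The detector below is an added example, not part of the sandbox report or its tooling: it runs over constructed Sysmon-style process-creation events that mirror the process tree above (PIDs taken from the WriteProcessMemory table; the parent PID of fast.exe and the benign vssadmin event at the end are assumed), walks each hit up past the cmd.exe wrappers to the process that drove them, and raises severity when two or more distinct recovery-inhibition actions (ATT&CK T1490) share a launcher. Firewall tampering is tagged T1562.004.

```python
"""Correlate the Phobos recovery-inhibition chain in process-creation telemetry.

Added example, not part of the sandbox report. Events are constructed to mirror
the report's process tree (field names follow Sysmon Event ID 1); PIDs come from
the report's WriteProcessMemory table, the parent of fast.exe and the benign
vssadmin event at the end are assumed.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(488, 1, r"C:\Users\Admin\AppData\Local\Temp\fast.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\fast.exe"'),
    ProcEvent(4668, 488, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(2164, 488, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(3996, 2164, r"C:\Windows\system32\netsh.exe",
              "netsh advfirewall set currentprofile state off"),
    ProcEvent(4360, 4668, r"C:\Windows\system32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet"),
    ProcEvent(1208, 4668, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(432, 4668, r"C:\Windows\system32\bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(3124, 4668, r"C:\Windows\system32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(3480, 4668, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(4392, 2164, r"C:\Windows\system32\netsh.exe",
              "netsh firewall set opmode mode=disable"),
    # Assumed benign admin activity: listing shadow copies must not fire.
    ProcEvent(5000, 4000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# (ATT&CK technique, label, pattern over the lower-cased command line)
RULES = [
    ("T1490", "shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("T1490", "shadow copies deleted (wmic)",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("T1490", "boot status policy set to ignoreallfailures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\b.*\bignoreallfailures\b")),
    ("T1490", "recovery environment disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("T1490", "backup catalog deleted",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("T1562.004", "firewall profile turned off (netsh advfirewall)",
     re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b")),
    ("T1562.004", "firewall disabled (legacy netsh firewall)",
     re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\b.*\bopmode\b.*\bdisable\b")),
]


def match_rules(ev):
    """Return (technique, label) for every rule the event's command line matches."""
    cmd = ev.cmdline.lower()
    return [(tid, label) for tid, label, rx in RULES if rx.search(cmd)]


def launcher_of(ev, by_pid):
    """Walk up the parent chain past any cmd.exe wrappers to the process that drove them."""
    cur, seen = ev, set()
    while cur.pid not in seen:
        seen.add(cur.pid)
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return cur
        if ntpath.basename(parent.image).lower() != "cmd.exe":
            return parent
        cur = parent
    return cur


def analyse(events):
    """Group rule hits by launcher; two or more distinct T1490 actions under one launcher is high."""
    by_pid = {e.pid: e for e in events}
    hits_by_launcher = {}
    for ev in events:
        for tid, label in match_rules(ev):
            hits_by_launcher.setdefault(launcher_of(ev, by_pid), []).append((tid, label, ev))
    findings = []
    for root, hits in hits_by_launcher.items():
        recovery = sorted({label for tid, label, _ in hits if tid == "T1490"})
        firewall = sorted({label for tid, label, _ in hits if tid == "T1562.004"})
        findings.append({
            "launcher": root.image,
            "launcher_pid": root.pid,
            "severity": "high" if len(recovery) >= 2 else "medium",
            "techniques": sorted({tid for tid, _, _ in hits}),
            "inhibit_recovery": recovery,
            "firewall_tamper": firewall,
            "child_pids": sorted(ev.pid for _, _, ev in hits),
        })
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"[{f['severity']}] {f['launcher']} (pid {f['launcher_pid']}) -> {f['techniques']}")
        for label in f["inhibit_recovery"] + f["firewall_tamper"]:
            print("   ", label)
```

On this input every hit collapses to a single launcher, fast.exe (PID 488), with five distinct T1490 actions and both firewall commands, while the assumed "vssadmin list shadows" event matches nothing. In production the same grouping should be bounded by a time window and by session, and the launcher's path (here a user-writable Temp directory) is a further signal worth weighting.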

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[7AEA40DE-2815].[[email protected]].faust

MD5 c1077b722997d35146dbfb806041e12c
SHA1 4e48e4cb6129a610f9b7074542ad11c3ddd685fb
SHA256 4efdb921f39804ead9d1bd77ce579913564115dc65fecdac3c683b9cc579d1e6
SHA512 d20412392b3bf8c3277ff6538e9e55800c80cd95ed5a8d535ea66c9754ca54ce58f87ae3d3be8fc88d03d4c471349c81c952efe6a563597da9cacd823c77e7ea
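The encrypted file name above shows the Phobos naming layout: the original name is kept and a marker of the form ".id[<8 hex>-<4 digits>].[<contact address>].<extension>" is appended, here with the "faust" extension (the contact address is masked on this page). During response that layout is what lets you scope the incident from a file listing alone: count the encrypted files, confirm they all carry one victim ID, and recover the original names so paths can be restored if a decryptor becomes available. The parser below is an added example, not part of the report; the sample paths are constructed from the report's first entry plus a few assumed user files, and the contact address in them is a placeholder.

```python
"""Parse and inventory Phobos-style encrypted file names.

Added example, not part of the sandbox report. The marker layout follows the
report's Files section: <original>.id[<8 hex>-<4 digits>].[<contact>].<ext>.
The sample paths are constructed; the contact address is a placeholder.
"""
import ntpath
import re
from collections import Counter

# Contact is matched non-greedily so an address that itself contains ']'
# (as in the masked form shown on the report page) still parses.
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<id_suffix>\d{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

SAMPLE_PATHS = [  # constructed
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll"
    r".id[7AEA40DE-2815].[recover@example.com].faust",
    r"C:\Users\Admin\Documents\budget.xlsx.id[7AEA40DE-2815].[recover@example.com].faust",
    r"C:\Users\Admin\Pictures\holiday.jpg.id[7AEA40DE-2815].[recover@example.com].faust",
    r"C:\Users\Admin\Desktop\info.txt",          # untouched file, not encrypted
    r"C:\Users\Admin\Music\track.id[1234].mp3",  # similar-looking but not the Phobos layout
]


def parse_phobos_name(path):
    """Return the marker fields for an encrypted file, or None if the name does not match."""
    directory, name = ntpath.split(path)
    m = PHOBOS_NAME.match(name)
    if not m:
        return None
    fields = m.groupdict()
    fields["original_path"] = ntpath.join(directory, fields["original"])
    return fields


def inventory(paths):
    """Count encrypted files per (victim id, extension) and list the original paths to restore."""
    by_marker = Counter()
    contacts = set()
    originals = []
    for p in paths:
        f = parse_phobos_name(p)
        if f is None:
            continue
        by_marker[(f["victim_id"].upper(), f["ext"])] += 1
        contacts.add(f["contact"])
        originals.append(f["original_path"])
    return {
        "encrypted": sum(by_marker.values()),
        "by_marker": dict(by_marker),
        "contacts": sorted(contacts),
        "originals": originals,
    }


if __name__ == "__main__":
    inv = inventory(SAMPLE_PATHS)
    print(inv["encrypted"], "encrypted files", inv["by_marker"], inv["contacts"])
    for orig in inv["originals"]:
        print("  restore as:", orig)
```

Run it against a directory walk rather than the constructed list to scope a real incident; a second victim ID or a second extension in the inventory usually means more than one affiliate build touched the host, which changes the decryption question.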