neshta | b1968b4be3f82fc26b1e2decdcb8f532915aed847603aeeaf254722bdd411d26

Resubmissions

16-03-2024 17:17

240316-vtswysfd2y 10

16-03-2024 15:31

240316-syg9xafg39 10

15-03-2024 08:15

240315-j5rmgsbg5z 10

Analysis

max time kernel
624s
max time network
630s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
Size

97KB
MD5

8881f3e50b9f1bcb315769e24b76a3cc
SHA1

f6f21445663a197b8f88a7a2fdbc4cbe2bf3be51
SHA256

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1
SHA512

dde4d848499dd0eb92982358ad2990a82c22e2c1738a0387ca03dfadfd602b9fe429570815acf648aebc11e5337b1bc44b77e58f4aabd2f9ca5be88f6a34111b
SSDEEP

1536:JxqjQ+P04wsmJCf5HqwoOFcqZNeRBl5PT/rx1mzwRMSTdLpJ1M:sr85CfxbtcSQRrmzwR5JS

Score

10^/10

neshta phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta payload 54 IoCs

Processes:

resource	yara_rule
behavioral2/memory/232-5-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
behavioral2/memory/232-27-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\odt\office2016setup.exe	family_neshta
behavioral2/memory/232-76-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-78-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-119-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-127-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-154-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-207-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-213-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Users\Admin\AppData\Local\0C0C9A~1.EXE	family_neshta
behavioral2/memory/232-368-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-389-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-393-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-456-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-463-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-972-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-974-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-975-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-978-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-988-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-993-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1000-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1005-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1009-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1013-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1019-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1031-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1042-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1053-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1056-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1064-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1076-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1079-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1084-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1089-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1098-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1105-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1126-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1135-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1136-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1144-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1149-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1159-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1167-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1173-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1332-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1337-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1353-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1412-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-1803-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-2304-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/232-2497-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4944 bcdedit.exe
4872 bcdedit.exe
Renames multiple (122) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3980 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1784 netsh.exe
2876 netsh.exe

pid	process
4944	bcdedit.exe
4872	bcdedit.exe

pid	process
3980	wbadmin.exe

pid	process
1784	netsh.exe
2876	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

Drops startup file 1 IoCs

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

Executes dropped EXE 2 IoCs

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

pid	process
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4252	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1 = "C:\\Users\\Admin\\AppData\\Local\\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe"	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1 = "C:\\Users\\Admin\\AppData\\Local\\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe"	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-609813121-2907144057-1731107329-1000\desktop.ini	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\desktop.ini	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

Drops file in Program Files directory 64 IoCs

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Controls.Ribbon.resources.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\libffi.md	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\mlib_image.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Controls.Ribbon.resources.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\PresentationFramework.resources.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lt.pak.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-handle-l1-1-0.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.CodeDom.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ppd.xrm-ms	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationUI.resources.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.Win32.SystemEvents.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Drawing.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Emit.Lightweight.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.FileSystem.AccessControl.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\System.Windows.Forms.Design.resources.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\UIAutomationClientSideProviders.resources.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\PresentationFramework.AeroLite.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\LICENSE	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-phn.xrm-ms.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\PresentationUI.resources.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13185~1.17\MICROS~3.EXE	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Windows.Presentation.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\PresentationFramework.resources.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Diagnostics.EventLog.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Data.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Java\jre-1.8\bin\deploy.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\UIAutomationClient.resources.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-rtlsupport-l1-1-0.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Requests.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Windows.Forms.Design.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ppd.xrm-ms	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Forms.Design.dll.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\j2gss.dll	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Microsoft Office\AppXManifest.xml.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.id[0F76C2C3-3423].[MyFile@waifu.club].faust	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

Drops file in Windows directory 4 IoCs

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exewbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

884 vssadmin.exe

pid	process
884	vssadmin.exe

Modifies registry class 1 IoCs

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

pid	process
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
Token: SeBackupPrivilege	4888	vssvc.exe
Token: SeRestorePrivilege	4888	vssvc.exe
Token: SeAuditPrivilege	4888	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4708	WMIC.exe
Token: SeSecurityPrivilege	4708	WMIC.exe
Token: SeTakeOwnershipPrivilege	4708	WMIC.exe
Token: SeLoadDriverPrivilege	4708	WMIC.exe
Token: SeSystemProfilePrivilege	4708	WMIC.exe
Token: SeSystemtimePrivilege	4708	WMIC.exe
Token: SeProfSingleProcessPrivilege	4708	WMIC.exe
Token: SeIncBasePriorityPrivilege	4708	WMIC.exe
Token: SeCreatePagefilePrivilege	4708	WMIC.exe
Token: SeBackupPrivilege	4708	WMIC.exe
Token: SeRestorePrivilege	4708	WMIC.exe
Token: SeShutdownPrivilege	4708	WMIC.exe
Token: SeDebugPrivilege	4708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4708	WMIC.exe
Token: SeRemoteShutdownPrivilege	4708	WMIC.exe
Token: SeUndockPrivilege	4708	WMIC.exe
Token: SeManageVolumePrivilege	4708	WMIC.exe
Token: 33	4708	WMIC.exe
Token: 34	4708	WMIC.exe
Token: 35	4708	WMIC.exe
Token: 36	4708	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4708	WMIC.exe
Token: SeSecurityPrivilege	4708	WMIC.exe
Token: SeTakeOwnershipPrivilege	4708	WMIC.exe
Token: SeLoadDriverPrivilege	4708	WMIC.exe
Token: SeSystemProfilePrivilege	4708	WMIC.exe
Token: SeSystemtimePrivilege	4708	WMIC.exe
Token: SeProfSingleProcessPrivilege	4708	WMIC.exe
Token: SeIncBasePriorityPrivilege	4708	WMIC.exe
Token: SeCreatePagefilePrivilege	4708	WMIC.exe
Token: SeBackupPrivilege	4708	WMIC.exe
Token: SeRestorePrivilege	4708	WMIC.exe
Token: SeShutdownPrivilege	4708	WMIC.exe
Token: SeDebugPrivilege	4708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4708	WMIC.exe
Token: SeRemoteShutdownPrivilege	4708	WMIC.exe
Token: SeUndockPrivilege	4708	WMIC.exe
Token: SeManageVolumePrivilege	4708	WMIC.exe
Token: 33	4708	WMIC.exe
Token: 34	4708	WMIC.exe
Token: 35	4708	WMIC.exe
Token: 36	4708	WMIC.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.execmd.execmd.exe

description	pid	process	target process
PID 232 wrote to memory of 4468	232	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
PID 232 wrote to memory of 4468	232	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
PID 232 wrote to memory of 4468	232	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
PID 4468 wrote to memory of 2244	4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe	cmd.exe
PID 4468 wrote to memory of 2244	4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe	cmd.exe
PID 4468 wrote to memory of 4304	4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe	cmd.exe
PID 4468 wrote to memory of 4304	4468	0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe	cmd.exe
PID 2244 wrote to memory of 1784	2244	cmd.exe	netsh.exe
PID 2244 wrote to memory of 1784	2244	cmd.exe	netsh.exe
PID 4304 wrote to memory of 884	4304	cmd.exe	vssadmin.exe
PID 4304 wrote to memory of 884	4304	cmd.exe	vssadmin.exe
PID 2244 wrote to memory of 2876	2244	cmd.exe	netsh.exe
PID 2244 wrote to memory of 2876	2244	cmd.exe	netsh.exe
PID 4304 wrote to memory of 4708	4304	cmd.exe	WMIC.exe
PID 4304 wrote to memory of 4708	4304	cmd.exe	WMIC.exe
PID 4304 wrote to memory of 4944	4304	cmd.exe	bcdedit.exe
PID 4304 wrote to memory of 4944	4304	cmd.exe	bcdedit.exe
PID 4304 wrote to memory of 4872	4304	cmd.exe	bcdedit.exe
PID 4304 wrote to memory of 4872	4304	cmd.exe	bcdedit.exe
PID 4304 wrote to memory of 3980	4304	cmd.exe	wbadmin.exe
PID 4304 wrote to memory of 3980	4304	cmd.exe	wbadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
"C:\Users\Admin\AppData\Local\Temp\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe"
1⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:232

C:\Users\Admin\AppData\Local\Temp\3582-490\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\3582-490\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe"
3⤵
- Executes dropped EXE
PID:4252

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
4⤵
- Modifies Windows Firewall
PID:1784

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
4⤵
- Modifies Windows Firewall
PID:2876

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:884

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:4944

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:4872

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:3980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
442KB

MD5
7f5189b58f3c1d910ac26a4565b1ab9f

SHA1
b21a0e8640fb1cb190e4b9d87c3dfe92f330b54f

SHA256
188614f4e2c381f1a4dec150d865d6d232a7a7bf19c53606c46b675636c9c583

SHA512
9f1e25ec135fcf4f1db89165442b75200ef4022dce5d1d40110419f8ef0ac73510ee796c8152c22e3696d4f478084a7fbbd666e4405eec671685b9d363adbac3

Download Submit
C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\StartUp\0C0C9A~1.EXE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\0C0C9A~1.EXE
Filesize
97KB

MD5
8881f3e50b9f1bcb315769e24b76a3cc

SHA1
f6f21445663a197b8f88a7a2fdbc4cbe2bf3be51

SHA256
0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1

SHA512
dde4d848499dd0eb92982358ad2990a82c22e2c1738a0387ca03dfadfd602b9fe429570815acf648aebc11e5337b1bc44b77e58f4aabd2f9ca5be88f6a34111b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.id[0F76C2C3-3423].[MyFile@waifu.club].faust
Filesize
3.8MB

MD5
5013c8441a8f0e0b87f8eebc315c054f

SHA1
7abd7f29bb88ada09a4fb679f5eca0979bc48ca7

SHA256
085bac5b744f52fbe3ba1f88a1391d3ca37430fad6c94a1526aa09f4c33e4438

SHA512
39d46daa1d49a3aac2563846d3f9cf3bd6132ab0ad6f7c35b1ebed7fd4ac36942775e8f22e6793e6c4da85e00b2b9b907a7490e206d5fe3bcdacb08d1aab2b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
Filesize
57KB

MD5
4a54a5620dbb4242dd30c22e3f87d284

SHA1
7fbe4c39ae19dc31f401ec87b3f786b308b0a99e

SHA256
aeae9f524a881e67bb62cf15fc67dc36a5a751f91a849a1d546f618104a33191

SHA512
47a97181c6914cf20f3e1ca8816e4ae49fa186915bc660e20fd6396524a5c1c96e8f6c746be6a050f61d735421de2e77cd2c1feaf8a8f25e258cff60df5df32e

Download Submit
C:\odt\office2016setup.exe
Filesize
3.7MB

MD5
a230bbd39417ccc2174014ea6d09bdb9

SHA1
74907f988290c67e20119b908de12829af6f79c1

SHA256
7360de8d2abcd8830bc04a0c18e2bc57969202d0b55ce562cddabdeba8e38a32

SHA512
91b4863858883a1d113fd52e8eb21f373fbe2d9a0ee567a86e88007b65e558981b4a2a160ab31dc2dd48824993e51387372d1f50178a294b8897845535228ae3

Download Submit
memory/232-1009-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-154-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-78-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-127-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1031-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-207-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-213-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-368-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-389-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-393-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-456-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-463-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-972-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-974-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-975-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-978-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1019-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-993-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1000-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1005-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-5-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1013-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-988-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-27-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-2304-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1053-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1056-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1064-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1076-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1079-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1084-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1089-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1098-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1105-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1126-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1144-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1149-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1159-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1167-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1173-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1332-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1353-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1412-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1803-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-1042-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/232-2497-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download