Malware Analysis Report

2024-09-11 01:05

Sample ID 240321-2fxrbaeb6y
Target AntiRecuvaDB.exe
SHA256 09cb34eeb242e0664d105e6e040ea247072297be4df66a5261eef59e5be613fa
Tags
phobos evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Threat Level: Known bad

The file AntiRecuvaDB.exe was found to be: Known bad.

Malicious Activity Summary

Phobos

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (68) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-21 22:32

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 22:32

Reported

2024-03-21 22:34

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (68) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\AntiRecuvaDB.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Reads user/profile data of web browsers

spyware stealer

No indicator rows were recorded for this signature and the Network section of this run is empty, so the heuristic is consistent with the encryptor enumerating and rewriting files under browser profile directories rather than with credential theft. Treat the spyware/stealer tags as low confidence unless a run shows outbound traffic.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaDB = "C:\\Users\\Admin\\AppData\\Local\\AntiRecuvaDB.exe" C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaDB = "C:\\Users\\Admin\\AppData\\Local\\AntiRecuvaDB.exe" C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\ConfirmOut.xltm C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Khartoum C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\ext.txt.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Chagos.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spl.txt.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticattribute.exsd.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\blacklist.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\whitemenu.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\rtstreamsource.ax C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\co.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.id[71E58B7A-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
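Every "File created" row above follows one naming scheme: the original name, then `.id[<8 hex>-<4 digits>]`, then the operator's contact address in square brackets (rendered on this page as `[email protected]`), then the appended extension `.gotmydatafast`. The parser below is an added example written for this page; it is not part of the sandbox report or of any Phobos tooling. It extracts the victim ID, contact string and extension from such names and summarises a list of paths the way a responder triaging a share would. The sample path list is constructed from names in the table above; the victim-ID shape and the single bracketed contact field are taken from this report only, and the contact group is deliberately lazy so that the nested brackets of the page's redacted address still parse.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Naming scheme seen in the file table above:
#   <original name>.id[<8 hex>-<4 digits>].[<contact>].<extension>
# The contact group is lazy rather than "[^]]+" because the page renders the
# address as "[email protected]" inside the outer brackets. The ID shape and the
# single contact field come from this report only (assumption: other Phobos
# builds may differ, so check the pattern before reusing it elsewhere).
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>.+?)\]"
    r"\.(?P<ext>[A-Za-z0-9_-]+)$"
)


class RenamedFile(NamedTuple):
    original: str
    victim_id: str
    contact: str
    ext: str


def parse_phobos_name(path: str) -> Optional[RenamedFile]:
    """Split the file name of a path into Phobos fields; None if it does not match."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = PHOBOS_NAME.match(name)
    if m is None:
        return None
    return RenamedFile(m["original"], m["victim_id"], m["contact"], m["ext"])


def summarise(paths):
    """Count renamed files per (victim_id, contact, ext); collect paths without the marker.

    One victim ID across a whole share means one run; several IDs mean several
    infections (or several hosts writing to the same share), which changes what
    the ransom note can tell you.
    """
    groups = Counter()
    unmarked = []
    for p in paths:
        parsed = parse_phobos_name(p)
        if parsed is None:
            unmarked.append(p)
        else:
            groups[(parsed.victim_id, parsed.contact, parsed.ext)] += 1
    return groups, unmarked


# Constructed sample: three renamed paths copied from the table above and two
# paths from the same table whose listed name carries no marker.
SAMPLE_PATHS = [
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.id[71E58B7A-3533].[[email protected]].gotmydatafast",
    r"C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.id[71E58B7A-3533].[[email protected]].gotmydatafast",
    r"C:\Program Files\7-Zip\Lang\sr-spl.txt.id[71E58B7A-3533].[[email protected]].gotmydatafast",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa",
    r"C:\Program Files\7-Zip\Lang\et.txt",
]

if __name__ == "__main__":
    groups, unmarked = summarise(SAMPLE_PATHS)
    for (vid, contact, ext), n in groups.items():
        print(f"id {vid}  contact {contact}  ext .{ext}: {n} file(s)")
    print(f"{len(unmarked)} path(s) without the marker")
```

Because the original name is captured lazily up to the first `.id[`, multi-dot names such as `derby.jar` survive intact, which matters when you later want to know which file types were hit.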

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A (64 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

The numeric tokens are privilege LUIDs the sandbox did not resolve to names (33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege in winnt.h). The two identical WMIC.exe privilege lists are the utility enabling everything already present in its inherited token, not privileges the sample acquired. The rows that matter for the ransomware behaviour are SeDebugPrivilege on AntiRecuvaDB.exe and the backup/restore privileges enabled by vssvc.exe and wbengine.exe, the services that carry out the shadow-copy and backup-catalog deletions requested through vssadmin, WMIC and wbadmin.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2612 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 2332 wrote to memory of 2064 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2600 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2064 wrote to memory of 2444 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2064 wrote to memory of 2284 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2612 wrote to memory of 2596 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2612 wrote to memory of 2732 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2612 wrote to memory of 1028 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2612 wrote to memory of 1032 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Three or four writes per child, each from the process that launched it, is what ordinary process creation looks like (the parent populates the new address space before the child starts); nothing here points to code injection into an unrelated process. Read as parent/child pairs, the rows give the process tree of the run. Command lines are paired with images from the Processes section below; where an image appears twice (bcdedit, netsh) the pairing follows the order of both lists.

  AntiRecuvaDB.exe (2332)
    cmd.exe (2612)
      vssadmin.exe (2600)  vssadmin delete shadows /all /quiet
      WMIC.exe (2596)      wmic shadowcopy delete
      bcdedit.exe (2732)   bcdedit /set {default} bootstatuspolicy ignoreallfailures
      bcdedit.exe (1028)   bcdedit /set {default} recoveryenabled no
      wbadmin.exe (1032)   wbadmin delete catalog -quiet
    cmd.exe (2064)
      netsh.exe (2444)     netsh advfirewall set currentprofile state off
      netsh.exe (2284)     netsh firewall set opmode mode=disable

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe
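The command lines above, read together with the parent and child PIDs in the WriteProcessMemory table, are the recovery-inhibition chain that detection content for Phobos keys on. The following Python is an added example for this page, not part of the sandbox report and not Phobos or vendor code. It runs a small set of command-line rules over constructed process-creation events (PIDs, images and command lines copied from this run; the record layout, the parent PID 1000 for the sample, the launcher list and the benign "vssadmin list shadows" event are assumptions) and correlates the hits back to the originating non-shell ancestor, so that eight separate child processes surface as one alert on AntiRecuvaDB.exe rather than as isolated LOLBin events. The ATT&CK technique IDs are the editor's mapping; the report's own matrix did not survive extraction.

```python
import re
from collections import defaultdict

# Constructed process-creation events for the behavioral1 run. PIDs, images and
# command lines are copied from the report; the record layout, the ppid 1000
# for the sample and the benign "vssadmin list shadows" event (pid 3000) are
# assumptions made for this example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"
CMD = r"C:\Windows\system32\cmd.exe"
EVENTS = [
    {"pid": 2332, "ppid": 1000, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 2612, "ppid": 2332, "image": CMD, "cmd": f'"{CMD}"'},
    {"pid": 2064, "ppid": 2332, "image": CMD, "cmd": f'"{CMD}"'},
    {"pid": 2600, "ppid": 2612, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 2596, "ppid": 2612, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"pid": 2732, "ppid": 2612, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1028, "ppid": 2612, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1032, "ppid": 2612, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmd": "wbadmin delete catalog -quiet"},
    {"pid": 2444, "ppid": 2064, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": "netsh advfirewall set currentprofile state off"},
    {"pid": 2284, "ppid": 2064, "image": r"C:\Windows\system32\netsh.exe",
     "cmd": "netsh firewall set opmode mode=disable"},
    # Benign administration that must not fire: listing shadows is not deleting them.
    {"pid": 3000, "ppid": 900, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
]

# Rule name -> pattern over the full command line. ATT&CK IDs are the editor's
# mapping (T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall).
RULES = {
    "T1490 vssadmin shadow deletion":
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "T1490 wmic shadow deletion":
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "T1490 wbadmin catalog deletion":
        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "T1490 bcdedit recovery tampering":
        re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*?\b(?:recoveryenabled\s+no"
                   r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "T1562.004 netsh firewall disabled":
        re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\w+\s+state\s+off"
                   r"|firewall\s+set\s+opmode\s+mode=disable)\b", re.I),
}

# Shells the sample hides behind; attribution looks through these to the real origin.
LAUNCHERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def match_rules(event):
    """Names of every rule whose pattern matches this event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmd"])]


def root_ancestor(events, pid):
    """Follow ppid links upward through launcher shells to the originating process.

    Returns the pid of the nearest ancestor that is not a launcher, or the last
    pid reached when the chain leaves the event set.
    """
    by_pid = {e["pid"]: e for e in events}
    cur, seen = pid, set()
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        parent = by_pid[cur]["ppid"]
        if parent not in by_pid:
            return cur
        if by_pid[parent]["image"].rsplit("\\", 1)[-1].lower() not in LAUNCHERS:
            return parent
        cur = parent
    return cur


def correlate(events, min_rules=3):
    """Group rule hits by originating process; keep roots with >= min_rules distinct rules.

    A single hit (one vssadmin delete from an admin's console) stays below the
    bar; the burst of five different techniques Phobos produces does not.
    """
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            hits[root_ancestor(events, ev["pid"])].add(name)
    return {pid: sorted(names) for pid, names in hits.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for pid, names in correlate(EVENTS).items():
        image = [e for e in EVENTS if e["pid"] == pid][0]["image"]
        print(f"pid {pid} ({image}):")
        for n in names:
            print("  ", n)
```

The threshold is on distinct rules per originating process, not on raw event counts, so the two bcdedit and two netsh invocations collapse to one technique each and the benign listing event never contributes. On real telemetry the same shape applies to Sysmon event 1 or Security 4688 records with parent PID fields.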

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[71E58B7A-3533].[[email protected]].gotmydatafast

MD5 1f639efea5f54fe3db5bf4dbd970f940
SHA1 c94e7a14fee6e03bb6af85bac495ef76f79fce2b
SHA256 5338313e213f8a4bc2376679dd79615e8ef0c74bbf140b161a4c7d00ea77cc4e
SHA512 05cc978e18b5550499d52260dfd7615781fdd666dffcfae59fa3a8a8531d80d1a52c1fdb5efcf0ff0d8e5d133f07bd8454737b5d10c144edae4cfa781f48c71e

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos

MD5 db10fd32bfe67918ed177579d4be9d76
SHA1 44ecf4c5a6fbbd1ace84d0efe91f13d6ba6bb738
SHA256 c936ab1da7ef4314182c8edabaeae90f8d51ed45bc48848d35670adf5b470d31
SHA512 bb574ef876e7529d4f3c4c52cc54aa1814f2c02030b83a5bd7223d4b31c992668c00e4a7e68d4f1caaa6493db4ac84eb649fe59e98feceb9828119cac1e74b05

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao

MD5 2b62a30906a2b8bf3b68abd2ef9d105b
SHA1 9898d25a214dba04ebd7e3030ac9e2e90ea7a369
SHA256 075561eff2cd3ad586776fa904f0040282c5f6a261f6a8fd6a0a524d14cd2d2c
SHA512 6db5955477a9bb5386c1af03df526496f9e64533e6c3071c8e5c44062541e91e9bb39096da947a91bdfa5e7de53c1e047dcf427c1dfde94554d7458f8f0862ea

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil

MD5 1ef5e829303a139ce967440e0cdca10c
SHA1 f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b
SHA256 98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7
SHA512 19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana

MD5 71c7e24524aea1022361143d0a876c84
SHA1 b141efff466f27664599dd2aa91f0b7c50736f1d
SHA256 07a692cc9bc920ef8caed75ba9af60ad2d6b144c83bfde3b91a77b5bcce277a3
SHA512 4cd51849de464e0139ce77de3003af1ab1b6c639862fb7d5e8362f33ef0a9828f8af9ebd6d4b4ce9dc5a67084bc5c1106fd3b3327fc428e25c75b780e98d37ff

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi

MD5 d13b5ffdeb538f15ee1d30f2788601d5
SHA1 8dc4da8e4efca07472b08b618bc059dcbfd03efa
SHA256 f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
SHA512 58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk

MD5 985f599bb4b81c01d5b5d16ad241d5ed
SHA1 a90b24a33383273378fc6429b95fdf62c4c2e5d5
SHA256 36bce57f9ab26334f370d700cd0a853618cf2051afbe561ba09b0aae5dc371a4
SHA512 fd8f3414083a7b4c75e9a5dc043f38db062971dcac022194c274d5f5816867961736dbf0e17b7da19ca9c835f2e11864e0f305895e8c76eee3d0c5ecdf3e0239

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide

MD5 0a876dfacfdabc170818581a2e6e6d54
SHA1 376fd52e52867f959cb2076fbbc4d214778a7fc0
SHA256 e28b98a94e0077340a3aece749f2d400c3f06890cec9447f4c2567bd1e7a5839
SHA512 766fb737e92fbd233563887cf8335c9aa4e96d3a970c28b7ddebbd21ca764dc85ee4ebd805538f697ad8b2d59ed0c53bd46d9fb7077d54c136f9c22bedae9cba

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10

MD5 65435a5d117aa6b052a5f737d9946a7b
SHA1 b8b17ad613463c3c9a1fe928819fb30cb853e6b1
SHA256 ea49aa9f6f6cf2d53d454e628ba5a339cc000230c4651655d0237711d747f50b
SHA512 4f85061ef6c66bf0e030af017af8c7154ed3f7953594ae2cf6f663e8b95ba978a54c171b01f212880e2711c2fd745a12b959ed27e7f6b1847273f70a4010ccde

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville

MD5 eeb20c9bc165677800b6dc7621a50cc9
SHA1 def5026103297fa44a2185104f2ee400cb93329c
SHA256 6a3a9301bb8dd782bb5c170bedfa73e9e7c60235e6e1840f14bd14b812127ef2
SHA512 d4e72f43c75de83deb0526233423726503354d7112618b44c94e695d159a02b6da4823a2c9a2be8cf71d2c7e42108d0db7edbb54a640579f853e6d110e7599ed

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury

MD5 335a7c8e767a2dd0ecf3460eaabb0bbd
SHA1 111ffd83edcb095d251067456a3a60b754b4c717
SHA256 a0bf83b3948dce6afe987c170a5cd711a3d65fcd5c70e3b7bbfeeb1578544609
SHA512 bf0772423bdc11a4029439acef8922c6c541519ce98bce97681d1a1da32bbf3a73f506138d494d9cc860b6afb3584094565db7683f6b2a2cb30e3e94430d1933

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT

MD5 b8d5d64c3ef0b30644898a80682f5121
SHA1 bbc7b3902250307a2cdbb314abe98e34795032be
SHA256 2f329134686a44ee0362fd0c8b5d071e38bade32a5389e31282f64f565e76759
SHA512 f1f90923769648e585f3f38724d203e4bf6a10cab7c6708f7791a83dd6348b3b9948eaf481baa7bef31ff63d75b6fe1ec00cb888dc1acc8b65b90d96bff39638

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

MD5 ab9d8ef2ffa9145d6c325cefa41d5d4e
SHA1 0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab
SHA256 65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785
SHA512 904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

MD5 b85026155b964b6f3a883c9a8b62dfe3
SHA1 5c38290813cd155c68773c19b0dd5371b7b1c337
SHA256 57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f
SHA512 c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 22:32

Reported

2024-03-21 22:34

Platform

win10v2004-20240226-en

Max time kernel

156s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\AntiRecuvaDB.exe C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaDB = "C:\\Users\\Admin\\AppData\\Local\\AntiRecuvaDB.exe" C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiRecuvaDB = "C:\\Users\\Admin\\AppData\\Local\\AntiRecuvaDB.exe" C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Text.RegularExpressions.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Primitives.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.InteropServices.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.Win32.Registry.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.NameResolution.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.Cryptography.Primitives.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Metadata.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Tasks.Dataflow.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-processthreads-l1-1-1.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\WindowsFormsIntegration.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsnor.xml C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-errorhandling-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationNative_cor3.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-rtlsupport-l1-1-0.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Tasks.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Drawing.Primitives.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\Microsoft.VisualBasic.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.Serialization.Formatters.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\PresentationFramework.resources.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.ServicePoint.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Json.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\PresentationCore.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\UIAutomationTypes.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Collections.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Sockets.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\PresentationUI.resources.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Overlapped.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Collections.Immutable.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\System.Windows.Input.Manipulations.resources.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework-SystemDrawing.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Drawing.Design.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\UIAutomationProvider.resources.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-sysinfo-l1-1-0.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\hostpolicy.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Requests.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-synch-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-processthreads-l1-1-1.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.ServiceProcess.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XPath.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\7-Zip\Lang\id.txt.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tt.txt C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.NetworkInformation.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Thread.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Collections.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-utility-l1-1-0.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Buffers.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\Microsoft.VisualBasic.Forms.resources.dll C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\System.Windows.Forms.resources.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.id[7368058D-3533].[[email protected]].gotmydatafast C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
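
The table above shows the Phobos naming convention for encrypted files: the original name, then `.id[<victim-id>-<campaign-id>]`, then `.[<contact address>]`, then the campaign extension (here victim ID 7368058D-3533 and extension `gotmydatafast`). The following parser is an added example for triaging a file listing from an affected host; it is not part of the sandbox report or the sample. The contact address in the report is redacted, so the constructed sample paths use a placeholder address, and the second victim ID and the `locked` extension are made up to show grouping.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Phobos suffix: <original>.id[<8 hex>-<4 digits>].[<contact>].<extension>
PHOBOS_SUFFIX = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<campaign_id>\d{4})\]"
    r"\.\[(?P<contact>[^\[\]]+)\]"
    r"\.(?P<extension>[A-Za-z0-9_]+)$"
)

# Constructed file listing modelled on the report; the contact address, the
# second victim ID (0A1B2C3D-2741) and the "locked" extension are placeholders.
SAMPLE_PATHS = [
    r"C:\Program Files\7-Zip\Lang\id.txt.id[7368058D-3533].[contact@example.com].gotmydatafast",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Json.dll.id[7368058D-3533].[contact@example.com].gotmydatafast",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.id[7368058D-3533].[contact@example.com].gotmydatafast",
    r"C:\Users\Admin\Documents\budget.xlsx.id[0A1B2C3D-2741].[other@example.net].locked",
    r"C:\Program Files\7-Zip\Lang\tt.txt",
    r"C:\Program Files\7-Zip\7-zip32.dll",
]


class PhobosName(NamedTuple):
    original: str
    victim_id: str
    campaign_id: str
    contact: str
    extension: str


def parse_phobos_name(path: str) -> Optional[PhobosName]:
    """Decompose a Phobos-renamed file; return None for any other name."""
    # Only the last path component is renamed; directories are left alone.
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = PHOBOS_SUFFIX.match(name)
    if not m:
        return None
    return PhobosName(
        m["original"],
        m["victim_id"].upper(),
        m["campaign_id"],
        m["contact"],
        m["extension"],
    )


def summarize(paths):
    """Aggregate a listing into IOCs: how many files carry the suffix and
    which victim IDs, contact addresses and extensions appear."""
    report = {
        "encrypted": 0,
        "untouched": 0,
        "victim_ids": Counter(),
        "contacts": Counter(),
        "extensions": Counter(),
        "originals": [],
    }
    for p in paths:
        parsed = parse_phobos_name(p)
        if parsed is None:
            report["untouched"] += 1
            continue
        report["encrypted"] += 1
        report["victim_ids"][f"{parsed.victim_id}-{parsed.campaign_id}"] += 1
        report["contacts"][parsed.contact] += 1
        report["extensions"][parsed.extension] += 1
        report["originals"].append(parsed.original)
    return report


if __name__ == "__main__":
    summary = summarize(SAMPLE_PATHS)
    print(f"encrypted={summary['encrypted']} untouched={summary['untouched']}")
    for key in ("victim_ids", "contacts", "extensions"):
        print(key, dict(summary[key]))
```

The victim ID is the value a Phobos decryptor or negotiation would key on, so grouping by it separates two infections that share a fileserver; the original-name list tells you which files need restoring from backup.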

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 1428 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 1428 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 1428 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe C:\Windows\system32\cmd.exe
PID 3132 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3132 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4860 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4860 wrote to memory of 3696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3132 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3132 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4860 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4860 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4860 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4860 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4860 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4860 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4860 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4860 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe

"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
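
The process list and the WriteProcessMemory table above together give the Phobos recovery-inhibition chain: AntiRecuvaDB.exe (PID 1428) spawns two cmd.exe children (4860 and 3132), one of which runs vssadmin, wmic, bcdedit and wbadmin to destroy shadow copies, backups and the recovery environment, while the other turns the firewall off with netsh. The detector below is an added example, not the sandbox's own logic: it reconstructs process trees from constructed process-creation events (modelled on the PIDs and command lines in the report; the parent of PID 1428 and the trailing "vssadmin list shadows" event are made up) and alerts only when one tree trips several distinct rules, so a lone administrative vssadmin call does not fire.

```python
import re
from collections import defaultdict

# Process-creation events constructed from the report's process tree. Fields
# follow the usual Sysmon Event ID 1 shape (pid, ppid, image, command line).
EVENTS = [
    {"pid": 1428, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\AntiRecuvaDB.exe"'},
    {"pid": 4860, "ppid": 1428, "image": r"C:\Windows\system32\cmd.exe", "cmd": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 3132, "ppid": 1428, "image": r"C:\Windows\system32\cmd.exe", "cmd": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2820, "ppid": 3132, "image": r"C:\Windows\system32\netsh.exe", "cmd": "netsh advfirewall set currentprofile state off"},
    {"pid": 3696, "ppid": 4860, "image": r"C:\Windows\system32\vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"pid": 3544, "ppid": 3132, "image": r"C:\Windows\system32\netsh.exe", "cmd": "netsh firewall set opmode mode=disable"},
    {"pid": 4664, "ppid": 4860, "image": r"C:\Windows\System32\Wbem\WMIC.exe", "cmd": "wmic shadowcopy delete"},
    {"pid": 3056, "ppid": 4860, "image": r"C:\Windows\system32\bcdedit.exe", "cmd": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4796, "ppid": 4860, "image": r"C:\Windows\system32\bcdedit.exe", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 5072, "ppid": 4860, "image": r"C:\Windows\system32\wbadmin.exe", "cmd": "wbadmin delete catalog -quiet"},
    # Constructed benign event: an administrator listing shadow copies.
    {"pid": 6000, "ppid": 1000, "image": r"C:\Windows\system32\vssadmin.exe", "cmd": "vssadmin list shadows"},
]

# (rule name, ATT&CK technique, pattern over the lower-cased command line)
RULES = [
    ("vssadmin_delete_shadows", "T1490", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete", "T1490", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("bcdedit_recoveryenabled_no", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("bcdedit_bootstatuspolicy_ignore", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("wbadmin_delete_catalog", "T1490", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("netsh_firewall_off", "T1562.004",
     re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)\b")),
]


def match_rules(events):
    """Return (event, rule name, technique) for every command line a rule matches."""
    hits = []
    for ev in events:
        cmd = ev["cmd"].lower()
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                hits.append((ev, name, technique))
    return hits


def root_ancestor(pid, by_pid):
    """Walk the parent chain up to the oldest ancestor present in the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def detect_recovery_inhibition(events, min_distinct_rules=2):
    """Group rule hits under their root ancestor and alert when one process
    tree trips at least min_distinct_rules different rules. The cmd.exe
    intermediaries are collapsed so the alert names the real origin."""
    by_pid = {ev["pid"]: ev for ev in events}
    trees = defaultdict(lambda: {"image": None, "rules": set(), "techniques": set(), "hits": []})
    for ev, name, technique in match_rules(events):
        root = root_ancestor(ev["pid"], by_pid)
        tree = trees[root]
        tree["image"] = by_pid[root]["image"]
        tree["rules"].add(name)
        tree["techniques"].add(technique)
        tree["hits"].append((ev["pid"], ev["cmd"]))
    return {root: t for root, t in trees.items() if len(t["rules"]) >= min_distinct_rules}


if __name__ == "__main__":
    for root, tree in detect_recovery_inhibition(EVENTS).items():
        print(f"ALERT root pid {root} ({tree['image']}): {sorted(tree['rules'])}")
        for pid, cmd in tree["hits"]:
            print(f"  {pid}: {cmd}")
```

Attributing hits to the root of the tree rather than to cmd.exe matters in practice: the LOLBins here are all legitimate, and what makes the activity malicious is that one unsigned binary dropped from a Temp directory drives all of them within seconds.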

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 128.230.140.95.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Program Files\7-Zip\7-zip32.dll

MD5 e5f729728ef63949ee08cdb344e199a0
SHA1 39869fb44914a7aa172a48342d39dbdfbda4d65c
SHA256 ce89fdff60df750b5f78ae42df37b822cd79add907d2c2e604fd906bb5f85bd2
SHA512 5fe6ac63731b9ad38f2b23c3e9ec7a89f8624a24056cb251ce7e08d18687cdd23f17818892b4e1234121001689da2864a61fb239b1e40d0252554c3048f0d9a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

MD5 1681ffc6e046c7af98c9e6c232a3fe0a
SHA1 d3399b7262fb56cb9ed053d68db9291c410839c4
SHA256 9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA512 11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5