phobos | ac55175193c138897d08bd1ed3f4d4f420e02b98f086304c75a9d900cf5aafde

General

Target

2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
Size

58KB
MD5

dc1950a269859406fc05fd6be6024fdf
SHA1

09eb03dc78d40523fcf34bca236f1e6359b32980
SHA256

2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87
SHA512

e4be1afa8ee252b62dba7a847fcb39847545e0086a351565f8c3790cca723e4733954155177b8778ecec87df3e8992b70032cae620a509a509aaec78f392e3e1
SSDEEP

1536:oNeRBl5PT/rx1mzwRMSTdLpJITsZiZAqB9DjylN5Al:oQRrmzwR5JtgjOUl

Score

10^/10

phobos evasion persistence ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2912 bcdedit.exe
3404 bcdedit.exe
Renames multiple (62) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3396 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

5320 netsh.exe
5876 netsh.exe

pid	process
2912	bcdedit.exe
3404	bcdedit.exe

pid	process
3396	wbadmin.exe

pid	process
5320	netsh.exe
5876	netsh.exe

Drops startup file 1 IoCs

Processes:

2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87 = "C:\\Users\\Admin\\AppData\\Local\\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87 = "C:\\Users\\Admin\\AppData\\Local\\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\desktop.ini	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

Drops file in Program Files directory 64 IoCs

Processes:

2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Tasks.Extensions.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\Microsoft.VisualBasic.Forms.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.ServiceModel.Web.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\PresentationFramework.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\PresentationUI.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\PresentationCore.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.ReaderWriter.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\UIAutomationTypes.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\WindowsFormsIntegration.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nb-no.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Input.Manipulations.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\UIAutomationClientSideProviders.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ru\Microsoft.VisualBasic.Forms.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Primitives.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\ReachFramework.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\WindowsBase.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Forms.Design.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\WindowsBase.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\Microsoft.VisualBasic.Forms.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Controls.Ribbon.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Ping.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Formats.Asn1.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Windows.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\PresentationUI.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\WindowsBase.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\UIAutomationClientSideProviders.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-file-l2-1-0.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.VisualBasic.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\fr\System.Windows.Forms.Primitives.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\WindowsFormsIntegration.resources.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\System.Xaml.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\System.Windows.Forms.Primitives.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.Design.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\Microsoft.Win32.Registry.AccessControl.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.NETCore.App.runtimeconfig.json	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Windows.Controls.Ribbon.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\WindowsFormsIntegration.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\libEGL.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-heap-l1-1-0.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Xml.XmlDocument.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Forms.resources.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\System.Security.Cryptography.Pkcs.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.dll	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

5368 vssadmin.exe

pid	process
5368	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

pid	process
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exevssvc.exeWMIC.exewbengine.exe

description	pid	process
Token: SeDebugPrivilege	4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
Token: SeBackupPrivilege	5916	vssvc.exe
Token: SeRestorePrivilege	5916	vssvc.exe
Token: SeAuditPrivilege	5916	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: 36	1852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1852	WMIC.exe
Token: SeSecurityPrivilege	1852	WMIC.exe
Token: SeTakeOwnershipPrivilege	1852	WMIC.exe
Token: SeLoadDriverPrivilege	1852	WMIC.exe
Token: SeSystemProfilePrivilege	1852	WMIC.exe
Token: SeSystemtimePrivilege	1852	WMIC.exe
Token: SeProfSingleProcessPrivilege	1852	WMIC.exe
Token: SeIncBasePriorityPrivilege	1852	WMIC.exe
Token: SeCreatePagefilePrivilege	1852	WMIC.exe
Token: SeBackupPrivilege	1852	WMIC.exe
Token: SeRestorePrivilege	1852	WMIC.exe
Token: SeShutdownPrivilege	1852	WMIC.exe
Token: SeDebugPrivilege	1852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1852	WMIC.exe
Token: SeRemoteShutdownPrivilege	1852	WMIC.exe
Token: SeUndockPrivilege	1852	WMIC.exe
Token: SeManageVolumePrivilege	1852	WMIC.exe
Token: 33	1852	WMIC.exe
Token: 34	1852	WMIC.exe
Token: 35	1852	WMIC.exe
Token: 36	1852	WMIC.exe
Token: SeBackupPrivilege	5096	wbengine.exe
Token: SeRestorePrivilege	5096	wbengine.exe
Token: SeSecurityPrivilege	5096	wbengine.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.execmd.execmd.exe

description	pid	process	target process
PID 4620 wrote to memory of 3264	4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe	cmd.exe
PID 4620 wrote to memory of 3264	4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe	cmd.exe
PID 4620 wrote to memory of 5136	4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe	cmd.exe
PID 4620 wrote to memory of 5136	4620	2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe	cmd.exe
PID 3264 wrote to memory of 5320	3264	cmd.exe	netsh.exe
PID 3264 wrote to memory of 5320	3264	cmd.exe	netsh.exe
PID 5136 wrote to memory of 5368	5136	cmd.exe	vssadmin.exe
PID 5136 wrote to memory of 5368	5136	cmd.exe	vssadmin.exe
PID 3264 wrote to memory of 5876	3264	cmd.exe	netsh.exe
PID 3264 wrote to memory of 5876	3264	cmd.exe	netsh.exe
PID 5136 wrote to memory of 1852	5136	cmd.exe	WMIC.exe
PID 5136 wrote to memory of 1852	5136	cmd.exe	WMIC.exe
PID 5136 wrote to memory of 2912	5136	cmd.exe	bcdedit.exe
PID 5136 wrote to memory of 2912	5136	cmd.exe	bcdedit.exe
PID 5136 wrote to memory of 3404	5136	cmd.exe	bcdedit.exe
PID 5136 wrote to memory of 3404	5136	cmd.exe	bcdedit.exe
PID 5136 wrote to memory of 3396	5136	cmd.exe	wbadmin.exe
PID 5136 wrote to memory of 3396	5136	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
"C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe
"C:\Users\Admin\AppData\Local\Temp\2276fe3cc324c9e053eea9839874963a27f312dcf01b97d298e5d326a7c12b87.exe"
2⤵
PID:5280

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:5320

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:5876

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5136

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5368

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2912

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3404

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5916

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:2592

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

3

T1070

File Deletion

3

T1070.004

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[C80A1B75-3536].[vinsulan@tutamail.com].dzen
Filesize
3.2MB

MD5
f3600bbed2bc7dfd58bddc6f42067220

SHA1
eb9ab47f1ca1806c8d5415bc8401e7390e9c2af7

SHA256
f775e9ff604ace8a6c9ba9eacdb51658aa8badefd4f74367e631619e2bc12061

SHA512
39fb52dbb7dab43ec37bea2c0ad8aa25734b8d03bd1b8d4ddc3e1c64c451503a92cbdeec2d6f70d31586c5ed6c6b9644b05c1f1920f3eb36b8ef2f1324e0a68a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads