Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 14:19
Static task
static1
1 signatures
windows7-x64
19 signatures
150 seconds
windows10-2004-x64
21 signatures
150 seconds
General
-
Target
-
Size
56KB
-
MD5
ceb805e2e76cdedfc302a90689d29036
-
SHA1
a0fa891e036e932a7294042166564d56ec4310e4
-
SHA256
5e9902d0d003db7905864ca8a1cf4616d144f56c066156ff700a86d9fa77a09f
-
SHA512
2abffe6481017829e5a8702a1555eb8385dfc637fa97f8eda4473afb7bda29ea9f598fbe02db079cf1f97509991f8d467d667915c55f7617cabc1827833e4885
-
SSDEEP
1536:+NeRBl5PT/rx1mzwRMSTdLpJluznEFHWa0IQ:+QRrmzwR5JszEFHoIQ
Malware Config
Extracted
Path
C:\info.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>encrypted</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #EDEDED;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #D0D0E8;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #D0D0E8;
border-left: 10px solid #00008B;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FF0000;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<div>ATTENTION!</div>
<div>ALL YOUR DATA ARE PROTECTED WITH RSA ALGORITHM</div>
</div>
<div class='bold'>Your security system was vulnerable, so all of your files are encrypted.</div>
<div class='bold'>If you want to restore them, contact us by email: <span class='mark'>[email protected]</span></div>
<div class='bold'>in the header of the letter indicate your encrypted ID <span class='mark'>38106F05-2930</span></div>
<div class='bold'>If you do not receive a response within 24 hours, please contact us by Telegram.org account: <span class='mark'><a href='https://t.me/Resp0nse'>@Resp0nse</a></span></div>
<div class='note alert'>
<div class='title'>BE CAREFUL AND DO NOT DAMAGE YOUR DATA:</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Do not trust anyone! Only we have keys to your files! Without this keys restore your data is impossible</li>
</ul>
</div>
<div class='note info'>
<div class='title'>WE GUARANTEE A FREE DECODE AS A PROOF OF OUR POSSIBILITIES:</div>
<ul>You can send us 2 files for free decryption. Size of file must be less than 1 Mb (non archived). We don`t decrypt for test DATABASE, XLS and other important files.</ul>
</div>
<div class='note info'>
<div class='title'>DO NOT ATTEMPT TO DECODE YOUR DATA YOURSELF, YOU ONLY DAMAGE THEM AND THEN YOU LOSE THEM FOREVER.</div>
<div class='title'>AFTER DECRYPTION YOUR SYSTEM WILL RETURN TO A FULLY NORMALLY AND OPERATIONAL CONDITION!</div>
</div>
</body>
</html>
Emails
class='mark'>[email protected]</span></div>
URLs
http://www.w3.org/TR/html4/strict.dtd'>
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 2480 bcdedit.exe 2420 bcdedit.exe 2496 bcdedit.exe 2672 bcdedit.exe -
Renames multiple (310) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 1860 wbadmin.exe 2124 wbadmin.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2796 netsh.exe 3020 netsh.exe -
Drops startup file 3 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[email protected] [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini [email protected] File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[38106F05-2930].[[email protected]].eking [email protected] -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[email protected] = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" [email protected] Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\[email protected] = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" [email protected] -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGZQH3SP\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini [email protected] File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini [email protected] File opened for modification C:\Users\Public\Desktop\desktop.ini [email protected] File opened for modification C:\Users\Public\Libraries\desktop.ini [email protected] File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini [email protected] File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini [email protected] File opened for modification C:\Program Files\desktop.ini [email protected] File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini [email protected] File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini [email protected] File opened for modification C:\Users\Admin\Desktop\desktop.ini [email protected] File opened for modification C:\Users\Admin\Favorites\desktop.ini [email protected] File opened for modification C:\Users\Admin\Videos\desktop.ini [email protected] File opened for modification C:\Users\Public\Pictures\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PY5FLSJ8\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini [email protected] File opened for modification C:\Users\Admin\Music\desktop.ini [email protected] File opened for modification C:\Users\Admin\Searches\desktop.ini [email protected] File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini [email protected] File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini [email protected] File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini [email protected] File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini [email protected] File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini [email protected] File opened for modification C:\Users\Public\Documents\desktop.ini [email protected] File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini [email protected] File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J3XTYXPF\desktop.ini [email protected] File opened for modification C:\Users\Admin\Documents\desktop.ini [email protected] File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini [email protected] File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini [email protected] File opened for modification C:\Users\Public\Music\desktop.ini [email protected] File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini [email protected] File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini [email protected] File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3J2LRC5A\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYTS71XD\desktop.ini [email protected] File opened for modification C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini [email protected] File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini [email protected] File opened for modification C:\Users\Admin\Links\desktop.ini [email protected] File opened for modification C:\Users\Admin\Pictures\desktop.ini [email protected] File opened for modification C:\Users\Public\Recorded TV\desktop.ini [email protected] File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini [email protected] File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini [email protected] File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\108YEMNS\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini [email protected] File opened for modification C:\Users\Admin\Saved Games\desktop.ini [email protected] File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini [email protected] File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini [email protected] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini [email protected] -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png [email protected] File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04206_.WMF [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Composite.thmx [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.XML.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu [email protected] File created C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153299.WMF [email protected] File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css [email protected] File opened for modification C:\Program Files\7-Zip\Uninstall.exe [email protected] File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files\Java\jre7\lib\security\blacklist [email protected] File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01080_.WMF [email protected] File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties [email protected] File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Sofia [email protected] File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml [email protected] File created C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePage.gif.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts.css.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\PREVIEW.GIF.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02413_.WMF.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195384.WMF [email protected] File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXT [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js [email protected] File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736G.GIF.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.REST.IDX_DLL.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXC.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png [email protected] File created C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\PREVIEW.GIF.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1STAR.DLL.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099146.WMF [email protected] File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\settings.js [email protected] File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css [email protected] File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui [email protected] File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar [email protected] File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_preferencestyle.css.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099149.WMF [email protected] File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar [email protected] File created C:\Program Files (x86)\desktop.ini.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00414_.WMF.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01074_.WMF.id[38106F05-2930].[[email protected]].eking [email protected] File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru [email protected] File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01171_.WMF.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SBCGLOBAL.NET.XML.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PULLQUOTEBB.DPV [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.ICO.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp [email protected] File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF.id[38106F05-2930].[[email protected]].eking [email protected] File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html [email protected] -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2580 vssadmin.exe 2028 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2860 [email protected] Token: SeBackupPrivilege 2356 vssvc.exe Token: SeRestorePrivilege 2356 vssvc.exe Token: SeAuditPrivilege 2356 vssvc.exe Token: SeIncreaseQuotaPrivilege 2096 WMIC.exe Token: SeSecurityPrivilege 2096 WMIC.exe Token: SeTakeOwnershipPrivilege 2096 WMIC.exe Token: SeLoadDriverPrivilege 2096 WMIC.exe Token: SeSystemProfilePrivilege 2096 WMIC.exe Token: SeSystemtimePrivilege 2096 WMIC.exe Token: SeProfSingleProcessPrivilege 2096 WMIC.exe Token: SeIncBasePriorityPrivilege 2096 WMIC.exe Token: SeCreatePagefilePrivilege 2096 WMIC.exe Token: SeBackupPrivilege 2096 WMIC.exe Token: SeRestorePrivilege 2096 WMIC.exe Token: SeShutdownPrivilege 2096 WMIC.exe Token: SeDebugPrivilege 2096 WMIC.exe Token: SeSystemEnvironmentPrivilege 2096 WMIC.exe Token: SeRemoteShutdownPrivilege 2096 WMIC.exe Token: SeUndockPrivilege 2096 WMIC.exe Token: SeManageVolumePrivilege 2096 WMIC.exe Token: 33 2096 WMIC.exe Token: 34 2096 WMIC.exe Token: 35 2096 WMIC.exe Token: SeIncreaseQuotaPrivilege 2096 WMIC.exe Token: SeSecurityPrivilege 2096 WMIC.exe Token: SeTakeOwnershipPrivilege 2096 WMIC.exe Token: SeLoadDriverPrivilege 2096 WMIC.exe Token: SeSystemProfilePrivilege 2096 WMIC.exe Token: SeSystemtimePrivilege 2096 WMIC.exe Token: SeProfSingleProcessPrivilege 2096 WMIC.exe Token: SeIncBasePriorityPrivilege 2096 WMIC.exe Token: SeCreatePagefilePrivilege 2096 WMIC.exe Token: SeBackupPrivilege 2096 WMIC.exe Token: SeRestorePrivilege 2096 WMIC.exe Token: SeShutdownPrivilege 2096 WMIC.exe Token: SeDebugPrivilege 2096 WMIC.exe Token: SeSystemEnvironmentPrivilege 2096 WMIC.exe Token: SeRemoteShutdownPrivilege 2096 WMIC.exe Token: SeUndockPrivilege 2096 WMIC.exe Token: SeManageVolumePrivilege 2096 WMIC.exe Token: 33 2096 WMIC.exe Token: 34 2096 WMIC.exe Token: 35 2096 WMIC.exe Token: SeBackupPrivilege 2844 wbengine.exe Token: SeRestorePrivilege 2844 wbengine.exe Token: SeSecurityPrivilege 2844 wbengine.exe Token: SeIncreaseQuotaPrivilege 1628 WMIC.exe Token: SeSecurityPrivilege 1628 WMIC.exe Token: SeTakeOwnershipPrivilege 1628 WMIC.exe Token: SeLoadDriverPrivilege 1628 WMIC.exe Token: SeSystemProfilePrivilege 1628 WMIC.exe Token: SeSystemtimePrivilege 1628 WMIC.exe Token: SeProfSingleProcessPrivilege 1628 WMIC.exe Token: SeIncBasePriorityPrivilege 1628 WMIC.exe Token: SeCreatePagefilePrivilege 1628 WMIC.exe Token: SeBackupPrivilege 1628 WMIC.exe Token: SeRestorePrivilege 1628 WMIC.exe Token: SeShutdownPrivilege 1628 WMIC.exe Token: SeDebugPrivilege 1628 WMIC.exe Token: SeSystemEnvironmentPrivilege 1628 WMIC.exe Token: SeRemoteShutdownPrivilege 1628 WMIC.exe Token: SeUndockPrivilege 1628 WMIC.exe Token: SeManageVolumePrivilege 1628 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2860 wrote to memory of 1688 2860 [email protected] 29 PID 2860 wrote to memory of 1688 2860 [email protected] 29 PID 2860 wrote to memory of 1688 2860 [email protected] 29 PID 2860 wrote to memory of 1688 2860 [email protected] 29 PID 2860 wrote to memory of 2068 2860 [email protected] 30 PID 2860 wrote to memory of 2068 2860 [email protected] 30 PID 2860 wrote to memory of 2068 2860 [email protected] 30 PID 2860 wrote to memory of 2068 2860 [email protected] 30 PID 2068 wrote to memory of 2796 2068 cmd.exe 33 PID 2068 wrote to memory of 2796 2068 cmd.exe 33 PID 2068 wrote to memory of 2796 2068 cmd.exe 33 PID 1688 wrote to memory of 2580 1688 cmd.exe 34 PID 1688 wrote to memory of 2580 1688 cmd.exe 34 PID 1688 wrote to memory of 2580 1688 cmd.exe 34 PID 2068 wrote to memory of 3020 2068 cmd.exe 37 PID 2068 wrote to memory of 3020 2068 cmd.exe 37 PID 2068 wrote to memory of 3020 2068 cmd.exe 37 PID 1688 wrote to memory of 2096 1688 cmd.exe 38 PID 1688 wrote to memory of 2096 1688 cmd.exe 38 PID 1688 wrote to memory of 2096 1688 cmd.exe 38 PID 1688 wrote to memory of 2480 1688 cmd.exe 40 PID 1688 wrote to memory of 2480 1688 cmd.exe 40 PID 1688 wrote to memory of 2480 1688 cmd.exe 40 PID 1688 wrote to memory of 2420 1688 cmd.exe 41 PID 1688 wrote to memory of 2420 1688 cmd.exe 41 PID 1688 wrote to memory of 2420 1688 cmd.exe 41 PID 1688 wrote to memory of 1860 1688 cmd.exe 42 PID 1688 wrote to memory of 1860 1688 cmd.exe 42 PID 1688 wrote to memory of 1860 1688 cmd.exe 42 PID 2860 wrote to memory of 2592 2860 [email protected] 47 PID 2860 wrote to memory of 2592 2860 [email protected] 47 PID 2860 wrote to memory of 2592 2860 [email protected] 47 PID 2860 wrote to memory of 2592 2860 [email protected] 47 PID 2860 wrote to memory of 2784 2860 [email protected] 48 PID 2860 wrote to memory of 2784 2860 [email protected] 48 PID 2860 wrote to memory of 2784 2860 [email protected] 48 PID 2860 wrote to memory of 2784 2860 [email protected] 48 PID 2860 wrote to memory of 2600 2860 [email protected] 49 PID 2860 wrote to memory of 2600 2860 [email protected] 49 PID 2860 wrote to memory of 2600 2860 [email protected] 49 PID 2860 wrote to memory of 2600 2860 [email protected] 49 PID 2860 wrote to memory of 2876 2860 [email protected] 50 PID 2860 wrote to memory of 2876 2860 [email protected] 50 PID 2860 wrote to memory of 2876 2860 [email protected] 50 PID 2860 wrote to memory of 2876 2860 [email protected] 50 PID 2860 wrote to memory of 1804 2860 [email protected] 51 PID 2860 wrote to memory of 1804 2860 [email protected] 51 PID 2860 wrote to memory of 1804 2860 [email protected] 51 PID 2860 wrote to memory of 1804 2860 [email protected] 51 PID 1804 wrote to memory of 2028 1804 cmd.exe 53 PID 1804 wrote to memory of 2028 1804 cmd.exe 53 PID 1804 wrote to memory of 2028 1804 cmd.exe 53 PID 1804 wrote to memory of 1628 1804 cmd.exe 54 PID 1804 wrote to memory of 1628 1804 cmd.exe 54 PID 1804 wrote to memory of 1628 1804 cmd.exe 54 PID 1804 wrote to memory of 2496 1804 cmd.exe 56 PID 1804 wrote to memory of 2496 1804 cmd.exe 56 PID 1804 wrote to memory of 2496 1804 cmd.exe 56 PID 1804 wrote to memory of 2672 1804 cmd.exe 57 PID 1804 wrote to memory of 2672 1804 cmd.exe 57 PID 1804 wrote to memory of 2672 1804 cmd.exe 57 PID 1804 wrote to memory of 2124 1804 cmd.exe 58 PID 1804 wrote to memory of 2124 1804 cmd.exe 58 PID 1804 wrote to memory of 2124 1804 cmd.exe 58 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\[email protected]"C:\Users\Admin\AppData\Local\Temp\[email protected]"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\[email protected]PID:1800
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2580
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2480
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:2420
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:1860
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
PID:2796
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
PID:3020
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2592
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2784
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2600
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"2⤵
- Modifies Internet Explorer settings
PID:2876
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2028
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2496
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:2672
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2124
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2044
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:780
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5cb75a040dea84fbffa99dfe443c3dd62
SHA10d9ea17afd02907dfe2df1dadd269affceaf6d25
SHA256d93216141250aec19eecf054849d347740e4d9e7c4810a7757fa4a25af03f615
SHA512915227360240f669a26f187e752034e8a9a04ef758341b0de80612234cd92b2de8027da6b64c0f4bb97a052a5878fd23165ab82ffd93a9d454e4a391dac4cb12