Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-07-2024 06:16
Static task: static1
Behavioral task: behavioral1
- Sample: Fast.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Fast.exe
- Resource: win10v2004-20240508-en
General
- Target: Fast.exe
- Size: 66KB
- MD5: 87d6d2488b1260e70f4042bf1f292529
- SHA1: 161f9a79f8197c9b5de1beb7bd4d425d5c23b45b
- SHA256: 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f
- SHA512: a9d3930de1ff5849e61d1807c6de4b063790dc03f7e4f3f2101cbddde55002ffcc85d2ff433b753a5936403feedbc93c0f3658ffb5e8051d00ba58641e6afda7
- SSDEEP: 1536:/NeRBl5PT/rx1mzwRMSTdLpJy/jIlkugRGVy/SR1qo+tEgfNni:/QRrmzwR5JysFV12i
Malware Config
Extracted
C:\info.hta
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes (pid, process):
- 2424 bcdedit.exe
- 2848 bcdedit.exe
- 2816 bcdedit.exe
- 1824 bcdedit.exe
-
Renames multiple (322) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes backup catalog
Processes (pid, process):
- 1680 wbadmin.exe
- 2820 wbadmin.exe
-
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes (pid, process):
- 2652 netsh.exe
- 304 netsh.exe
-
Drops startup file 3 IoCs
Processes (description, ioc, process):
- File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\Fast.exe (Fast.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Fast.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[2BF70C13-3483].[[email protected]].8base (Fast.exe)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fast = "C:\\Users\\Admin\\AppData\\Local\\Fast.exe" (Fast.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fast = "C:\\Users\\Admin\\AppData\\Local\\Fast.exe" (Fast.exe)
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 2636 vssadmin.exe
- 880 vssadmin.exe
-
Modifies Internet Explorer settings
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (bracketed number is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\Fast.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Fast.exe"
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Fast.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Fast.exe"
  [2] C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\netsh.exe
        command line: netsh advfirewall set currentprofile state off
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe
        command line: netsh firewall set opmode mode=disable
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
  [2] C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
    [3] C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
    [3] C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
  [2] C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
      - Modifies Internet Explorer settings
  [2] C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
      - Modifies Internet Explorer settings
  [2] C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
      - Modifies Internet Explorer settings
  [2] C:\Windows\SysWOW64\mshta.exe
      command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
      - Modifies Internet Explorer settings
  [2] C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    [3] C:\Windows\System32\Wbem\WMIC.exe
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
    [3] C:\Windows\system32\bcdedit.exe
        command line: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
    [3] C:\Windows\system32\wbadmin.exe
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbengine.exe
    command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vdsldr.exe
    command line: C:\Windows\System32\vdsldr.exe -Embedding
[1] C:\Windows\System32\vds.exe
    command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
- C:\info.hta
  - Filesize: 9KB
  - MD5: b733d89c78482f099591e8eb335d2b85
  - SHA1: eae5b4c0893030aa2839e80f401d076cdec90e9e
  - SHA256: 692323b4843e44d37d290e5f384a974efd15bb48924038ee9e4f8522b9682314
  - SHA512: 4ac518fb4519609febb506a1b36b86be58857010a29348a31be22450aa6aecc1e3f4a03dd464cf5261ab479fd14d625361e2e8d75d68e9cde5637ed7715c8e98