phobos | bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174

Analysis

max time kernel
37s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

新建文件夹/fast.exe
Size

56KB
MD5

9ad577d23f402be16acb2bdd9619aaf2
SHA1

054e7451b8394d33bd59201653801fe1313a4841
SHA256

0d990218e7ca3beff50d56a7cd3c6325c32e98413554e1b5614f101923706032
SHA512

b1be8815efdf59bc5fc2d0602cc01ce123edaea5b803c1733a33fdaf95b1172bb39f8cb762eb07c6d943b3e12789a053feb9c14a50ec8eb82fa491a55a7658ce
SSDEEP

1536:CNeRBl5PT/rx1mzwRMSTdLpJCMBrzQM5+N:CQRrmzwR5JVUN

Score

10^/10

phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
4136	bcdedit.exe
296	bcdedit.exe

Renames multiple (67) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
3672	wbadmin.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
2940	netsh.exe
4708	netsh.exe

Drops startup file 1 IoCs

Processes:

fast.exe

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe	fast.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fast.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe"	fast.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe"	fast.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

fast.exe

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	fast.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini	fast.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini	fast.exe

Drops file in Program Files directory 64 IoCs

Processes:

fast.exe

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll	fast.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll	fast.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll	fast.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	fast.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json	fast.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll	fast.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll	fast.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll	fast.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll	fast.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.id[DD639E96-3327].[[email protected]].Devos	fast.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
1744	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fast.exe

pid	Process
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe
4076	fast.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

fast.exevssvc.exeWMIC.exewbengine.exe

description	pid	Process
Token: SeDebugPrivilege	4076	fast.exe
Token: SeBackupPrivilege	1156	vssvc.exe
Token: SeRestorePrivilege	1156	vssvc.exe
Token: SeAuditPrivilege	1156	vssvc.exe
Token: SeIncreaseQuotaPrivilege	452	WMIC.exe
Token: SeSecurityPrivilege	452	WMIC.exe
Token: SeTakeOwnershipPrivilege	452	WMIC.exe
Token: SeLoadDriverPrivilege	452	WMIC.exe
Token: SeSystemProfilePrivilege	452	WMIC.exe
Token: SeSystemtimePrivilege	452	WMIC.exe
Token: SeProfSingleProcessPrivilege	452	WMIC.exe
Token: SeIncBasePriorityPrivilege	452	WMIC.exe
Token: SeCreatePagefilePrivilege	452	WMIC.exe
Token: SeBackupPrivilege	452	WMIC.exe
Token: SeRestorePrivilege	452	WMIC.exe
Token: SeShutdownPrivilege	452	WMIC.exe
Token: SeDebugPrivilege	452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	452	WMIC.exe
Token: SeRemoteShutdownPrivilege	452	WMIC.exe
Token: SeUndockPrivilege	452	WMIC.exe
Token: SeManageVolumePrivilege	452	WMIC.exe
Token: 33	452	WMIC.exe
Token: 34	452	WMIC.exe
Token: 35	452	WMIC.exe
Token: 36	452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	452	WMIC.exe
Token: SeSecurityPrivilege	452	WMIC.exe
Token: SeTakeOwnershipPrivilege	452	WMIC.exe
Token: SeLoadDriverPrivilege	452	WMIC.exe
Token: SeSystemProfilePrivilege	452	WMIC.exe
Token: SeSystemtimePrivilege	452	WMIC.exe
Token: SeProfSingleProcessPrivilege	452	WMIC.exe
Token: SeIncBasePriorityPrivilege	452	WMIC.exe
Token: SeCreatePagefilePrivilege	452	WMIC.exe
Token: SeBackupPrivilege	452	WMIC.exe
Token: SeRestorePrivilege	452	WMIC.exe
Token: SeShutdownPrivilege	452	WMIC.exe
Token: SeDebugPrivilege	452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	452	WMIC.exe
Token: SeRemoteShutdownPrivilege	452	WMIC.exe
Token: SeUndockPrivilege	452	WMIC.exe
Token: SeManageVolumePrivilege	452	WMIC.exe
Token: 33	452	WMIC.exe
Token: 34	452	WMIC.exe
Token: 35	452	WMIC.exe
Token: 36	452	WMIC.exe
Token: SeBackupPrivilege	2244	wbengine.exe
Token: SeRestorePrivilege	2244	wbengine.exe
Token: SeSecurityPrivilege	2244	wbengine.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fast.execmd.execmd.exe

description	pid	Process	procid_target
PID 4076 wrote to memory of 2808	4076	fast.exe	88
PID 4076 wrote to memory of 2808	4076	fast.exe	88
PID 4076 wrote to memory of 1420	4076	fast.exe	87
PID 4076 wrote to memory of 1420	4076	fast.exe	87
PID 2808 wrote to memory of 2940	2808	cmd.exe	91
PID 2808 wrote to memory of 2940	2808	cmd.exe	91
PID 1420 wrote to memory of 1744	1420	cmd.exe	92
PID 1420 wrote to memory of 1744	1420	cmd.exe	92
PID 2808 wrote to memory of 4708	2808	cmd.exe	95
PID 2808 wrote to memory of 4708	2808	cmd.exe	95
PID 1420 wrote to memory of 452	1420	cmd.exe	96
PID 1420 wrote to memory of 452	1420	cmd.exe	96
PID 1420 wrote to memory of 4136	1420	cmd.exe	98
PID 1420 wrote to memory of 4136	1420	cmd.exe	98
PID 1420 wrote to memory of 296	1420	cmd.exe	99
PID 1420 wrote to memory of 296	1420	cmd.exe	99
PID 1420 wrote to memory of 3672	1420	cmd.exe	100
PID 1420 wrote to memory of 3672	1420	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe
"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe
  "C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"
  2⤵
  PID:3192
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4136
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:296
- - C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:3672
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2940
- - C:\Windows\system32\netsh.exe
    netsh firewall set opmode mode=disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2380

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[DD639E96-3327].[[email protected]].Devos

Filesize
3.2MB

MD5
e1aa03d50a5564320d5d88646f45b197

SHA1
ec8a091b935ff04b7a2dd82a7e7d13f2bdd85dc2

SHA256
5a9b38fced1ac8e488c39795bcea1f4be6d930cfd5b951edcf84e0dd5dc3934b

SHA512
e688f6cd682426e8083b075156f1682b31bfa0e97eaac1e2c7b894fd69a67ed2d0f122399ce9898b687242d2e10c3561e1ccefb92aa8ee00498b018c211efd72

Download Submit