Malware Analysis Report

2024-09-11 01:02

Sample ID 240706-bg32ls1dnn
Target 17b368698ffc4be537f89bd9369f6f59.bin
SHA256 bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174
Tags
neshta phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bc2d9e8fed9f7a2daa82fff0429e67b40a50a43f3f1014240ddf4930b7e8c174

Threat Level: Known bad

The file 17b368698ffc4be537f89bd9369f6f59.bin was found to be: Known bad.

Malicious Activity Summary

neshta phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer

Neshta family

Neshta

Phobos

Detect Neshta payload

Renames multiple (67) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (276) files with added filename extension

Deletes shadow copies

Modifies Windows Firewall

Deletes backup catalog

Drops startup file

Modifies system executable filetype association

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Uses Task Scheduler COM API

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-06 01:07

Signatures

Detect Neshta payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Neshta family

neshta

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:12

Platform

win7-20240705-en

Max time kernel

109s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (276) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jre7\bin\kcms.dll.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Indian\Reunion.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03014_.GIF.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationProvider.resources.dll | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Printing.dll | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\resources.pak.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21339_.GIF.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\13.png | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185780.WMF.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Teal.css.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\notification_plugin.jar.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00090_.WMF.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange.css.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\msdatl3.dll | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14755_.GIF.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14867_.GIF.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\DumontDUrville | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_over.png | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FSTOCK.DLL.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME15.CSS.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_all.gif.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Paramaribo.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\MST7MDT | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\hxdsui.dll | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WHIRL2.WMF.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21307_.GIF | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Teal.css | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBOXES.XML.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmad_plugin.dll.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SaveAsRTF.api | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceqp35.dll.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP.id[FC68F4FF-3327].[[email protected]].Devos | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A (64 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3020 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe | C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2012 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2012 wrote to memory of 2524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 3056 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3056 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3056 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3056 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3056 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3056 wrote to memory of 1608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 2012 wrote to memory of 2272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2012 wrote to memory of 2272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2012 wrote to memory of 2272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\Wbem\WMIC.exe
PID 2012 wrote to memory of 2108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2012 wrote to memory of 2108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2012 wrote to memory of 2108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2012 wrote to memory of 2204 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2012 wrote to memory of 2204 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2012 wrote to memory of 2204 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bcdedit.exe
PID 2012 wrote to memory of 328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2012 wrote to memory of 328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe
PID 2012 wrote to memory of 328 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id[FC68F4FF-3327].[[email protected]].Devos

MD5 377020180c76656b017b8a85c6491182
SHA1 b1dbe33adb11fbc1ab9fea2dce912daefe9b13b2
SHA256 19859f057f3fe133af11b858d485d4b3c36b03608861ef8baa9d9be11b22cd26
SHA512 e5ce1a6d537c6111f3790e04227f5aa0aae93c1782c306fed064cb0b0f31ef7ab1c0982b283c4773d0d2ce08ca4a7409af92ef55d5707ab42d1f4a0bbf74daeb

C:\info.hta

MD5 c9f1281cdc8689ea56f5589e3649c36c
SHA1 4822c6e00274320d5932acb4098fab43a944820e
SHA256 607ac408a22892245db5e77ff5e9c860207922ece047a3dd5951a0bed88d1878
SHA512 4b21935a2f08b2993d47c749fec06a4716e7172e8523338854abe5bc8d5372be2f3d71a6b33d311a0b23775514de55a6f22c6e04ed2e0b62141859513a51e65d

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:12

Platform

win10v2004-20240704-en

Max time kernel

37s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

Signatures

Phobos

ransomware phobos

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (67) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe" C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Controls.Ribbon.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationTypes.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Forms.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationClientSideProviders.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Xaml.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Primitives.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\7-Zip\Lang\kaa.txt.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\ReachFramework.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.HttpListener.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationTypes.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mn.txt C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Json.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsBase.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Forms.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\7-Zip\Lang\ka.txt.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Xaml.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.Primitives.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Intrinsics.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Writer.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Forms.resources.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Design.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Pipes.AccessControl.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorrc.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Uri.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Process.dll.id[DD639E96-3327].[[email protected]].Devos C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
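
Every "File created" row in this table follows the Phobos naming scheme: the original name, then .id[<8-hex victim id>-<4-hex suffix>], then the operator contact in square brackets (rendered as [email protected] on this page, the address is redacted), then the .Devos extension; the matching "File opened for modification" row, where the excerpt contains it, is the original being encrypted. The parser below is an added example written for this report, not code from the sandbox or the malware author. It takes rows in the form printed above (a constructed sample copied from the behavioral1 and behavioral2 file tables), extracts victim id, suffix and extension from each encrypted name, counts them, and pairs each encrypted file with the "opened" row of its original if present. The field names (victim, suffix, contact) are my labels, not Phobos terminology.

```python
import re
from collections import Counter

# Phobos renames every file it encrypts to
#   <original name>.id[<8 hex victim id>-<4 hex suffix>].[<contact>].<extension>
# The contact field on this page is rendered as "[email protected]" (redacted),
# so the pattern treats that field as an opaque string ending at "].<ext>".
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim>[0-9A-Fa-f]{8})-(?P<suffix>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)
FILE_ROW = re.compile(r"^File (created|opened for modification) (.+)$")

# Constructed sample rows copied from the file tables of behavioral1 and
# behavioral2. The page shows only an excerpt, so most encrypted files here
# have no matching "opened for modification" row.
SAMPLE_ROWS = [
    r"File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll",
    r"File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationClientSideProviders.resources.dll.id[DD639E96-3327].[[email protected]].Devos",
    r"File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.id[DD639E96-3327].[[email protected]].Devos",
    r"File created C:\Program Files\7-Zip\Lang\be.txt.id[DD639E96-3327].[[email protected]].Devos",
    r"File opened for modification C:\Program Files\7-Zip\Lang\mn.txt",
    r"File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml",
    # behavioral1 ran under a different victim id (see its Files entry above)
    r"File created C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id[FC68F4FF-3327].[[email protected]].Devos",
]


def parse_phobos_name(path):
    """Return the components of a Phobos-renamed path, or None if it is not one."""
    m = PHOBOS_NAME.match(path)
    return m.groupdict() if m else None


def summarize(rows):
    """Count encrypted files per victim id / extension and pair each encrypted
    file with the 'opened for modification' row of its original, if present."""
    opened, created = set(), {}
    for row in rows:
        m = FILE_ROW.match(row)
        if not m:
            continue
        action, path = m.groups()
        if action == "created":
            info = parse_phobos_name(path)
            if info:
                created[path] = info
        else:
            opened.add(path)
    matched = [p for p, info in created.items() if info["original"] in opened]
    return {
        "encrypted": len(created),
        "victims": dict(Counter(info["victim"] for info in created.values())),
        "extensions": dict(Counter(info["ext"] for info in created.values())),
        "matched_originals": matched,
        "unpaired": [p for p in created if p not in matched],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
```

On a full event log the "encrypted" count reproduces the sandbox's "Renames multiple (N) files" figure, and a victim id that differs between detonations of the same binary (FC68F4FF here versus DD639E96) shows the id is derived per machine rather than embedded in the sample.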

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Note: all six rows are reads of HKLM\SOFTWARE\Microsoft\NetSh by netsh.exe itself, which netsh performs at every start to locate its helper DLLs; they are a side effect of the two netsh firewall commands run from cmd.exe, not a helper-DLL registration. A genuine T1546.007 event would appear as a Set value under that key, normally by a process other than netsh.exe.

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
(the row above appears 64 times in the original report, i.e. 64 process-list enumerations attributed to fast.exe; the duplicates are collapsed here)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 4076 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 4076 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 4076 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2808 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1420 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1420 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2808 wrote to memory of 4708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2808 wrote to memory of 4708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1420 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1420 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1420 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1420 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1420 wrote to memory of 296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1420 wrote to memory of 296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1420 wrote to memory of 3672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1420 wrote to memory of 3672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

The same writer/target pairs grouped by writer PID (each spawn appears twice in the table; the writes are the parent setting up the child at creation):
4076  C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe
  2808  C:\Windows\system32\cmd.exe
    2940  C:\Windows\system32\netsh.exe
    4708  C:\Windows\system32\netsh.exe
  1420  C:\Windows\system32\cmd.exe
    1744  C:\Windows\system32\vssadmin.exe
    452   C:\Windows\System32\Wbem\WMIC.exe
    4136  C:\Windows\system32\bcdedit.exe
    296   C:\Windows\system32\bcdedit.exe
    3672  C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe
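
Taken together, the command lines in this listing and in the behavioral1 listing above are the standard Phobos recovery-inhibition sequence (T1490: vssadmin, wmic shadowcopy, the two bcdedit settings, wbadmin) plus firewall disablement (T1562.004) and, in behavioral1, mshta displaying the ransom note (T1218.005). The detector below is an added example, not part of this report or of any vendor's product: it runs regex rules for exactly those command lines over process-creation events, attributes every hit to the root of its process tree, and classifies a root with three or more distinct T1490 behaviours as a ransomware precursor. The event tuples are constructed from this report (PIDs and parent links from the WriteProcessMemory rows; which of the two netsh command lines ran under which PID is not recorded, so that assignment is arbitrary; the mshta event from behavioral1 has no recorded parent), plus one benign vssadmin list control. The threshold of three is a tuning choice of mine.

```python
import re
from collections import defaultdict

# Constructed sample: process-creation events modelled on the command lines in
# the behavioral1 and behavioral2 process listings of this report.
# (pid, ppid, image, command line). ppid 0 = no recorded parent.
SAMPLE_EVENTS = [
    (4076, 0,    r"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\新建文件夹\fast.exe"'),
    (2808, 4076, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (1420, 4076, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    # which netsh line ran under which PID is not in the report; assigned arbitrarily
    (2940, 2808, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    (4708, 2808, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    (1744, 1420, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (452,  1420, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (4136, 1420, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (296,  1420, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (3672, 1420, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    # from behavioral1 (parent not recorded there); PID 6000 is made up
    (6000, 0,    r"C:\Windows\SysWOW64\mshta.exe", r'"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"'),
    # benign control: an admin shell listing shadow copies must not fire
    (5000, 0,    r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (5001, 5000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# (ATT&CK label, pattern over the command line). The T1490 rules match the exact
# recovery-inhibition commands the sandbox recorded; the rest are the firewall
# and mshta lines from the same listings.
RULES = [
    ("T1490 shadow copies deleted",       re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490 shadow copies deleted",       re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490 recovery environment off",    re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490 boot failures ignored",       re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490 backup catalog deleted",      re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1562.004 firewall disabled",       re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("T1562.004 firewall disabled",       re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable\b", re.I)),
    ("T1218.005 mshta launching an .hta", re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I)),
]


def root_of(pid, parent):
    """Walk parent links up to the top-most process we hold an event for."""
    seen = set()
    while parent.get(pid) in parent and pid not in seen:
        seen.add(pid)
        pid = parent[pid]
    return pid


def triage(events, threshold=3):
    """Group rule hits by process-tree root; a root with >= threshold distinct
    T1490 behaviours is classified as a ransomware precursor."""
    parent = {pid: ppid for pid, ppid, _, _ in events}
    image = {pid: img for pid, _, img, _ in events}
    hits = defaultdict(list)
    for pid, _, _, cmd in events:
        for label, rx in RULES:
            if rx.search(cmd):
                hits[root_of(pid, parent)].append((label, pid, cmd))
    findings = {}
    for root, items in hits.items():
        t1490 = sorted({label for label, _, _ in items if label.startswith("T1490")})
        findings[root] = {
            "image": image[root],
            "hits": items,
            "distinct_t1490": t1490,
            "verdict": "ransomware-precursor" if len(t1490) >= threshold else "suspicious",
        }
    return findings


if __name__ == "__main__":
    for root, f in triage(SAMPLE_EVENTS).items():
        print(f"root {root} {f['image']}: {f['verdict']}")
        for label, pid, cmd in f["hits"]:
            print(f"    [{label}] pid {pid}: {cmd}")
```

Attributing hits to the tree root rather than to the immediate parent matters here: each dangerous command is launched by a throw-away cmd.exe, so per-process scoring would see one hit per cmd.exe and never reach the threshold, while the root (fast.exe) accumulates all of them.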

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Note: the report does not attribute these flows to a process. The g.bing.com resolution and TLS connection and the in-addr.arpa queries to 8.8.8.8 are consistent with Windows background traffic and the sandbox's reverse resolution of the addresses it observed; no sample-originated command-and-control traffic is recorded, which is consistent with Phobos, whose encryption does not depend on contacting an operator.

Files

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[DD639E96-3327].[[email protected]].Devos

MD5 e1aa03d50a5564320d5d88646f45b197
SHA1 ec8a091b935ff04b7a2dd82a7e7d13f2bdd85dc2
SHA256 5a9b38fced1ac8e488c39795bcea1f4be6d930cfd5b951edcf84e0dd5dc3934b
SHA512 e688f6cd682426e8083b075156f1682b31bfa0e97eaac1e2c7b894fd69a67ed2d0f122399ce9898b687242d2e10c3561e1ccefb92aa8ee00498b018c211efd72

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:11

Platform

win7-20240704-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

(This is a file named svchost.exe inside the submitted folder, not the system service host at C:\Windows\System32\svchost.exe; the Neshta signatures below are raised on it.)

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
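
This value, together with the Run keys and Startup-folder drop recorded for fast.exe in behavioral2, is the persistence surface of the two families: Phobos re-launches itself from both Run hives and the Startup folder, and Neshta routes every .exe launch through C:\Windows\svchost.com by rewriting the exefile open command (the clean default is "%1" %*). The audit below is an added example for this report, not the sandbox's own detection logic. It parses registry and file event lines in the form printed in these tables (a constructed sample copied from behavioral2 and behavioral3, plus Windows' own SecurityHealth Run value as a benign control), flags Run entries that point into user-writable locations, any non-default exefile handler, Startup-folder drops, and writes under HKLM\SOFTWARE\Microsoft\NetSh; reads of that key, which are the only NetSh activity in this report, are deliberately ignored because netsh.exe performs them on every start. The user-writable path list is a heuristic of mine, and CONTROL_EVENTS is a hypothetical line that does not occur in the report.

```python
import re

# Constructed sample lines copied from the behavioral2 "Adds Run key", "Drops
# startup file" and "Netsh Helper DLL" tables and the behavioral3 "Modifies
# system executable filetype association" table, plus one benign Run entry
# (Windows' own SecurityHealth value) as a control. The SID is the report's.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fast = "C:\\Users\\Admin\\AppData\\Local\\fast.exe"',
    r'File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fast.exe',
    r'Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh',
    r'Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh',
    r'Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe"',
]
# Hypothetical positive for the Netsh rule; nothing like it occurs in this report.
CONTROL_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh\helper = "C:\\Users\\Admin\\AppData\\Local\\helper.dll"',
]

SET_VALUE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)"$')
FILE_CREATED = re.compile(r'^File created (?P<path>.+)$')
RUN_KEY = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\(?P<name>[^\\]+)$', re.I)
EXEFILE_CMD = re.compile(r'\\Classes\\exefile\\shell\\open\\command\\?$', re.I)
NETSH_KEY = re.compile(r'\\SOFTWARE\\Microsoft\\NetSh(\\|$)', re.I)
STARTUP_DIR = re.compile(r'\\start menu\\programs\\startup\\', re.I)
# Heuristic list of locations a standard user can write to (not exhaustive).
USER_WRITABLE = re.compile(r'^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|windows\\temp\\|temp\\)', re.I)
EXEFILE_DEFAULT = '"%1" %*'  # the clean exefile\shell\open\command value


def unescape(data):
    """The sandbox renders string values with backslash-doubled paths and \\" quotes."""
    return data.replace('\\"', '"').replace('\\\\', '\\')


def first_path(cmd):
    """Executable path at the start of a command-line style value (honours quotes)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]


def audit(events):
    """Return (technique, detail) findings for persistence-relevant events."""
    findings = []
    for line in events:
        m = SET_VALUE.match(line)
        if m:
            path, data = m.group("path"), unescape(m.group("data"))
            run = RUN_KEY.search(path)
            if run and USER_WRITABLE.match(first_path(data)):
                findings.append(("T1547.001 Run key points into a user-writable path",
                                 f"{run.group('name')} = {data}"))
            elif EXEFILE_CMD.search(path) and data.strip() != EXEFILE_DEFAULT:
                findings.append(("T1546.001 exefile open handler replaced", data))
            elif NETSH_KEY.search(path):
                findings.append(("T1546.007 Netsh helper DLL registered", f"{path} = {data}"))
            continue
        m = FILE_CREATED.match(line)
        if m and STARTUP_DIR.search(m.group("path")):
            findings.append(("T1547.001 executable dropped in Startup folder", m.group("path")))
        # "Key opened/queried/enumerated" on ...\Microsoft\NetSh is intentionally
        # not reported: netsh.exe reads that key on every start to load helpers.
    return findings


if __name__ == "__main__":
    for technique, detail in audit(SAMPLE_EVENTS):
        print(f"{technique}: {detail}")
```

The exefile check is the one to keep after cleanup: a Run value can be deleted, but a system on which the exefile handler still points at svchost.com will re-execute Neshta on the next double-click of any program, and restoring the association to the default is the first remediation step.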

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Note: every target in this table is an executable and every row is an open for modification by the Neshta-carrying svchost.exe, consistent with the Neshta file infector modifying host .exe files; once infected, those programs run through the C:\Windows\svchost.com handler set by the exefile association above. The paths are recorded in 8.3 short form (on this Windows 7 image PROGRA~2 is typically Program Files (x86) and PROGRA~3 ProgramData).
Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

N/A

Files

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

MD5 f2e5cfb8f498639baf77b6a55fb9325e
SHA1 dad7f1b0d38a1142c50c629555289daf678cc5a6
SHA256 51fadba4debb9030662f2593ede938f175656208aaa30c9b214fa580114613e0
SHA512 80689f12aeefaf5452515a4ad3525ce6e85fb4fa4e0f3c0f2e41f8ca37235a4188711871e3b5fd4e67b95b53d99ed447b8603edd35f9c74b12f0ae0f63eb634c

memory/2584-69-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2584-70-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2584-71-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2584-73-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-06 01:07

Reported

2024-07-06 01:12

Platform

win10v2004-20240704-en

Max time kernel

97s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Modifies system executable filetype association

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MICROS~2.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.41\MI9C33~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
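The "Drops file in Program Files directory" tables in behavioral3 and behavioral4 list the executables the sample opened for modification, and the Files sections give the hashes of the modified copies. Public Neshta analyses describe it as a prepending file infector (the infected file is the infector's own PE image with the original executable stored after it); that is an assumption carried over from those analyses, not something this report states. Under that assumption an infected file carries a second MZ/PE header in its overlay, the bytes past the last section. The scanner below is an added example, not part of the sandbox output: it parses the section table to find where the overlay starts, looks for a second PE header there, and walks a directory tree. The one-section PE it builds for the demonstration is constructed here and is not a file from this report.

```python
r"""Added scanner for prepending-infector output (Neshta-style, per public
analyses): a second MZ/PE image sitting in the overlay of an executable.
The sample PE built by build_minimal_pe() is constructed for the demo and
is not taken from the report."""
import os
import struct


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from("<H", b, off)[0]


def _u32(b: bytes, off: int) -> int:
    return struct.unpack_from("<I", b, off)[0]


def _is_pe_at(data: bytes, off: int) -> bool:
    """Plausible DOS header at `off` whose e_lfanew points at the PE signature."""
    if off < 0 or off + 0x40 > len(data) or data[off:off + 2] != b"MZ":
        return False
    e_lfanew = _u32(data, off + 0x3C)
    sig = off + e_lfanew
    return e_lfanew >= 0x40 and sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\0\0"


def pe_overlay_offset(data: bytes) -> int:
    """Where the PE's mapped content ends: the larger of SizeOfHeaders and the
    end of every section's raw data.  Anything after it is overlay."""
    if not _is_pe_at(data, 0):
        raise ValueError("not a PE file")
    nt = _u32(data, 0x3C)
    nsec = _u16(data, nt + 6)             # COFF NumberOfSections
    opt_size = _u16(data, nt + 20)        # COFF SizeOfOptionalHeader
    end = _u32(data, nt + 24 + 60)        # SizeOfHeaders (same offset in PE32 and PE32+)
    sections = nt + 24 + opt_size
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sections + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))


def find_embedded_pe(data: bytes):
    """Absolute offset of a PE image inside the overlay, or None."""
    pos = data.find(b"MZ", pe_overlay_offset(data))
    while pos != -1:
        if _is_pe_at(data, pos):
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def scan_directory(root: str, exts=(".exe", ".com", ".scr")):
    """Yield (path, offset) for every executable under `root` that carries a
    second PE image in its overlay.  Unreadable or non-PE files are skipped."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    off = find_embedded_pe(fh.read())
            except (OSError, ValueError):
                continue
            if off is not None:
                yield path, off


def build_minimal_pe(body: bytes = b"\x90" * 0x200, tag: bytes = b"CLEAN") -> bytes:
    """Constructed sample: a one-section PE32 with 0x200 bytes of headers and
    the section's raw data at file offset 0x200.  Enough for the parser; not
    a runnable program and not a file from the report."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                      # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                                     # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000,
                          len(body), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + section + tag
    return headers + b"\0" * (0x200 - len(headers)) + body


if __name__ == "__main__":
    victim = build_minimal_pe(tag=b"ORIGINAL")
    infected = build_minimal_pe(tag=b"INFECTOR-STUB") + victim   # stub first, original appended
    print("clean file, embedded PE:", find_embedded_pe(victim))             # None
    print("infected file, embedded PE at:", hex(find_embedded_pe(infected)))  # 0x400
    for path, off in scan_directory(os.environ.get("SCAN_ROOT", ".")):
        print(f"{path}: second PE image at offset {off:#x}")
```

A hit is a triage lead, not proof: self-extracting installers and update stubs legitimately carry a PE in their overlay, and several of the paths above (the Google Update, Edge Update and VC redistributable packages) are exactly that kind of file. Confirm each hit against a vendor copy or a known-good hash; the hashes in the Files sections of this report are those of the files after modification, so they identify the altered copies rather than the originals.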

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe N/A
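Both behavioral3 and behavioral4 record the same registry change: the default value of HKLM\SOFTWARE\Classes\exefile\shell\open\command, which Windows ships as "%1" %*, is replaced with C:\Windows\svchost.com "%1" %*. The shell consults this key whenever an .exe is started through ShellExecute (double-click, the Run dialog), so the dropped .com loader runs first with the intended program as its argument; CreateProcess from an existing console does not go through it. The check below is an added example, not part of the sandbox output: it classifies the association value, names the interposed program, reads the live key from both hives Explorer merges into HKCR when run on Windows, and looks for the loader path from this report. The wrapped-path sample value in the test is constructed.

```python
r"""Added check for the exefile association hijack recorded in this report:
HKLM\SOFTWARE\Classes\exefile\shell\open\command set to
C:\Windows\svchost.com "%1" %*.  Pure Python; the live registry read only
happens on Windows."""
import os
import shlex
import sys

DEFAULT_EXEFILE_COMMAND = '"%1" %*'                   # stock Windows value for exefile\shell\open\command
REPORTED_VALUE = r'C:\Windows\svchost.com "%1" %*'   # value from the behavioral3/behavioral4 runs
REPORTED_DROPPED_FILE = r"C:\Windows\svchost.com"    # "Drops file in Windows directory" in this report


def interposed_program(command: str):
    """Program that receives the clicked .exe as "%1", or None when the
    command is the stock value and the .exe itself is what runs."""
    tokens = shlex.split(command.strip(), posix=False)  # posix=False leaves backslashes alone
    if not tokens:
        return None
    first = tokens[0].strip('"')
    return None if first == "%1" else first


def classify_exefile_command(command: str) -> str:
    """'default': stock value.  'hijacked': another program is interposed and
    still receives %1 (Neshta-style).  'unexpected': non-default and %1 is
    gone entirely, so double-click would launch nothing at all."""
    value = command.strip()
    if value == DEFAULT_EXEFILE_COMMAND:
        return "default"
    return "hijacked" if "%1" in value else "unexpected"


def read_live_exefile_commands() -> dict:
    r"""Read the association from both hives Explorer merges into HKCR.  This
    sample wrote the HKLM copy; a per-user HKCU\Software\Classes copy would
    take precedence, so it is checked too.  Returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard-library module
    found = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, r"SOFTWARE\Classes\exefile\shell\open\command") as key:
                found[hive_name] = winreg.QueryValueEx(key, "")[0]   # "" = the (Default) value
        except FileNotFoundError:
            continue
    return found


def report(commands: dict, dropped_file: str = REPORTED_DROPPED_FILE) -> list:
    """One finding per non-default association, plus one if the loader path
    from this report exists on disk."""
    findings = []
    for hive_name, value in commands.items():
        verdict = classify_exefile_command(value)
        if verdict != "default":
            findings.append(f"{hive_name}\\...\\exefile\\shell\\open\\command is {verdict}: {value!r} "
                            f"(interposed program: {interposed_program(value)})")
    if os.path.exists(dropped_file):
        findings.append(f"{dropped_file} exists (Neshta loader path from this report)")
    return findings


if __name__ == "__main__":
    live = read_live_exefile_commands()
    if not live:  # off Windows: demonstrate on the value captured in the report
        live = {"HKLM (from report)": REPORTED_VALUE}
    findings = report(live)
    print("\n".join(findings) if findings else "exefile association is default and no loader found")
```

Order matters when cleaning up: restore the association before deleting the loader, because with the key still pointing at a missing C:\Windows\svchost.com no .exe can be started from the shell at all. From an existing console (which does not consult the key), reg add "HKLM\SOFTWARE\Classes\exefile\shell\open\command" /ve /d "\"%1\" %*" /f puts the stock value back; then remove the loader, and only then deal with the modified executables listed in the Program Files tables.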

Processes

C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\新建文件夹\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 2701f5f07f9c3bd97f752b93e11224a6
SHA1 19e11632c430f6db218be7d54719e7d16005703f
SHA256 15dc0e52a821f2c356d6c9eac4ac41fa53ab1742a5f719de4e8be28d86ca3a99
SHA512 121ba9218c676c28e432f3ffa0e13f4b14f3726e5d8521c239641f24b869063de27608689daab4c81d1eea0b3f67072e42fca558bf379c60a8370cd15d37b81d

memory/60-34-0x0000000000400000-0x000000000041B000-memory.dmp

memory/60-86-0x0000000000400000-0x000000000041B000-memory.dmp

memory/60-87-0x0000000000400000-0x000000000041B000-memory.dmp

memory/60-88-0x0000000000400000-0x000000000041B000-memory.dmp

memory/60-89-0x0000000000400000-0x000000000041B000-memory.dmp

memory/60-90-0x0000000000400000-0x000000000041B000-memory.dmp

memory/60-91-0x0000000000400000-0x000000000041B000-memory.dmp

memory/60-92-0x0000000000400000-0x000000000041B000-memory.dmp

memory/60-93-0x0000000000400000-0x000000000041B000-memory.dmp

memory/60-95-0x0000000000400000-0x000000000041B000-memory.dmp