Analysis
max time kernel: 98s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-07-2024 17:43
Static task: static1
Behavioral task behavioral1: sample 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.zip, resource win7-20240704-en
Behavioral task behavioral2: sample 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.zip, resource win10v2004-20240704-en
Behavioral task behavioral3: sample 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe, resource win7-20240704-en
Behavioral task behavioral4: sample 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe, resource win10v2004-20240704-en
General
Target: 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.zip
Size: 50KB
MD5: 05f3827b79462467cd41711ee3a1fee1
SHA1: b8cea62a853c73aff99e7b0b9616ff567f05285e
SHA256: 452ccadead56b846bd968178bc46156b7a4bceeee25b6143ae9d793ebaa77adb
SHA512: ce50dc7664ad904c3da0b8e46631cec0be2a4250f789f7478657a5ee68f98346a2dee9539dea153cfd3a792e2fbc3cd014493a40bd08201942b899769bbc0892
SSDEEP: 768:ykyP3gVLBzKQHMaS5vW67PJYDr8BPZDlyMiTvMUMkUKhkWCZ7pOfZtdJ:yiqQHC5WmPurCvwTvMUMkjkWCZ7pEZtL
Malware Config
Signatures
Phobos
Phobos ransomware appeared at the beginning of 2019. The encrypted-file naming seen in this run, <original name>.id[<victim id>].[<contact>].8base, is the scheme used by the 8Base variant of Phobos; the victim id (2E8FAA15-3483 here) is constant across every file the build encrypts.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery. In this run the shadow copies are removed twice, once with vssadmin.exe and once with WMIC.exe (see the process tree), before the backup catalog is deleted.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  pid   process
  3824  bcdedit.exe
  3608  bcdedit.exe
Deletes backup catalog 1 IoCs
Processes:
  pid   process
  1144  wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
  pid   process
  2212  netsh.exe
  1392  netsh.exe
Drops startup file 1 IoCs
Processes:
  process: 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
  File created  \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  4588  45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
  3092  45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  process: 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f = "C:\\Users\\Admin\\AppData\\Local\\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"
  Set value (str)  \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f = "C:\\Users\\Admin\\AppData\\Local\\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"
Drops desktop.ini file(s) 2 IoCs
Processes:
  process: 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-587429654-1855694383-2268796072-1000\desktop.ini
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-587429654-1855694383-2268796072-1000\desktop.ini
Drops file in Program Files directory 64 IoCs
Processes:
  process: 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe (all 64 entries)
  File created                  C:\Program Files\7-Zip\7zCon.sfx.id[2E8FAA15-3483].[[email protected]].8base
  File created                  C:\Program Files\7-Zip\Lang\ky.txt.id[2E8FAA15-3483].[[email protected]].8base
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.id[2E8FAA15-3483].[[email protected]].8base
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui
  File opened for modification  C:\Program Files\Common Files\System\msadc\msadco.dll
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml
  File created                  C:\Program Files\7-Zip\7zG.exe.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\7-Zip\Lang\lv.txt
  File created                  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\7-Zip\Lang\mr.txt
  File opened for modification  C:\Program Files\7-Zip\Lang\tr.txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui
  File opened for modification  C:\Program Files\Common Files\System\ado\msado28.tlb
  File created                  C:\Program Files\7-Zip\Lang\ga.txt.id[2E8FAA15-3483].[[email protected]].8base
  File created                  C:\Program Files\7-Zip\Lang\he.txt.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\7-Zip\Lang\is.txt
  File opened for modification  C:\Program Files\7-Zip\Lang\ko.txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll
  File opened for modification  C:\Program Files\7-Zip\Lang\br.txt
  File created                  C:\Program Files\7-Zip\Lang\fur.txt.id[2E8FAA15-3483].[[email protected]].8base
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll
  File opened for modification  C:\Program Files\7-Zip\Lang\ext.txt
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.id[2E8FAA15-3483].[[email protected]].8base
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\he-IL\tipresx.dll.mui
  File created                  C:\Program Files\7-Zip\7-zip.chm.id[2E8FAA15-3483].[[email protected]].8base
  File created                  C:\Program Files\7-Zip\Lang\bg.txt.id[2E8FAA15-3483].[[email protected]].8base
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui
  File created                  C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\7-Zip\Lang\bn.txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll
  File created                  C:\Program Files\7-Zip\Lang\ka.txt.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.id[2E8FAA15-3483].[[email protected]].8base
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui
  File opened for modification  C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui
  File opened for modification  C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui
  File opened for modification  C:\Program Files\7-Zip\Lang\mng.txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui
  File opened for modification  C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui
  File created                  C:\Program Files\7-Zip\Lang\mk.txt.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll
  File opened for modification  C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui
  File opened for modification  C:\Program Files\7-Zip\Lang\io.txt
  File opened for modification  C:\Program Files\7-Zip\Lang\pl.txt
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml
  File opened for modification  C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui
  File opened for modification  C:\Program Files\7-Zip\Lang\pa-in.txt
  File created                  C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.id[2E8FAA15-3483].[[email protected]].8base
  File opened for modification  C:\Program Files\Common Files\microsoft shared\ink\en-US\TabTip.exe.mui
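The file IoCs above all follow one naming scheme: the original path, then .id[<victim id>].[<contact>].8base. The following is an added example, not code from the report or from the sample, that parses that scheme out of IoC lines, pairs each encrypted file with the original the process opened for modification, and summarises victim id and extension. SAMPLE_IOCS is a constructed subset of the entries above; the report shows the contact address obfuscated, so a placeholder address is used here.

```python
"""Parse Phobos/8Base-style encrypted file names out of sandbox file IoCs and
pair each encrypted file with the original that was opened for modification.

Added example; not code from the report or the sample. SAMPLE_IOCS is a
constructed subset of the report's 'Drops file in Program Files directory'
entries. The report shows the attacker contact address obfuscated, so a
placeholder address is used here.
"""
import re
from collections import Counter

# <original path>.id[<8 hex>-<4 hex>].[<contact>].<extension>
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
IOC_LINE = re.compile(r"^File (?P<action>created|opened for modification) (?P<path>.+)$")


def parse_encrypted_name(path):
    """Return {'original', 'victim_id', 'contact', 'ext'} or None if the path
    does not carry the Phobos naming scheme."""
    m = ENCRYPTED_NAME.match(path)
    return m.groupdict() if m else None


def summarize(ioc_lines):
    """Group 'File created' encrypted names by their original path and cross
    them with 'File opened for modification' events on the originals."""
    created, modified = {}, set()
    for line in ioc_lines:
        m = IOC_LINE.match(line.strip())
        if not m:
            continue
        if m["action"] == "created":
            parsed = parse_encrypted_name(m["path"])
            if parsed:
                created[parsed["original"]] = parsed
        else:
            modified.add(m["path"])
    originals = set(created)
    return {
        "encrypted": len(created),
        # one victim id and one extension per build; more than one is worth a second look
        "victim_ids": Counter(p["victim_id"] for p in created.values()),
        "extensions": Counter(p["ext"] for p in created.values()),
        "paired": sorted(originals & modified),             # original touched and encrypted twin written
        "unpaired_originals": sorted(modified - originals),  # touched, but no encrypted twin in this subset
    }


SAMPLE_IOCS = [  # constructed subset of the report's IoCs; contact address is a placeholder
    r"File created C:\Program Files\7-Zip\Lang\ga.txt.id[2E8FAA15-3483].[contact@example.invalid].8base",
    r"File opened for modification C:\Program Files\7-Zip\Lang\ga.txt",
    r"File created C:\Program Files\7-Zip\7zG.exe.id[2E8FAA15-3483].[contact@example.invalid].8base",
    r"File opened for modification C:\Program Files\7-Zip\Lang\lv.txt",
    r"File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.id[2E8FAA15-3483].[contact@example.invalid].8base",
    r"File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_IOCS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The non-greedy original group matters: names such as tipresx.dll.mui already contain dots, so the split has to be anchored on the literal .id[ marker rather than on the last dot. Run over the full 64-entry list, the summary should show exactly one victim id and one extension; a second id in the same run would mean two builds or two infections.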
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The three IoCs below are reads only: netsh.exe opens and enumerates HKLM\SOFTWARE\Microsoft\NetSh on every start to locate its helper DLLs, so this signature fired on netsh's normal behaviour while it was disabling the firewall, not on a helper DLL being registered. A write (Set value) under that key pointing at a DLL outside the system directory would be the actual T1546.007 indicator; none occurred in this run.
Processes:
  process: netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  4560  vssadmin.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
  pid   process
  4588  45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe (14 identical entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
  token                pid   process
  SeRestorePrivilege   3680  7zG.exe
  35                   3680  7zG.exe
  SeSecurityPrivilege  3680  7zG.exe
  SeSecurityPrivilege  3680  7zG.exe
  SeDebugPrivilege     4588  45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid   process
  3680  7zG.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  source pid  source process                                                         target pid  target process
  4588        45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe  3220        cmd.exe (2 entries)
  4588        45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe  4120        cmd.exe (2 entries)
  3220        cmd.exe                                                                2212        netsh.exe (2 entries)
  4120        cmd.exe                                                                4560        vssadmin.exe (2 entries)
Processes
- C:\Windows\Explorer.exe
  cmdline: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.zip
  PID: 468
- C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1248
- C:\Program Files\7-Zip\7zG.exe
  cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f\" -spe -an -ai#7zMap4887:186:7zEvent23728
  signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  PID: 3680
- C:\Users\Admin\Desktop\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
  cmdline: "C:\Users\Admin\Desktop\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"
  signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops desktop.ini file(s); Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID: 4588
  - C:\Users\Admin\Desktop\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
    cmdline: "C:\Users\Admin\Desktop\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"
    signatures: Executes dropped EXE
    PID: 3092
  - C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe"
    signatures: Suspicious use of WriteProcessMemory
    PID: 4120
    - C:\Windows\system32\vssadmin.exe
      cmdline: vssadmin delete shadows /all /quiet
      signatures: Interacts with shadow copies
      PID: 4560
    - C:\Windows\System32\Wbem\WMIC.exe
      cmdline: wmic shadowcopy delete
      PID: 4184
    - C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
      signatures: Modifies boot configuration data using bcdedit
      PID: 3824
    - C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit /set {default} recoveryenabled no
      signatures: Modifies boot configuration data using bcdedit
      PID: 3608
    - C:\Windows\system32\wbadmin.exe
      cmdline: wbadmin delete catalog -quiet
      signatures: Deletes backup catalog
      PID: 1144
  - C:\Windows\system32\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe"
    signatures: Suspicious use of WriteProcessMemory
    PID: 3220
    - C:\Windows\system32\netsh.exe
      cmdline: netsh advfirewall set currentprofile state off
      signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
      PID: 2212
    - C:\Windows\system32\netsh.exe
      cmdline: netsh firewall set opmode mode=disable
      signatures: Modifies Windows Firewall
      PID: 1392
- C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  PID: 4960
- C:\Windows\System32\winver.exe
  cmdline: "C:\Windows\System32\winver.exe"
  PID: 2444
- C:\Windows\system32\wbengine.exe
  cmdline: "C:\Windows\system32\wbengine.exe"
  PID: 3084
- C:\Windows\System32\vdsldr.exe
  cmdline: C:\Windows\System32\vdsldr.exe -Embedding
  PID: 720
- C:\Windows\System32\vds.exe
  cmdline: C:\Windows\System32\vds.exe
  PID: 2084
- C:\Program Files\VideoLAN\VLC\vlc.exe
  cmdline: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\RepairRead.mp4"
  PID: 4732
- C:\Windows\system32\taskmgr.exe
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3660
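The two cmd.exe children above carry the whole pre-encryption routine: five distinct recovery-inhibition commands (vssadmin, WMIC, two bcdedit settings, wbadmin) and two firewall-disabling netsh invocations, alongside the Run key and Startup folder persistence from the signatures section. The following is an added example, not code from the sandbox or the sample, showing how a detection pipeline would score such a run from process, registry and file events. SAMPLE_EVENTS is constructed from this report's command lines and IoCs (file names shortened to "sample"); the one NetSh registry write under pid 9999 is constructed and did not occur in this run, and is there only to show the positive case next to the read-only NetSh events that actually triggered the helper-DLL signature. The technique ids and rule patterns are this example's own.

```python
"""Triage of sandbox events for recovery inhibition, firewall tampering,
autostart persistence and netsh helper-DLL registration.

Added example; not code from the sandbox or the sample. SAMPLE_EVENTS is
constructed from the command lines, registry writes and file drops in the
report (file names shortened to 'sample'), plus one constructed registry
write (pid 9999) that did NOT occur in this run, to show the positive case.
"""
import re
from dataclasses import dataclass

# (ATT&CK technique, label, pattern applied to the lowercased command line)
COMMAND_RULES = [
    ("T1490", "vssadmin deletes shadow copies",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("T1490", "wmic deletes shadow copies",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("T1490", "bcdedit disables Windows recovery",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("T1490", "bcdedit ignores boot failures",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("T1490", "wbadmin deletes backup catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("T1562.004", "netsh turns a firewall profile off",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b")),
    ("T1562.004", "netsh (legacy syntax) disables the firewall",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b")),
]
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
NETSH_KEY = re.compile(r"\\software\\microsoft\\netsh\b", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)


@dataclass
class Finding:
    technique: str
    label: str
    pid: int
    evidence: str


def triage(events):
    """events: dicts with 'kind' in {'process','registry','file'}, 'pid', and
    'cmdline' / 'key' + 'action' / 'path'. Returns findings in input order."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            cmd = ev["cmdline"].lower()
            for tech, label, rx in COMMAND_RULES:
                if rx.search(cmd):
                    findings.append(Finding(tech, label, ev["pid"], ev["cmdline"]))
        elif ev["kind"] == "registry":
            # Only writes matter: netsh.exe reads HKLM\SOFTWARE\Microsoft\NetSh on every
            # start to enumerate its helper DLLs, so opens/queries of that key are noise.
            is_write = ev.get("action", "").lower().startswith("set value")
            if is_write and RUN_KEY.search(ev["key"]):
                findings.append(Finding("T1547.001", "Run key set", ev["pid"], ev["key"]))
            elif is_write and NETSH_KEY.search(ev["key"]):
                findings.append(Finding("T1546.007", "netsh helper DLL registered", ev["pid"], ev["key"]))
        elif ev["kind"] == "file" and STARTUP_DIR.search(ev["path"]):
            findings.append(Finding("T1547.001", "Startup folder drop", ev["pid"], ev["path"]))
    return findings


def recovery_inhibition_count(findings):
    """Distinct T1490 behaviours seen; two or more in one run is a strong
    pre-encryption ransomware indicator regardless of the payload's family."""
    return len({f.label for f in findings if f.technique == "T1490"})


SAMPLE_EVENTS = [  # constructed from the report's process tree and IoCs
    {"kind": "process", "pid": 4560, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"kind": "process", "pid": 4184, "cmdline": "wmic shadowcopy delete"},
    {"kind": "process", "pid": 3824, "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"kind": "process", "pid": 3608, "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"kind": "process", "pid": 1144, "cmdline": "wbadmin delete catalog -quiet"},
    {"kind": "process", "pid": 2212, "cmdline": "netsh advfirewall set currentprofile state off"},
    {"kind": "process", "pid": 1392, "cmdline": "netsh firewall set opmode mode=disable"},
    {"kind": "process", "pid": 3680,  # benign 7-Zip extraction, must not fire
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\sample" -spe -an'},
    {"kind": "registry", "pid": 4588, "action": "Set value (str)",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sample"},
    {"kind": "registry", "pid": 2212, "action": "Key queried",  # observed: read only, no finding
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh"},
    {"kind": "registry", "pid": 9999, "action": "Set value (str)",  # constructed, not in this run
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh\helper"},
    {"kind": "file", "pid": 4588,
     "path": r"c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\sample.exe"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.technique:<10} pid={f.pid:<5} {f.label}: {f.evidence}")
    print("distinct recovery-inhibition behaviours:", recovery_inhibition_count(found))
```

The rules are deliberately anchored on the full argument shape (for example "delete shadows", "recoveryenabled no") rather than on the binary name alone, because vssadmin, bcdedit and netsh are routine administrative tools; what separates this run from an administrator's session is five distinct recovery-inhibition commands inside a few seconds from the same parent, which is what recovery_inhibition_count exposes.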
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[2E8FAA15-3483].[[email protected]].8base
  Filesize: 3.2MB
  MD5: dce6900ab6174bfccb5903a54e6ddd0d
  SHA1: c76361fc05a3a8f141d37ea5120dcbea328b71f5
  SHA256: 91151ebba4f1b9e7d84cf71d30d8f33b2857842054c153b8bfc5183693b0693e
  SHA512: 2c9fb9ef35ebd8d69c0db703b6ad2a27072e3d51ea29f90828c851b57a06a20c5d4d6bd70c98b99e05fe124c78c243114d9cfe7fd407e1287f7e9781ab775e7a
- C:\Users\Admin\Desktop\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
  Filesize: 66KB
  MD5: 87d6d2488b1260e70f4042bf1f292529
  SHA1: 161f9a79f8197c9b5de1beb7bd4d425d5c23b45b
  SHA256: 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f
  SHA512: a9d3930de1ff5849e61d1807c6de4b063790dc03f7e4f3f2101cbddde55002ffcc85d2ff433b753a5936403feedbc93c0f3658ffb5e8051d00ba58641e6afda7