Analysis
-
max time kernel
66s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
07-07-2024 18:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
Resource
win7-20240705-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
Resource
win10v2004-20240704-en
windows10-2004-x64
17 signatures
150 seconds
General
-
Target
45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe
-
Size
66KB
-
MD5
87d6d2488b1260e70f4042bf1f292529
-
SHA1
161f9a79f8197c9b5de1beb7bd4d425d5c23b45b
-
SHA256
45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f
-
SHA512
a9d3930de1ff5849e61d1807c6de4b063790dc03f7e4f3f2101cbddde55002ffcc85d2ff433b753a5936403feedbc93c0f3658ffb5e8051d00ba58641e6afda7
-
SSDEEP
1536:/NeRBl5PT/rx1mzwRMSTdLpJy/jIlkugRGVy/SR1qo+tEgfNni:/QRrmzwR5JysFV12i
Malware Config
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2228 bcdedit.exe 1680 bcdedit.exe -
Renames multiple (72) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 1496 wbadmin.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 2696 netsh.exe 1740 netsh.exe -
Drops startup file 1 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f = "C:\\Users\\Admin\\AppData\\Local\\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe" 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f = "C:\\Users\\Admin\\AppData\\Local\\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe" 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe -
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\desktop.ini 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\desktop.ini 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\7-Zip\Lang\ne.txt 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_ja.properties.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.syntheticnotification.exsd.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Krasnoyarsk 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\7-Zip\History.txt 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_zh_4.4.0.v20140623020002.jar.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\pt-BR.pak.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_TW.properties.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\7-Zip\7-zip32.dll.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Majuro.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_ButtonGraphic.png 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Google\Chrome\Application\master_preferences.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\w2k_lsa_auth.dll.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\AddRestart.htm 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb.id[729E3E4D-3483].[[email protected]].8base 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe File opened for modification C:\Program Files\Internet Explorer\SIGNUP\install.ins 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2568 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe Token: SeBackupPrivilege 2148 vssvc.exe Token: SeRestorePrivilege 2148 vssvc.exe Token: SeAuditPrivilege 2148 vssvc.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 3036 wrote to memory of 2776 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 31 PID 3036 wrote to memory of 2776 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 31 PID 3036 wrote to memory of 2776 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 31 PID 3036 wrote to memory of 2776 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 31 PID 3036 wrote to memory of 2780 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 32 PID 3036 wrote to memory of 2780 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 32 PID 3036 wrote to memory of 2780 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 32 PID 3036 wrote to memory of 2780 3036 45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe 32 PID 2780 wrote to memory of 2696 2780 cmd.exe 35 PID 2780 wrote to memory of 2696 2780 cmd.exe 35 PID 2780 wrote to memory of 2696 2780 cmd.exe 35 PID 2776 wrote to memory of 2568 2776 cmd.exe 36 PID 2776 wrote to memory of 2568 2776 cmd.exe 36 PID 2776 wrote to memory of 2568 2776 cmd.exe 36 PID 2780 wrote to memory of 1740 2780 cmd.exe 38 PID 2780 wrote to memory of 1740 2780 cmd.exe 38 PID 2780 wrote to memory of 1740 2780 cmd.exe 38 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"C:\Users\Admin\AppData\Local\Temp\45de59851d68929632346d6f894dc8c1b6a5c4197db83c2e33c60631efc0b39f.exe"2⤵PID:2640
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2568
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵PID:2476
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2228
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:1680
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:1496
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2696
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1740
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:960
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1960
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2808
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1