Analysis
Max time kernel: 300s
Max time network: 128s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 19/02/2025, 07:11
Static task: static1
Behavioral task: behavioral1
  Sample: 19022025_0711_sample.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 19022025_0711_sample.exe
  Resource: win10v2004-20250217-en
General
Target: 19022025_0711_sample.exe
Size: 481KB
MD5: bd6e69713ccfdbc9e9486bfabf135128
SHA1: cd57d85db99bcb948a089b09902ad093708ff90e
SHA256: 11840e492551afa910f38f3077881db2556d97de174d2bbf239b8bb0b5f1d02f
SHA512: 5bd041c55bb551023a65cc69e78d442311386267e170e0f6c7bda9aeffae4277ddc6496183dca1f3d96f2e8b060555c266612e1384af6af229f41c6a0c5085e7
SSDEEP: 6144:suQ7u0a0Lgb2mzHy2ZkFlqe1u5hDimntgNqtOq:sRayLk3zHtkFlD1SfOq
Malware Config
Extracted
Path: C:\info.hta
URL: http://www.w3.org/TR/html4/strict.dtd
Signatures
Phobos
Phobos ransomware appeared at the beginning of 2019.
Phobos family
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
pid / Process:
- 2756 bcdedit.exe
- 1580 bcdedit.exe
- 1248 bcdedit.exe
- 2788 bcdedit.exe
Renames multiple (316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Deletes backup catalog (2 IoCs)
pid / Process:
- 2824 wbadmin.exe
- 2308 wbadmin.exe
Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid / Process:
- 1592 netsh.exe
- 1928 netsh.exe
Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.
Deletes itself (1 IoCs)
pid / Process:
- 2688 AddInProcess32.exe
Drops startup file (3 IoCs)
description / ioc / Process:
- File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\AddInProcess32.exe (AddInProcess32.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (AddInProcess32.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[54E7A7C7-2850].[[email protected]].blue (AddInProcess32.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AddInProcess32 = "C:\\Users\\Admin\\AppData\\Local\\AddInProcess32.exe" (AddInProcess32.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\AddInProcess32 = "C:\\Users\\Admin\\AppData\\Local\\AddInProcess32.exe" (AddInProcess32.exe)
Drops desktop.ini file(s) (64 IoCs)
description / ioc / Process (every entry is "File opened for modification" by AddInProcess32.exe):
- C:\Users\Public\Music\Sample Music\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BBWU148F\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Public\Recorded TV\Sample Media\desktop.ini
- C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
- C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\Favorites\Links for United States\desktop.ini
- C:\Program Files\Microsoft Games\Chess\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Public\Pictures\Sample Pictures\desktop.ini
- C:\Program Files\Microsoft Games\FreeCell\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
- C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SEGJVAZC\desktop.ini
- C:\Program Files\Microsoft Games\Hearts\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4KNYJNXZ\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
- C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5O2ZS8DL\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4TDQSVWU\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Program Files\Microsoft Games\Mahjong\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1U7Y9BT8\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ADWO43R6\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
Suspicious use of SetThreadContext (1 IoCs)
description / pid / Process / procid_target:
- PID 2848 set thread context of 2688; pid 2848, 19022025_0711_sample.exe, procid_target 30
Drops file in Program Files directory (64 IoCs)
description / ioc / Process (Process is AddInProcess32.exe for every entry):
- File opened for modification: C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSFrontendENU.dll
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp
- File created: C:\Program Files (x86)\Microsoft Office\Office14\PTXT9.DLL.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files\Mozilla Firefox\firefox.exe.sig.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\WWLIB.DLL.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml
- File created: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG
- File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\background.gif.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_increaseindent.gif.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml
- File created: C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieResume.dotx.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\currency.js
- File opened for modification: C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\highDpiImageSwap.js
- File created: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234131.WMF.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_COL.HXC.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\107.accdt
- File created: C:\Program Files\Microsoft Office\Office14\BCSLaunch.dll.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00234_.WMF.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg
- File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\INFINTL.DLL.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\FONTSCHM.INI
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_TexturedBlue.gif
- File opened for modification: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif
- File opened for modification: C:\Program Files (x86)\Internet Explorer\en-US\ieinstal.exe.mui
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif
- File created: C:\Program Files\VideoLAN\VLC\plugins\codec\libmft_plugin.dll.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\setting_back.png
- File created: C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_h.png
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
- File created: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00932_.WMF.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02405_.WMF.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\CET
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51F.GIF
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
- File created: C:\Program Files\Java\jre7\lib\sound.properties.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD20013_.WMF.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML
- File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html
- File opened for modification: C:\Program Files\Java\jre7\lib\zi\EET
- File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\ONINTL.DLL.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF
- File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN103.XML.id[54E7A7C7-2850].[[email protected]].blue
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.id[54E7A7C7-2850].[[email protected]].blue
- File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mshta.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mshta.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (19022025_0711_sample.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (AddInProcess32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (AddInProcess32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mshta.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mshta.exe)
Interacts with shadow copies (3 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / Process:
- 3064 vssadmin.exe
- 2380 vssadmin.exe
Modifies Internet Explorer settings (4 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process (identical rows collapsed, with the number of occurrences):
- 2848 19022025_0711_sample.exe (3 rows)
- 2688 AddInProcess32.exe (61 rows)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token / pid / Process (rows grouped by process, in the order they appear):
- 2848 19022025_0711_sample.exe: SeDebugPrivilege
- 2688 AddInProcess32.exe: SeDebugPrivilege
- 1584 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 2084 WMIC.exe (the following sequence appears twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- 2640 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- 812 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (identical rows collapsed, with the number of occurrences):
- PID 2848 wrote to memory of 2688; 2848 19022025_0711_sample.exe, procid_target 30 (11 rows)
- PID 2688 wrote to memory of 2944; 2688 AddInProcess32.exe, procid_target 33 (4 rows)
- PID 2688 wrote to memory of 2696; 2688 AddInProcess32.exe, procid_target 34 (4 rows)
- PID 2696 wrote to memory of 3064; 2696 cmd.exe, procid_target 37 (3 rows)
- PID 2944 wrote to memory of 1592; 2944 cmd.exe, procid_target 38 (3 rows)
- PID 2944 wrote to memory of 1928; 2944 cmd.exe, procid_target 40 (3 rows)
- PID 2696 wrote to memory of 2084; 2696 cmd.exe, procid_target 43 (3 rows)
- PID 2696 wrote to memory of 2756; 2696 cmd.exe, procid_target 45 (3 rows)
- PID 2696 wrote to memory of 1580; 2696 cmd.exe, procid_target 46 (3 rows)
- PID 2696 wrote to memory of 2824; 2696 cmd.exe, procid_target 47 (3 rows)
- PID 2688 wrote to memory of 2188; 2688 AddInProcess32.exe, procid_target 52 (4 rows)
- PID 2688 wrote to memory of 1924; 2688 AddInProcess32.exe, procid_target 53 (4 rows)
- PID 2688 wrote to memory of 1556; 2688 AddInProcess32.exe, procid_target 54 (4 rows)
- PID 2688 wrote to memory of 2516; 2688 AddInProcess32.exe, procid_target 55 (4 rows)
- PID 2688 wrote to memory of 1700; 2688 AddInProcess32.exe, procid_target 56 (4 rows)
- PID 1700 wrote to memory of 2380; 1700 cmd.exe, procid_target 58 (3 rows)
- PID 1700 wrote to memory of 812; 1700 cmd.exe, procid_target 59 (1 row)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Each entry gives the image path, the command line, the signatures triggered and the PID; the bracketed number is the depth in the process tree.)

[1] C:\Users\Admin\AppData\Local\Temp\19022025_0711_sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\19022025_0711_sample.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2848

  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      - Deletes itself
      - Drops startup file
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2688

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        - System Location Discovery: System Language Discovery
        PID: 772

    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2944

      [4] C:\Windows\system32\netsh.exe
          Command line: netsh advfirewall set currentprofile state off
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          PID: 1592

      [4] C:\Windows\system32\netsh.exe
          Command line: netsh firewall set opmode mode=disable
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          PID: 1928

    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        PID: 2696

      [4] C:\Windows\system32\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
          PID: 3064

      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
          PID: 2084

      [4] C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID: 2756

      [4] C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID: 1580

      [4] C:\Windows\system32\wbadmin.exe
          Command line: wbadmin delete catalog -quiet
          - Deletes backup catalog
          PID: 2824

    [3] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        PID: 2188

    [3] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        PID: 1924

    [3] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        PID: 1556

    [3] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        PID: 2516

    [3] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        PID: 1700

      [4] C:\Windows\system32\vssadmin.exe
          Command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
          PID: 2380

      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic shadowcopy delete
          - Suspicious use of AdjustPrivilegeToken
          PID: 812

      [4] C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          - Modifies boot configuration data using bcdedit
          PID: 1248

      [4] C:\Windows\system32\bcdedit.exe
          Command line: bcdedit /set {default} recoveryenabled no
          - Modifies boot configuration data using bcdedit
          PID: 2788

      [4] C:\Windows\system32\wbadmin.exe
          Command line: wbadmin delete catalog -quiet
          - Deletes backup catalog
          PID: 2308

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 1584

[1] C:\Windows\system32\wbengine.exe
    Command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
    PID: 2640

[1] C:\Windows\System32\vdsldr.exe
    Command line: C:\Windows\System32\vdsldr.exe -Embedding
    PID: 2160

[1] C:\Windows\System32\vds.exe
    Command line: C:\Windows\System32\vds.exe
    PID: 112
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Defense Evasion
- Direct Volume Access (1)
- Impair Defenses (1): Disable or Modify System Firewall (1)
- Indicator Removal (3): File Deletion (3)
- Modify Registry (2)
Downloads
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id[54E7A7C7-2850].[[email protected]].blue
  Filesize: 24.4MB
  MD5: 520d9d43af243f48c6b382ff51e11ed8
  SHA1: 1ecd434fb95a99be0d560326c24f831c3b389560
  SHA256: 451906f7fe08f74a26238f80a29e5dce92798ec5ec22c9e756c056b2bfd680de
  SHA512: 60776001e512518fee201bdfb657b3ff5767fe230aa659e1441b1af87b21e319fbb1d8f76cd32740afad518e4e27b47ed76f29a8453e092660628c8e668c1219
- Filesize: 5KB
  MD5: b01b6aee0b958609c2a7e9975a4560a3
  SHA1: dd1131471b6526706d0f715717eccadbb5b13ba0
  SHA256: 834eb81a6e83d60585290105c0125ae9d8597f81b9a9cefe206439668a27151a
  SHA512: 4c74bada3a9a42b12b12922b3e3f8c0714323e08a55b360d420c2fb880ce26c9ac46ecd6f22a72ccb4d33439b241aa79dc7fa7b94c604103ed8a841a0b6f42c2