Analysis
-
max time kernel
300s -
max time network
297s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
19/02/2025, 07:11
Static task
static1
Behavioral task
behavioral1
Sample
19022025_0711_sample.exe
Resource
win7-20241010-en
phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarestealer
windows7-x64
24 signatures
300 seconds
Behavioral task
behavioral2
Sample
19022025_0711_sample.exe
Resource
win10v2004-20250217-en
phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarestealer
windows10-2004-x64
25 signatures
300 seconds
General
-
Target
19022025_0711_sample.exe
-
Size
481KB
-
MD5
bd6e69713ccfdbc9e9486bfabf135128
-
SHA1
cd57d85db99bcb948a089b09902ad093708ff90e
-
SHA256
11840e492551afa910f38f3077881db2556d97de174d2bbf239b8bb0b5f1d02f
-
SHA512
5bd041c55bb551023a65cc69e78d442311386267e170e0f6c7bda9aeffae4277ddc6496183dca1f3d96f2e8b060555c266612e1384af6af229f41c6a0c5085e7
-
SSDEEP
6144:suQ7u0a0Lgb2mzHy2ZkFlqe1u5hDimntgNqtOq:sRayLk3zHtkFlD1SfOq
Malware Config
Extracted
Path
C:\info.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>encrypted</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #EDEDED;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #D0D0E8;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #D0D0E8;
border-left: 10px solid #00008B;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FF0000;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<div>All your files have been encrypted!</div>
</div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>EB29C1CF-2850</span></div>
<div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div>
<div class='bold'>Or write us to the TOX messenger: B41CBC188B890112FD97854A0896E5209C054445197448DDD930BA72D3AB98362ABAE0827CFA</span></div>
<div class='bold'>You can download TOX messenger here <a href='https://tox.chat/'>https://tox.chat/</a></div>
<div>
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
</div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
</ul>
</div>
</body>
</html>
Emails
URLs
http://www.w3.org/TR/html4/strict.dtd'>
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Phobos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 4684 bcdedit.exe 1528 bcdedit.exe 1252 bcdedit.exe 3308 bcdedit.exe -
Renames multiple (655) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 464 wbadmin.exe 4452 wbadmin.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 996 netsh.exe 1400 netsh.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
pid Process 3816 AddInProcess32.exe -
Drops startup file 3 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\AddInProcess32.exe AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini AddInProcess32.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AddInProcess32 = "C:\\Users\\Admin\\AppData\\Local\\AddInProcess32.exe" AddInProcess32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AddInProcess32 = "C:\\Users\\Admin\\AppData\\Local\\AddInProcess32.exe" AddInProcess32.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Public\Downloads\desktop.ini AddInProcess32.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Music\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Documents\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini AddInProcess32.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini AddInProcess32.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Links\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Public\Desktop\desktop.ini AddInProcess32.exe File opened for modification C:\Program Files (x86)\desktop.ini AddInProcess32.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Public\Documents\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini AddInProcess32.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1874072718-2205492803-118941907-1000\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini AddInProcess32.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Public\Libraries\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Public\Music\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Public\Pictures\desktop.ini AddInProcess32.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Public\Videos\desktop.ini AddInProcess32.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1874072718-2205492803-118941907-1000\desktop.ini AddInProcess32.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini AddInProcess32.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini AddInProcess32.exe File opened for modification C:\Program Files\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Searches\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini AddInProcess32.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini AddInProcess32.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini AddInProcess32.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini AddInProcess32.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4852 set thread context of 3816 4852 19022025_0711_sample.exe 90 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-100.png AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\tab_mru_darktheme.png AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare.scale-150.png AddInProcess32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\db2v0801.xsl.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-100.png AddInProcess32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png AddInProcess32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\ui-strings.js.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\reduced_mode.png.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll AddInProcess32.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.IO.Log.Resources.dll AddInProcess32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview2x.png AddInProcess32.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationTypes.resources.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WideTile.scale-125.png AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptySearch.scale-400.png AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\resources.resjson AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-100_contrast-black.png AddInProcess32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png AddInProcess32.exe File created C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Common.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-100_contrast-black.png AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_ReptileEye.png AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-54_altform-unplated.png AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\meBoot.min.js AddInProcess32.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\VisualElements\SmallLogoCanary.png.DATA.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\ui-strings.js AddInProcess32.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\hu.pak AddInProcess32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\PowerPointCapabilities.json.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\46.jpg AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png AddInProcess32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\ui-strings.js.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Handles.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files\VideoLAN\VLC\uninstall.exe.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\ui-strings.js.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\Windows Portable Devices\sqmapi.dll AddInProcess32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down-pressed.gif AddInProcess32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\ui-strings.js AddInProcess32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\ui-strings.js.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sv.pak.DATA.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessCompare.rdlc AddInProcess32.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.RunTime.Serialization.Resources.dll AddInProcess32.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\psuser_64.dll AddInProcess32.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_05.jpg AddInProcess32.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\ui-strings.js.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\ui-strings.js AddInProcess32.exe File created C:\Program Files\7-Zip\Lang\it.txt.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XPath.XDocument.dll.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\MedTile.scale-100.png AddInProcess32.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll AddInProcess32.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\BREEZE.ELM.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\ShareErrorMessagePage.xaml AddInProcess32.exe File created C:\Program Files\7-Zip\Lang\mng2.txt.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms AddInProcess32.exe File created C:\Program Files\Microsoft Office\root\Templates\1033\PersonalMonthlyBudget.xltx.id[EB29C1CF-2850].[[email protected]].blue AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\19.jpg AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.IO.FileSystem.Primitives.dll AddInProcess32.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.png AddInProcess32.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms AddInProcess32.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 19022025_0711_sample.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1496 vssadmin.exe 4876 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\Local Settings AddInProcess32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4852 19022025_0711_sample.exe 4852 19022025_0711_sample.exe 4852 19022025_0711_sample.exe 4852 19022025_0711_sample.exe 4852 19022025_0711_sample.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe 3816 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4852 19022025_0711_sample.exe Token: SeDebugPrivilege 3816 AddInProcess32.exe Token: SeBackupPrivilege 4388 vssvc.exe Token: SeRestorePrivilege 4388 vssvc.exe Token: SeAuditPrivilege 4388 vssvc.exe Token: SeIncreaseQuotaPrivilege 1168 WMIC.exe Token: SeSecurityPrivilege 1168 WMIC.exe Token: SeTakeOwnershipPrivilege 1168 WMIC.exe Token: SeLoadDriverPrivilege 1168 WMIC.exe Token: SeSystemProfilePrivilege 1168 WMIC.exe Token: SeSystemtimePrivilege 1168 WMIC.exe Token: SeProfSingleProcessPrivilege 1168 WMIC.exe Token: SeIncBasePriorityPrivilege 1168 WMIC.exe Token: SeCreatePagefilePrivilege 1168 WMIC.exe Token: SeBackupPrivilege 1168 WMIC.exe Token: SeRestorePrivilege 1168 WMIC.exe Token: SeShutdownPrivilege 1168 WMIC.exe Token: SeDebugPrivilege 1168 WMIC.exe Token: SeSystemEnvironmentPrivilege 1168 WMIC.exe Token: SeRemoteShutdownPrivilege 1168 WMIC.exe Token: SeUndockPrivilege 1168 WMIC.exe Token: SeManageVolumePrivilege 1168 WMIC.exe Token: 33 1168 WMIC.exe Token: 34 1168 WMIC.exe Token: 35 1168 WMIC.exe Token: 36 1168 WMIC.exe Token: SeIncreaseQuotaPrivilege 1168 WMIC.exe Token: SeSecurityPrivilege 1168 WMIC.exe Token: SeTakeOwnershipPrivilege 1168 WMIC.exe Token: SeLoadDriverPrivilege 1168 WMIC.exe Token: SeSystemProfilePrivilege 1168 WMIC.exe Token: SeSystemtimePrivilege 1168 WMIC.exe Token: SeProfSingleProcessPrivilege 1168 WMIC.exe Token: SeIncBasePriorityPrivilege 1168 WMIC.exe Token: SeCreatePagefilePrivilege 1168 WMIC.exe Token: SeBackupPrivilege 1168 WMIC.exe Token: SeRestorePrivilege 1168 WMIC.exe Token: SeShutdownPrivilege 1168 WMIC.exe Token: SeDebugPrivilege 1168 WMIC.exe Token: SeSystemEnvironmentPrivilege 1168 WMIC.exe Token: SeRemoteShutdownPrivilege 1168 WMIC.exe Token: SeUndockPrivilege 1168 WMIC.exe Token: SeManageVolumePrivilege 1168 WMIC.exe Token: 33 1168 WMIC.exe Token: 34 1168 WMIC.exe Token: 35 1168 WMIC.exe Token: 36 1168 WMIC.exe Token: SeBackupPrivilege 832 wbengine.exe Token: SeRestorePrivilege 832 wbengine.exe Token: SeSecurityPrivilege 832 wbengine.exe Token: SeIncreaseQuotaPrivilege 1260 WMIC.exe Token: SeSecurityPrivilege 1260 WMIC.exe Token: SeTakeOwnershipPrivilege 1260 WMIC.exe Token: SeLoadDriverPrivilege 1260 WMIC.exe Token: SeSystemProfilePrivilege 1260 WMIC.exe Token: SeSystemtimePrivilege 1260 WMIC.exe Token: SeProfSingleProcessPrivilege 1260 WMIC.exe Token: SeIncBasePriorityPrivilege 1260 WMIC.exe Token: SeCreatePagefilePrivilege 1260 WMIC.exe Token: SeBackupPrivilege 1260 WMIC.exe Token: SeRestorePrivilege 1260 WMIC.exe Token: SeShutdownPrivilege 1260 WMIC.exe Token: SeDebugPrivilege 1260 WMIC.exe Token: SeSystemEnvironmentPrivilege 1260 WMIC.exe -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3984 4852 19022025_0711_sample.exe 89 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 4852 wrote to memory of 3816 4852 19022025_0711_sample.exe 90 PID 3816 wrote to memory of 1488 3816 AddInProcess32.exe 95 PID 3816 wrote to memory of 1488 3816 AddInProcess32.exe 95 PID 3816 wrote to memory of 2252 3816 AddInProcess32.exe 96 PID 3816 wrote to memory of 2252 3816 AddInProcess32.exe 96 PID 1488 wrote to memory of 996 1488 cmd.exe 99 PID 1488 wrote to memory of 996 1488 cmd.exe 99 PID 2252 wrote to memory of 1496 2252 cmd.exe 100 PID 2252 wrote to memory of 1496 2252 cmd.exe 100 PID 2252 wrote to memory of 1168 2252 cmd.exe 103 PID 2252 wrote to memory of 1168 2252 cmd.exe 103 PID 1488 wrote to memory of 1400 1488 cmd.exe 104 PID 1488 wrote to memory of 1400 1488 cmd.exe 104 PID 2252 wrote to memory of 4684 2252 cmd.exe 105 PID 2252 wrote to memory of 4684 2252 cmd.exe 105 PID 2252 wrote to memory of 1528 2252 cmd.exe 106 PID 2252 wrote to memory of 1528 2252 cmd.exe 106 PID 2252 wrote to memory of 464 2252 cmd.exe 107 PID 2252 wrote to memory of 464 2252 cmd.exe 107 PID 3816 wrote to memory of 3152 3816 AddInProcess32.exe 112 PID 3816 wrote to memory of 3152 3816 AddInProcess32.exe 112 PID 3816 wrote to memory of 3152 3816 AddInProcess32.exe 112 PID 3816 wrote to memory of 4448 3816 AddInProcess32.exe 113 PID 3816 wrote to memory of 4448 3816 AddInProcess32.exe 113 PID 3816 wrote to memory of 4448 3816 AddInProcess32.exe 113 PID 3816 wrote to memory of 1632 3816 AddInProcess32.exe 114 PID 3816 wrote to memory of 1632 3816 AddInProcess32.exe 114 PID 3816 wrote to memory of 1632 3816 AddInProcess32.exe 114 PID 3816 wrote to memory of 2316 3816 AddInProcess32.exe 115 PID 3816 wrote to memory of 2316 3816 AddInProcess32.exe 115 PID 3816 wrote to memory of 2316 3816 AddInProcess32.exe 115 PID 3816 wrote to memory of 4640 3816 AddInProcess32.exe 116 PID 3816 wrote to memory of 4640 3816 AddInProcess32.exe 116 PID 4640 wrote to memory of 4876 4640 cmd.exe 119 PID 4640 wrote to memory of 4876 4640 cmd.exe 119 PID 4640 wrote to memory of 1260 4640 cmd.exe 120 PID 4640 wrote to memory of 1260 4640 cmd.exe 120 PID 4640 wrote to memory of 1252 4640 cmd.exe 121 PID 4640 wrote to memory of 1252 4640 cmd.exe 121 PID 4640 wrote to memory of 3308 4640 cmd.exe 122 PID 4640 wrote to memory of 3308 4640 cmd.exe 122 PID 4640 wrote to memory of 4452 4640 cmd.exe 123 PID 4640 wrote to memory of 4452 4640 cmd.exe 123 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19022025_0711_sample.exe"C:\Users\Admin\AppData\Local\Temp\19022025_0711_sample.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵PID:3984
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1156
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:996
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1400
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1496
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:4684
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:1528
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:464
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- System Location Discovery: System Language Discovery
PID:3152
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- System Location Discovery: System Language Discovery
PID:4448
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- System Location Discovery: System Language Discovery
PID:1632
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- System Location Discovery: System Language Discovery
PID:2316
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:4876
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1252
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:3308
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:4452
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:832
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:4636
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3580
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
3File Deletion
3Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id[EB29C1CF-2850].[[email protected]].blue
Filesize3.6MB
MD50fdcb0fff428e84f86c8559a6bdbbec5
SHA1ad5c265998a9e428ce7c2f08b343b4943d0fca3c
SHA256f8262e3d124eafda42c85cc2da140e7ef87714d493f93ccb80fe4a23d4315732
SHA512b150bdaea5765f49624160b38d99ea33e0960d802f35a151e67bacaf5db5686d68f68f1b4382da0e709002fef2f2a6eb2d492a1af7d734880f5645ee8e0c4e87
-
Filesize
1KB
MD59a2d0ce437d2445330f2646472703087
SHA133c83e484a15f35c2caa3af62d5da6b7713a20ae
SHA25630ea2f716e85f8d14a201e3fb0897d745a01b113342dfb7a9b7ac133c4ef150c
SHA512a61d18d90bfad9ea8afdfa37537cfea3d5a3d0c161e323fa65840c283bdc87c3de85daaff5519beea2f2719eec1c68398eea8679b55ff733a61052f073162d5d
-
Filesize
411B
MD511bf8baec939519fc233f581b0853250
SHA1fd6be3ec5a12cec16ef87f35e69134bfa522386a
SHA256aa367951f76ca413307e745f97640321a46d8d6c20cf27ffb7a259481b576f88
SHA512e06fbd6bf555460dca2b876f44806abbdb8a5d82a92464854cb03f081ac0421ea2803c8caf3f1755494e218eb0b6ef68368da736b2323df9c9dcbd45984e8172
-
Filesize
5KB
MD5d085e0ccf39cf3ffac57ad35db1a2def
SHA136325fface386fee85122cf99e08f92f9f51bc91
SHA2564dc9d93136b25cf7b151c1c035c1e0d518147d1305433486964fe4dc847f36a6
SHA512b93b67e3e1e66b6b7b9fff7cdeff370a3e4a1502b566fe2d9394ec329bb79e081c3cc7bb30db45eebdb1672684d92184fb5e0bef05f5d540f750f41b919d9c5d