Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250217-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
06/03/2025, 19:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe
Resource
win10ltsc2021-20250217-en
phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer
windows10-ltsc 2021-x64
28 signatures
150 seconds
General
-
Target
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe
-
Size
165KB
-
MD5
a2f3d796dc2c2f474188db58d5ca7593
-
SHA1
dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
-
SHA256
408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
-
SHA512
9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c
-
SSDEEP
3072:RONnlLWEFpHEVITy9VG4Req0CFkIOomD7Pp65vOs2C:+lLWcpHuSM3IGFROokP2Om
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\info.hta
Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'>
<html>
<head>
<meta charset='windows-1251'>
<title>cartilage</title>
<HTA:APPLICATION
ICON='msiexec.exe'
SINGLEINSTANCE='yes'
SysMenu="no">
<script language='JScript'>
window.moveTo(50, 50);
window.resizeTo(screen.width - 100, screen.height - 100);
</script>
<style type='text/css'>
body {
font: 15px Tahoma, sans-serif;
margin: 10px;
line-height: 25px;
background: #C6B5C4;
}
img {
display:inline-block;
}
.bold {
font-weight: bold;
}
.mark {
background: #B5CC8E;
padding: 2px 5px;
}
.header {
text-align: center;
font-size: 30px;
line-height: 50px;
font-weight: bold;
margin-bottom:20px;
}
.info {
background: #e6ecf2;
border-left: 10px solid #B58CB2;
}
.alert {
background: #FFE4E4;
border-left: 10px solid #FFA07A;
}
.private {
border: 1px dashed #000;
background: #FFFFEF;
}
.note {
height: auto;
padding-bottom: 1px;
margin: 15px 0;
}
.note .title {
font-weight: bold;
text-indent: 10px;
height: 30px;
line-height: 30px;
padding-top: 10px;
}
.note .mark {
background: #A2A2B5;
}
.note ul {
margin-top: 0;
}
.note pre {
margin-left: 15px;
line-height: 13px;
font-size: 13px;
}
.footer {
position:fixed;
bottom:0;
right:0;
text-align: right;
}
</style>
</head>
<body>
<div class='header'>
<img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='>
<div>All your files have been encrypted!</div>
</div>
<div class='bold'>All your files have been encrypted due to a security problem with your PC.</div>
<div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div>
<div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div>
<div class='bold'>Write this ID in the title of your message <span class='mark'>5380384C-3483</span></div>
<div>
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
</div>
<div class='note info'>
<div class='title'>Free decryption as guarantee</div>
<ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul>
</div>
<div class='note info'>
<div class='title'>How to obtain Bitcoins</div>
<ul>
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
<br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a>
<br> Also you can find other places to buy Bitcoins and beginners guide here:
<br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a>
</ul>
</div>
<div class='note alert'>
<div class='title'>Attention!</div>
<ul>
<li>Do not rename encrypted files.</li>
<li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li>
<li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li>
</ul>
</div>
</body>
</html>
Emails
class='mark'>[email protected]</span></div>
URLs
http://www.w3.org/TR/html4/strict.dtd'>
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Phobos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid Process 2488 bcdedit.exe 1600 bcdedit.exe 3684 bcdedit.exe 308 bcdedit.exe -
Renames multiple (651) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2544 wbadmin.exe 628 wbadmin.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 1928 netsh.exe 928 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\Control Panel\International\Geo\Nation 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 3 IoCs
description ioc Process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c = "C:\\Users\\Admin\\AppData\\Local\\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe" 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c = "C:\\Users\\Admin\\AppData\\Local\\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe" 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Public\Music\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-983685854-559653692-675906587-1000\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Public\Videos\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Public\Documents\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Links\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Public\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Music\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened (read-only) \??\F: mshta.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Trust Protection Lists\Mu\LICENSE.DATA.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.NETCore.App.runtimeconfig.json 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\VideoLAN\VLC\lua\http\css\main.css.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\ui-strings.js 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdateres_en.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\ui-strings.js.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\plugin.js 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vccorlib140.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Windows Photo Viewer\fr-FR\ImagingDevices.exe.mui 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_retina.png 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l2-1-0.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.schema.mfl.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Requests.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\msipc.dll.mui 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-default_32.svg 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-pl.xrm-ms.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-runtime-l1-1-0.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\COIN.WAV.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\mfc140u.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\ui-strings.js.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\ui-strings.js 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\ui-strings.js.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_radio_unselected_18.svg.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\TabTip32.exe.mui 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\UIAutomationClient.resources.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l2-1-0.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msolui.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyFolder_160.svg 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files (x86)\Windows Portable Devices\sqmapi.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.Design.resources.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.Misc.v8.1.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files\Microsoft Office\root\vreg\onenote.x-none.msi.16.x-none.vreg.dat.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libscte18_plugin.dll 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\preloaded_data.pb.DATA.id[5380384C-3483].[[email protected]].8base 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Program crash 3 IoCs
pid pid_target Process procid_target 3252 4436 WerFault.exe 87 660 4436 WerFault.exe 87 4604 4436 WerFault.exe 87 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4516 vssadmin.exe 3228 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-983685854-559653692-675906587-1000_Classes\Local Settings 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 3988 WMIC.exe 3988 WMIC.exe 3988 WMIC.exe 3988 WMIC.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe Token: SeBackupPrivilege 4968 vssvc.exe Token: SeRestorePrivilege 4968 vssvc.exe Token: SeAuditPrivilege 4968 vssvc.exe Token: SeIncreaseQuotaPrivilege 3988 WMIC.exe Token: SeSecurityPrivilege 3988 WMIC.exe Token: SeTakeOwnershipPrivilege 3988 WMIC.exe Token: SeLoadDriverPrivilege 3988 WMIC.exe Token: SeSystemProfilePrivilege 3988 WMIC.exe Token: SeSystemtimePrivilege 3988 WMIC.exe Token: SeProfSingleProcessPrivilege 3988 WMIC.exe Token: SeIncBasePriorityPrivilege 3988 WMIC.exe Token: SeCreatePagefilePrivilege 3988 WMIC.exe Token: SeBackupPrivilege 3988 WMIC.exe Token: SeRestorePrivilege 3988 WMIC.exe Token: SeShutdownPrivilege 3988 WMIC.exe Token: SeDebugPrivilege 3988 WMIC.exe Token: SeSystemEnvironmentPrivilege 3988 WMIC.exe Token: SeRemoteShutdownPrivilege 3988 WMIC.exe Token: SeUndockPrivilege 3988 WMIC.exe Token: SeManageVolumePrivilege 3988 WMIC.exe Token: 33 3988 WMIC.exe Token: 34 3988 WMIC.exe Token: 35 3988 WMIC.exe Token: 36 3988 WMIC.exe Token: SeIncreaseQuotaPrivilege 3988 WMIC.exe Token: SeSecurityPrivilege 3988 WMIC.exe Token: SeTakeOwnershipPrivilege 3988 WMIC.exe Token: SeLoadDriverPrivilege 3988 WMIC.exe Token: SeSystemProfilePrivilege 3988 WMIC.exe Token: SeSystemtimePrivilege 3988 WMIC.exe Token: SeProfSingleProcessPrivilege 3988 WMIC.exe Token: SeIncBasePriorityPrivilege 3988 WMIC.exe Token: SeCreatePagefilePrivilege 3988 WMIC.exe Token: SeBackupPrivilege 3988 WMIC.exe Token: SeRestorePrivilege 3988 WMIC.exe Token: SeShutdownPrivilege 3988 WMIC.exe Token: SeDebugPrivilege 3988 WMIC.exe Token: SeSystemEnvironmentPrivilege 3988 WMIC.exe Token: SeRemoteShutdownPrivilege 3988 WMIC.exe Token: SeUndockPrivilege 3988 WMIC.exe Token: SeManageVolumePrivilege 3988 WMIC.exe Token: 33 3988 WMIC.exe Token: 34 3988 WMIC.exe Token: 35 3988 WMIC.exe Token: 36 3988 WMIC.exe Token: SeBackupPrivilege 4988 wbengine.exe Token: SeRestorePrivilege 4988 wbengine.exe Token: SeSecurityPrivilege 4988 wbengine.exe Token: SeIncreaseQuotaPrivilege 4644 WMIC.exe Token: SeSecurityPrivilege 4644 WMIC.exe Token: SeTakeOwnershipPrivilege 4644 WMIC.exe Token: SeLoadDriverPrivilege 4644 WMIC.exe Token: SeSystemProfilePrivilege 4644 WMIC.exe Token: SeSystemtimePrivilege 4644 WMIC.exe Token: SeProfSingleProcessPrivilege 4644 WMIC.exe Token: SeIncBasePriorityPrivilege 4644 WMIC.exe Token: SeCreatePagefilePrivilege 4644 WMIC.exe Token: SeBackupPrivilege 4644 WMIC.exe Token: SeRestorePrivilege 4644 WMIC.exe Token: SeShutdownPrivilege 4644 WMIC.exe Token: SeDebugPrivilege 4644 WMIC.exe Token: SeSystemEnvironmentPrivilege 4644 WMIC.exe Token: SeRemoteShutdownPrivilege 4644 WMIC.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 4688 wrote to memory of 3840 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 90 PID 4688 wrote to memory of 3840 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 90 PID 4688 wrote to memory of 1800 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 91 PID 4688 wrote to memory of 1800 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 91 PID 1800 wrote to memory of 928 1800 cmd.exe 97 PID 1800 wrote to memory of 928 1800 cmd.exe 97 PID 3840 wrote to memory of 4516 3840 cmd.exe 98 PID 3840 wrote to memory of 4516 3840 cmd.exe 98 PID 1800 wrote to memory of 1928 1800 cmd.exe 103 PID 1800 wrote to memory of 1928 1800 cmd.exe 103 PID 3840 wrote to memory of 3988 3840 cmd.exe 105 PID 3840 wrote to memory of 3988 3840 cmd.exe 105 PID 3840 wrote to memory of 2488 3840 cmd.exe 108 PID 3840 wrote to memory of 2488 3840 cmd.exe 108 PID 3840 wrote to memory of 1600 3840 cmd.exe 109 PID 3840 wrote to memory of 1600 3840 cmd.exe 109 PID 3840 wrote to memory of 2544 3840 cmd.exe 110 PID 3840 wrote to memory of 2544 3840 cmd.exe 110 PID 4688 wrote to memory of 2044 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 117 PID 4688 wrote to memory of 2044 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 117 PID 4688 wrote to memory of 2044 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 117 PID 4688 wrote to memory of 2628 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 118 PID 4688 wrote to memory of 2628 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 118 PID 4688 wrote to memory of 2628 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 118 PID 4688 wrote to memory of 4584 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 119 PID 4688 wrote to memory of 4584 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 119 PID 4688 wrote to memory of 4584 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 119 PID 4688 wrote to memory of 2464 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 120 PID 4688 wrote to memory of 2464 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 120 PID 4688 wrote to memory of 2464 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 120 PID 4688 wrote to memory of 2420 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 121 PID 4688 wrote to memory of 2420 4688 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe 121 PID 2420 wrote to memory of 3228 2420 cmd.exe 123 PID 2420 wrote to memory of 3228 2420 cmd.exe 123 PID 2420 wrote to memory of 4644 2420 cmd.exe 124 PID 2420 wrote to memory of 4644 2420 cmd.exe 124 PID 2420 wrote to memory of 3684 2420 cmd.exe 125 PID 2420 wrote to memory of 3684 2420 cmd.exe 125 PID 2420 wrote to memory of 308 2420 cmd.exe 126 PID 2420 wrote to memory of 308 2420 cmd.exe 126 PID 2420 wrote to memory of 628 2420 cmd.exe 127 PID 2420 wrote to memory of 628 2420 cmd.exe 127 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe"C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688 -
C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe"C:\Users\Admin\AppData\Local\Temp\408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c.exe"2⤵PID:4436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 4963⤵
- Program crash
PID:3252
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 5043⤵
- Program crash
PID:660
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 5403⤵
- Program crash
PID:4604
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4516
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2488
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:1600
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2544
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:928
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1928
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
PID:2044
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
PID:2628
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- System Location Discovery: System Language Discovery
PID:4584
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:2464
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3228
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:3684
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:308
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:628
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4436 -ip 44361⤵PID:3980
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4436 -ip 44361⤵PID:4416
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4436 -ip 44361⤵PID:2100
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4988
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3180
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:1212
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
3File Deletion
3Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id[5380384C-3483].[[email protected]].8base
Filesize3.6MB
MD5841c21e94b6e81780673833973d12495
SHA1a8df8d1466f5208ea4579637c6e49dff1d7c161d
SHA25648f179464e07f90e72812a8a19e5ef444a65f9fe5572224403826f97483f17b3
SHA5123e25e190cd56f0c0aad11ff7dc792e077135d181274fbfbeb7ed65703b2592b182f17e441a70f965508ddfed0715421d668b7b260530ab4962431871037ea00a
-
Filesize
5KB
MD50e068a963fbe96926b5e1d7767aea8f8
SHA18405474ffd306a77ac768457bb738dbcf8047cd0
SHA256d0d572098a0f48f36770065e1808f358aaee006cfe9048ec96b1725606849cd9
SHA512b2613a55be8af5458177b3a475eb4bea6fea4aa0ba1b847979c4039f457d11166dde9e18ec3aa73243ab907cf2e674765c759942f84ac321e38449e4c35a605e