Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20250217-en
- resource tags: arch:x64 arch:x86 image:win11-20250217-en locale:en-us os:windows11-21h2-x64 system
- submitted: 06/03/2025, 21:07
Static task: static1
Behavioral task: behavioral1
- Sample: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe
- Resource: win11-20250217-en
General
- Target: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe
- Size: 70KB
- MD5: 760b7e6a810644e590d70673b6f5e63a
- SHA1: f60f8a4a666d7c3226f30dddfe69472e1a88b579
- SHA256: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638
- SHA512: 8a583dc0e81b4e67053c3175fa29ab7042dbc621cbe7181a3bbfbc7661d6faea3b8be1a1fdcd968fcc388c94394de9858ec537c479c19f9878a831a20ddffd83
- SSDEEP: 1536:cFOPbkyoTwtPto0Rl0DsN9/zLec5oGFACZrqdKaNSEjrZKk:cYPxAwtPtoe/zLaGmCZrqcaYEjrZK
Malware Config
Extracted
C:\info.hta
https://pidgin.im/download/windows/
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Phobos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (70) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
- PID 780: netsh.exe
- PID 2168: netsh.exe
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 3 IoCs
- File created: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe (process: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (process: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[B9467A40-0001].[[email protected]].phobos (process: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe)
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638 = "C:\\Users\\Admin\\AppData\\Local\\fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe" (process: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000\Software\Microsoft\Windows\CurrentVersion\Run\fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638 = "C:\\Users\\Admin\\AppData\\Local\\fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe" (process: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe)
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (process: netsh.exe)
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mshta.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mshta.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mshta.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: mshta.exe)
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
- PID 952: vssadmin.exe
- PID 3160: vssadmin.exe
-
Modifies registry class 1 IoCs
- Key created: \REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings (process: fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
- Token: SeBackupPrivilege (PID 2324, vssvc.exe)
- Token: SeRestorePrivilege (PID 2324, vssvc.exe)
- Token: SeAuditPrivilege (PID 2324, vssvc.exe)
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- [PID 2592] C:\Users\Admin\AppData\Local\Temp\fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe"
  Signatures: Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
  - [PID 4936] C:\Users\Admin\AppData\Local\Temp\fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fe1b479880db7637fc96d334f216e5e966879a77fac1b85d1fd892a050fbe638.exe"
  - [PID 2912] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 952] C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - [PID 3324] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 780] C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall set currentprofile state off
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
    - [PID 2168] C:\Windows\system32\netsh.exe
      Command line: netsh firewall set opmode mode=disable
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
  - [PID 392] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Signatures: System Location Discovery: System Language Discovery
  - [PID 4732] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Signatures: System Location Discovery: System Language Discovery
  - [PID 1120] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Signatures: System Location Discovery: System Language Discovery
  - [PID 4364] C:\Windows\SysWOW64\mshta.exe
    Command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    Signatures: System Location Discovery: System Language Discovery
  - [PID 4704] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 3160] C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
- [PID 2324] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Direct Volume Access (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 8KB
- MD5: 04f1930161622dbd27669c32bdcbb75d
- SHA1: f96f03404696f0fbf709545659f48ba35d48aaaa
- SHA256: f6de07d0e710f629de4fc57cdac8a047130105f967c4f995adac14418c197a20
- SHA512: 68c9f08fa531ec1ba1bb26e46ce1ac75872ff0f29e7b79fc78c8e1301f5091be058548e5fe2e83e796b1f70dc9132dd8afe0a153c35d1f9ab66b6687f248b89e