Resubmissions
- 14-02-2024 03:46  240214-ebskgagb2t  10
- 14-02-2024 03:40  240214-d8m6kshc42  10
- 14-02-2024 03:37  240214-d6vgwafh5v  10
- 11-09-2020 08:09  200911-rexcktjp1n  10

Analysis
- max time kernel: 152s
- max time network: 71s
- platform: windows10_x64
- resource: win10v200722
- submitted: 11-09-2020 08:09
Static task: static1
Behavioral task: behavioral1
  Sample: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
  Resource: win10v200722
General
- Target: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
- Size: 92KB
- MD5: b075d1e9bc442a09f38d91133cd8c900
- SHA1: 8829d9ce9067abb421df21c24b31b5e0ffbf5ca6
- SHA256: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d
- SHA512: 047d0a3535b33e5058f14c4dee97434278327cd9ffe93b373f23ebbf8e5d02374a5af3526050fd78a1758ef67e95d24b403c5393a1cd9036302ae7eed5705957
Malware Config
Signatures
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (1 IoC)
  Processes: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe (process: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe = "C:\\Windows\\System32\\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe" (process: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe)
- Drops desktop.ini file(s) (4 IoCs)
  Processes: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-1400429095-533421673-2598934218-1000\desktop.ini (process: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe)
  File opened for modification: C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini (process: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe)
  File opened for modification: C:\Program Files\desktop.ini (process: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe)
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI (process: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe)
- Drops file in System32 directory (1 IoC)
  Processes: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
  File created: C:\Windows\System32\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe (process: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe)
- Modifies service (2 TTPs, 5 IoCs)
  Processes: vssvc.exe
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} (process: vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (process: vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (process: vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (process: vssvc.exe)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (process: vssvc.exe)
- Drops file in Program Files directory (23379 IoCs)
  Processes: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (pid 2136)
- Suspicious behavior: EnumeratesProcesses (576 IoCs)
  Processes: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe (pid 4040)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  Token: SeBackupPrivilege (pid 3288, vssvc.exe)
  Token: SeRestorePrivilege (pid 3288, vssvc.exe)
  Token: SeAuditPrivilege (pid 3288, vssvc.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe, cmd.exe
  PID 4040 wrote to memory of 2388 (553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe -> cmd.exe)
  PID 4040 wrote to memory of 2388 (553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe -> cmd.exe)
  PID 2388 wrote to memory of 412 (cmd.exe -> mode.com)
  PID 2388 wrote to memory of 412 (cmd.exe -> mode.com)
  PID 2388 wrote to memory of 2136 (cmd.exe -> vssadmin.exe)
  PID 2388 wrote to memory of 2136 (cmd.exe -> vssadmin.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\553532c3bc00e3b85bcbac054bc4f05cb4fffba6f44a17c663dd37732ce1772d.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken