dharma | e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90

General

Target

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
Size

92KB
MD5

98db57569da8c50de68fb69002c069cb
SHA1

5adf28157d29aae9e0ff25013c0ca084d3fe30c9
SHA256

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90
SHA512

bbcb7051ec432c67b9920e727660d1867bf5067b6a98a2feaaf53d7be6c54aeab68082a27bd7747560a456afd72508d1a35500022d04de7da20e8bdc20ce1ff7

Score

10^/10

ransomware dharma persistence spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Ransom Note

all your data has been locked us You want to return? write email decrypttme@airmail.cc or decryptttme@protonmail.com

Emails

decrypttme@airmail.cc

decryptttme@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email decrypttme@airmail.cc YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: decryptttme@protonmail.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

decrypttme@airmail.cc

decryptttme@protonmail.com

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\InstallRedo.tiff	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Drops startup file 5 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe = "C:\\Windows\\System32\\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe"	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Drops desktop.ini file(s) 77 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V8SX06NR\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TGVUK4BG\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OLSU73OI\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AJM03J3Y\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1MJ70CPH\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GVV7BJHB\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Drops file in System32 directory 2 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
File created	C:\Windows\System32\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Windows\System32\Info.hta	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 27834 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00703L.GIF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libantiflicker_plugin.dll	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\LEVEL\LEVEL.ELM	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Common Files\Microsoft Shared\THEMES14\SONORA\SONORA.INF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\IN00346_.WMF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\SNIPE.POC	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VSTAClientPkgUI.dll	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0185776.WMF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpcore_4.2.5.v201311072007.jar.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\MANIFEST.MF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02578_.WMF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql90.xsl.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javafx.properties.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152694.WMF	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DigSig.api.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\setup_wm.exe.mui	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00768_.WMF	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sawindbg.dll.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0188519.WMF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0229385.WMF	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\PROOF\MSLID.DLL	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\handsafe.reg	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0215210.WMF	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\BCSClient.Msg.dll.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\WATER\WATER.ELM	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\47.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21481_.GIF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Effects\Perspective.eftx.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107314.WMF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE05665_.WMF	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0278882.WMF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107314.WMF.id-264CC781.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18221_.WMF	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1752 vssadmin.exe
1672 vssadmin.exe

pid	process
1752	vssadmin.exe
1672	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 250 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

pid	process
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1608 vssvc.exe
Token: SeRestorePrivilege 1608 vssvc.exe
Token: SeAuditPrivilege 1608 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1608	vssvc.exe
Token: SeRestorePrivilege	1608	vssvc.exe
Token: SeAuditPrivilege	1608	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.execmd.execmd.exe

description	pid	process	target process
PID 672 wrote to memory of 1760	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 672 wrote to memory of 1760	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 672 wrote to memory of 1760	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 672 wrote to memory of 1760	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 1760 wrote to memory of 1840	1760	cmd.exe	mode.com
PID 1760 wrote to memory of 1840	1760	cmd.exe	mode.com
PID 1760 wrote to memory of 1840	1760	cmd.exe	mode.com
PID 1760 wrote to memory of 1752	1760	cmd.exe	vssadmin.exe
PID 1760 wrote to memory of 1752	1760	cmd.exe	vssadmin.exe
PID 1760 wrote to memory of 1752	1760	cmd.exe	vssadmin.exe
PID 672 wrote to memory of 1596	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 672 wrote to memory of 1596	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 672 wrote to memory of 1596	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 672 wrote to memory of 1596	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 1596 wrote to memory of 1824	1596	cmd.exe	mode.com
PID 1596 wrote to memory of 1824	1596	cmd.exe	mode.com
PID 1596 wrote to memory of 1824	1596	cmd.exe	mode.com
PID 1596 wrote to memory of 1672	1596	cmd.exe	vssadmin.exe
PID 1596 wrote to memory of 1672	1596	cmd.exe	vssadmin.exe
PID 1596 wrote to memory of 1672	1596	cmd.exe	vssadmin.exe
PID 672 wrote to memory of 1980	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	mshta.exe
PID 672 wrote to memory of 1980	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	mshta.exe
PID 672 wrote to memory of 1980	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	mshta.exe
PID 672 wrote to memory of 1980	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	mshta.exe
PID 672 wrote to memory of 1184	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	mshta.exe
PID 672 wrote to memory of 1184	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	mshta.exe
PID 672 wrote to memory of 1184	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	mshta.exe
PID 672 wrote to memory of 1184	672	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
"C:\Users\Admin\AppData\Local\Temp\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1840

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1752

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1824

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1672

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:1980

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:1184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1608

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
96f2bad7ea8079782ec4c79e70882c59

SHA1
b466b13a82231e5380540117635b00adc409e339

SHA256
7953f7bd8f59b19e056548477acd0363b65325b125402ae072a8e87633e1eb93

SHA512
4bcf83c27a0e9cc373a7afc18dea4f45f9181af90c0f208957b7122d5c34dda037a89d04dfb869dbe8f3399eb4dafbbdde6268d2bf2156c78749d166f31fddb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
96f2bad7ea8079782ec4c79e70882c59

SHA1
b466b13a82231e5380540117635b00adc409e339

SHA256
7953f7bd8f59b19e056548477acd0363b65325b125402ae072a8e87633e1eb93

SHA512
4bcf83c27a0e9cc373a7afc18dea4f45f9181af90c0f208957b7122d5c34dda037a89d04dfb869dbe8f3399eb4dafbbdde6268d2bf2156c78749d166f31fddb1

Download Submit
memory/1184-7-0x0000000000000000-mapping.dmp

Download
memory/1528-10-0x000007FEF7AF0000-0x000007FEF7D6A000-memory.dmp

Filesize
2.5MB

Download
memory/1596-3-0x0000000000000000-mapping.dmp

Download
memory/1672-5-0x0000000000000000-mapping.dmp

Download
memory/1752-2-0x0000000000000000-mapping.dmp

Download
memory/1760-0-0x0000000000000000-mapping.dmp

Download
memory/1824-4-0x0000000000000000-mapping.dmp

Download
memory/1840-1-0x0000000000000000-mapping.dmp

Download
memory/1980-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads