Analysis
-
max time kernel
152s -
max time network
124s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
16-10-2020 16:39
Static task
static1
Behavioral task
behavioral1
Sample
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
Resource
win7
Behavioral task
behavioral2
Sample
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
Resource
win10v200722
General
-
Target
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
-
Size
92KB
-
MD5
98db57569da8c50de68fb69002c069cb
-
SHA1
5adf28157d29aae9e0ff25013c0ca084d3fe30c9
-
SHA256
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90
-
SHA512
bbcb7051ec432c67b9920e727660d1867bf5067b6a98a2feaaf53d7be6c54aeab68082a27bd7747560a456afd72508d1a35500022d04de7da20e8bdc20ce1ff7
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe = "C:\\Windows\\System32\\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe" e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe -
Drops desktop.ini file(s) 4 IoCs
Processes:
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exedescription ioc process File opened for modification C:\$Recycle.Bin\S-1-5-21-1400429095-533421673-2598934218-1000\desktop.ini e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\desktop.ini e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe -
Drops file in System32 directory 1 IoCs
Processes:
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exedescription ioc process File created C:\Windows\System32\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe -
Modifies service 2 TTPs 5 IoCs
Processes:
vssvc.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe -
Drops file in Program Files directory 32279 IoCs
Processes:
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\TimelessReport.dotx e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\sunmscapi.jar.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-black.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Peak_Jumper_.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Windows Defender\MsMpLics.dll e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag_retina.png.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\oledb32r.dll e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\DC_HolderUnearned.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ClrCompression.dll e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-100.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\ui-strings.js e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\SmallTile.scale-125.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-72_altform-unplated.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.boot.tree.dat e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\SplashScreen.scale-100.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_13d.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gu_60x42.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6416_20x20x32.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-disabled_32.svg.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Mozilla Firefox\ucrtbase.dll.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Microsoft.Packaging.RichJPG.winmd e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\ui-strings.js e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_TypeTextFields_White@1x.png.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right.gif.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\LargeTile.scale-125.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\javascript_poster.jpg e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-compat.xml.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_sw.dll e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\spider_bp_920.jpg e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\OneConnectWideTile.scale-100.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File created C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar.id-08866E7D.[decrypttme@airmail.cc].dme e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-125.png e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1020 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 498 IoCs
Processes:
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exepid process 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 3956 vssvc.exe Token: SeRestorePrivilege 3956 vssvc.exe Token: SeAuditPrivilege 3956 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.execmd.exedescription pid process target process PID 3816 wrote to memory of 2440 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe cmd.exe PID 3816 wrote to memory of 2440 3816 e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe cmd.exe PID 2440 wrote to memory of 3936 2440 cmd.exe mode.com PID 2440 wrote to memory of 3936 2440 cmd.exe mode.com PID 2440 wrote to memory of 1020 2440 cmd.exe vssadmin.exe PID 2440 wrote to memory of 1020 2440 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe"C:\Users\Admin\AppData\Local\Temp\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken