dharma | e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90

General

Target

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
Size

92KB
MD5

98db57569da8c50de68fb69002c069cb
SHA1

5adf28157d29aae9e0ff25013c0ca084d3fe30c9
SHA256

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90
SHA512

bbcb7051ec432c67b9920e727660d1867bf5067b6a98a2feaaf53d7be6c54aeab68082a27bd7747560a456afd72508d1a35500022d04de7da20e8bdc20ce1ff7

Score

10^/10

persistence ransomware dharma

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe = "C:\\Windows\\System32\\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe"	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1400429095-533421673-2598934218-1000\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\desktop.ini	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Drops file in System32 directory 1 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
File created	C:\Windows\System32\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops file in Program Files directory 32279 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimelessReport.dotx	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunmscapi.jar.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-125_contrast-black.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Peak_Jumper_.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag_retina.png.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\circle_2x.png.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul.xrm-ms	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\DC_HolderUnearned.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\ClrCompression.dll	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-100.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\ui-strings.js	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\SmallTile.scale-125.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-72_altform-unplated.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.boot.tree.dat	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\SplashScreen.scale-100.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\western_13d.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_ES.LEX.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gu_60x42.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6416_20x20x32.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-disabled_32.svg.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ul-oob.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ucrtbase.dll.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Microsoft.Packaging.RichJPG.winmd	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\ui-strings.js.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\ui-strings.js	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_TypeTextFields_White@1x.png.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right.gif.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\LargeTile.scale-125.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\javascript_poster.jpg	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-compat.xml.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_ja_4.4.0.v20140623020002.jar	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_sw.dll	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\MainPageState2\spider_bp_920.jpg	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\OneConnectWideTile.scale-100.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RTC.der	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File created	C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar.id-08866E7D.[decrypttme@airmail.cc].dme	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-125.png	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1020 vssadmin.exe

pid	process
1020	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 498 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

pid	process
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3956 vssvc.exe
Token: SeRestorePrivilege 3956 vssvc.exe
Token: SeAuditPrivilege 3956 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3956	vssvc.exe
Token: SeRestorePrivilege	3956	vssvc.exe
Token: SeAuditPrivilege	3956	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.execmd.exe

description	pid	process	target process
PID 3816 wrote to memory of 2440	3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 3816 wrote to memory of 2440	3816	e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe	cmd.exe
PID 2440 wrote to memory of 3936	2440	cmd.exe	mode.com
PID 2440 wrote to memory of 3936	2440	cmd.exe	mode.com
PID 2440 wrote to memory of 1020	2440	cmd.exe	vssadmin.exe
PID 2440 wrote to memory of 1020	2440	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe
"C:\Users\Admin\AppData\Local\Temp\e4a43f0bb8216496b95826c2c1aeb2f3ece6a7d87a8dbc7a0cc6a3935ace3d90.bin.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3816