dharma | d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb

General

Target

d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
Size

140KB
MD5

8b27c925e572714653a2275bd3e53010
SHA1

d00ebd3241cbc8785bb9360686c7a67745651b6f
SHA256

d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb
SHA512

605872bd214a51bed966898a772650b507525e79221e3d75658dbaebd8c570f00ed74551744b48d2dc6b268b69ba87b8859f39aea74fdc1a15fa01a7a308ca00

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to Telegram:@pexdata - our telegram contact or http://pexdatax.com/ or email [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

URLs

http://pexdatax.com/

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 4 IoCs

Processes:

d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe = "C:\\Windows\\System32\\d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe"	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Public\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1346565761-3498240568-4147300184-1000\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

Drops file in System32 directory 1 IoCs

Processes:

d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

description	ioc	process
File created	C:\Windows\System32\d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

Drops file in Program Files directory 64 IoCs

Processes:

d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\net.dll.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\th_get.svg.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\setup_wm.exe.mui	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-2.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-72.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-150.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_CatEye.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-40.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-ul-oob.xrm-ms	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated_contrast-white.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BSSYM7.TTF.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\TabTip32.exe.mui	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\ui-strings.js.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\identity_helper.Sparse.Stable.msix.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-32.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookMedTile.scale-100.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunchdlg.html	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\ui-strings.js.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-pl.xrm-ms	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-20.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-100.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\ui-strings.js.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\libdvdread_plugin.dll.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionLargeTile.scale-125.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\index.html	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-200.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-24_altform-unplated_contrast-black.png	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\AXIS.ELM.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SpeedSelectionSlider.xbf	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pa.pak.DATA.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-pl.xrm-ms	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.55\msedgeupdateres_ug.dll.id-C1A55723.[[email protected]].ROGER	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

428 vssadmin.exe
1256 vssadmin.exe

pid	process
428	vssadmin.exe
1256	vssadmin.exe

Modifies registry class 3 IoCs

Processes:

SearchApp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

pid	process
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3080 vssvc.exe
Token: SeRestorePrivilege 3080 vssvc.exe
Token: SeAuditPrivilege 3080 vssvc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchApp.exe

pid process

2620 SearchApp.exe

description	pid	process
Token: SeBackupPrivilege	3080	vssvc.exe
Token: SeRestorePrivilege	3080	vssvc.exe
Token: SeAuditPrivilege	3080	vssvc.exe

pid	process
2620	SearchApp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.execmd.exe

description	pid	process	target process
PID 2608 wrote to memory of 4496	2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe	cmd.exe
PID 2608 wrote to memory of 4496	2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe	cmd.exe
PID 4496 wrote to memory of 1296	4496	cmd.exe	mode.com
PID 4496 wrote to memory of 1296	4496	cmd.exe	mode.com
PID 4496 wrote to memory of 428	4496	cmd.exe	vssadmin.exe
PID 4496 wrote to memory of 428	4496	cmd.exe	vssadmin.exe
PID 2608 wrote to memory of 276	2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe	cmd.exe
PID 2608 wrote to memory of 276	2608	d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe
"C:\Users\Admin\AppData\Local\Temp\d4685c27c59c0a4cdf73553631692f4219901428ce53b92699770459bfcd0afb.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:1296
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:428
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:276
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:3980
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1256
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:4508
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
7KB

MD5
d209f6037dd41d512429914ef112a3d8

SHA1
101063e47398244f2658fa0ec050a6168b5476a2

SHA256
8be783548f9e392077221ff57208dfe506de437f0b831bdfac51266261956368

SHA512
421929266296fde80c4d04ff0d996eba86b5d9803b0f21581927585339a0d7e382c303b10f9fd2adad6f0f6182bb911bf691f8f8ca9815638f762f292be2708a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
7KB

MD5
d209f6037dd41d512429914ef112a3d8

SHA1
101063e47398244f2658fa0ec050a6168b5476a2

SHA256
8be783548f9e392077221ff57208dfe506de437f0b831bdfac51266261956368

SHA512
421929266296fde80c4d04ff0d996eba86b5d9803b0f21581927585339a0d7e382c303b10f9fd2adad6f0f6182bb911bf691f8f8ca9815638f762f292be2708a

Download Submit
memory/276-137-0x0000000000000000-mapping.dmp

Download
memory/428-136-0x0000000000000000-mapping.dmp

Download
memory/540-145-0x0000000000000000-mapping.dmp

Download
memory/1256-139-0x0000000000000000-mapping.dmp

Download
memory/1296-134-0x0000000000000000-mapping.dmp

Download
memory/2608-135-0x0000000000400000-0x0000000002FAD000-memory.dmp

Filesize
43.7MB

Download
memory/2608-130-0x0000000003279000-0x000000000328C000-memory.dmp

Filesize
76KB

Download
memory/2608-133-0x0000000003240000-0x0000000003259000-memory.dmp

Filesize
100KB

Download
memory/2608-132-0x0000000003279000-0x000000000328C000-memory.dmp

Filesize
76KB

Download
memory/3980-138-0x0000000000000000-mapping.dmp

Download
memory/4496-131-0x0000000000000000-mapping.dmp

Download
memory/4508-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads