dharma | 87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767

General

Target

87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
Size

267KB
MD5

082973ffc65f68aa42aec9bbab90de1b
SHA1

3a3e4616f5e1163a4960cf64cd96a7ad63c48bb8
SHA256

87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767
SHA512

4098c24b84117d54765e763986ec252a64e852f8c34d114d3ec6c8106a49358c283bf829203c1ddd897751381754d9a2849149a33e36ba6a400e34530a3f0bdf

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe = "C:\\Windows\\System32\\87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe"	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1081944012-3634099177-1681222835-1000\desktop.ini	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

Drops file in System32 directory 1 IoCs

Processes:

87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

description	ioc	process
File created	C:\Windows\System32\87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

Drops file in Program Files directory 64 IoCs

Processes:

87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\mr.pak.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\EnablePush.emf	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\id.pak	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\vi.pak.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCalls.c.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkDrop32x32.gif	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\nb.pak.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Content.xml	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.exe.sig.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-US.pak.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\external_extensions.json	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ca.pak.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.ini.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\invalid32x32.gif.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\youtube.crx.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ar.pak	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\tr.pak.id-DF2F9EB7.[telegram_@spacedatax].ROGER	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3552	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1864	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
2856	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
4624	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
5068	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1792	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1104	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
4376	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
792	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
388	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
2996	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
3980	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
3320	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
616	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
2412	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
2500	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
3792	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
3168	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
4684	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
4536	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
4156	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
4556	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
4596	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
3900	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1764	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1804	1288	WerFault.exe	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4196 vssadmin.exe

pid	process
4196	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

pid	process
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3740 vssvc.exe
Token: SeRestorePrivilege 3740 vssvc.exe
Token: SeAuditPrivilege 3740 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3740	vssvc.exe
Token: SeRestorePrivilege	3740	vssvc.exe
Token: SeAuditPrivilege	3740	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.execmd.exe

description	pid	process	target process
PID 1288 wrote to memory of 32	1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe	cmd.exe
PID 1288 wrote to memory of 32	1288	87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe	cmd.exe
PID 32 wrote to memory of 1912	32	cmd.exe	mode.com
PID 32 wrote to memory of 1912	32	cmd.exe	mode.com
PID 32 wrote to memory of 4196	32	cmd.exe	vssadmin.exe
PID 32 wrote to memory of 4196	32	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe
"C:\Users\Admin\AppData\Local\Temp\87bba561f6a0f7cd29f92211be2fe0de2541f6d5ab321e42aeabd8c2de4f5767.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1912

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 520
2⤵
- Program crash
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 588
2⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 524
2⤵
- Program crash
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 604
2⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 596
2⤵
- Program crash
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 688
2⤵
- Program crash
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 732
2⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 760
2⤵
- Program crash
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 784
2⤵
- Program crash
PID:792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 800
2⤵
- Program crash
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 820
2⤵
- Program crash
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 840
2⤵
- Program crash
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 876
2⤵
- Program crash
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 892
2⤵
- Program crash
PID:616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 900
2⤵
- Program crash
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 840
2⤵
- Program crash
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 844
2⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 992
2⤵
- Program crash
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1000
2⤵
- Program crash
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 996
2⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1000
2⤵
- Program crash
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 920
2⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 968
2⤵
- Program crash
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 960
2⤵
- Program crash
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 888
2⤵
- Program crash
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 920
2⤵
- Program crash
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1288 -ip 1288
1⤵
PID:4412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1288 -ip 1288
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1288 -ip 1288
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1288 -ip 1288
1⤵
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1288 -ip 1288
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1288 -ip 1288
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1288 -ip 1288
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1288 -ip 1288
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1288 -ip 1288
1⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1288 -ip 1288
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1288 -ip 1288
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1288 -ip 1288
1⤵
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1288 -ip 1288
1⤵
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1288 -ip 1288
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1288 -ip 1288
1⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1288 -ip 1288
1⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1288 -ip 1288
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1288 -ip 1288
1⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1288 -ip 1288
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1288 -ip 1288
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1288 -ip 1288
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1288 -ip 1288
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1288 -ip 1288
1⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1288 -ip 1288
1⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1288 -ip 1288
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1288 -ip 1288
1⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1288 -ip 1288
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1288 -ip 1288
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/32-133-0x0000000000000000-mapping.dmp

Download
memory/1288-130-0x0000000000C88000-0x0000000000C9C000-memory.dmp

Filesize
80KB

Download
memory/1288-131-0x0000000000DD0000-0x0000000000DE9000-memory.dmp

Filesize
100KB

Download
memory/1288-132-0x0000000000400000-0x0000000000C1C000-memory.dmp

Filesize
8.1MB

Download
memory/1912-134-0x0000000000000000-mapping.dmp

Download
memory/4196-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads