dharma | 55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d

General

Target

55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
Size

92KB
MD5

050f90d26e4490b3930d4ca9ac45d26b
SHA1

612d6d7a40229e45152dbd8a3563b2b28c809565
SHA256

55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d
SHA512

6d5f41e812a35b050e571530668cdf89b22390d6cda58c0511c754ee7ec56b2f7e0c683f946a8dc67265c0d14823d39a1a9057b310556b51290e36ccd3e429c7

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe = "C:\\Windows\\System32\\55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe"	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3751123196-3323558407-1869646069-1000\desktop.ini	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\desktop.ini	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

Drops file in System32 directory 1 IoCs

Processes:

55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

description	ioc	process
File created	C:\Windows\System32\55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

Drops file in Program Files directory 64 IoCs

Processes:

55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OsfInstallerConfig.xml.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WideTile.scale-100.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\ui-strings.js.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\EmptyStoryCover.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-300.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSI.TTF.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-125.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsLargeTile.scale-200.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\ui-strings.js.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Json\CallAction-AdaptiveCard.json	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-progress.jar.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-pl.xrm-ms.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-80.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-200.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-200.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-200.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsymxb.ttf	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-200.png	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_unselected_18.svg.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-oob.xrm-ms.id-437896C7.[[email protected]].arrow	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4864 vssadmin.exe

pid	process
4864	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

pid	process
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 4796 vssvc.exe
Token: SeRestorePrivilege 4796 vssvc.exe
Token: SeAuditPrivilege 4796 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	4796	vssvc.exe
Token: SeRestorePrivilege	4796	vssvc.exe
Token: SeAuditPrivilege	4796	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.execmd.exe

description	pid	process	target process
PID 920 wrote to memory of 4724	920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe	cmd.exe
PID 920 wrote to memory of 4724	920	55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe	cmd.exe
PID 4724 wrote to memory of 752	4724	cmd.exe	mode.com
PID 4724 wrote to memory of 752	4724	cmd.exe	mode.com
PID 4724 wrote to memory of 4864	4724	cmd.exe	vssadmin.exe
PID 4724 wrote to memory of 4864	4724	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe
"C:\Users\Admin\AppData\Local\Temp\55f111fa13c58f4e6eb6f9828621a463944b7de26fa09cff5a38c31f457def7d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4724
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:752
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-131-0x0000000000000000-mapping.dmp

Download
memory/4724-130-0x0000000000000000-mapping.dmp

Download
memory/4864-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads