dharma | 123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea

General

Target

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
Size

3.7MB
MD5

f5adcc295d58d72e8a3dc5068b89241b
SHA1

a8420f69ae8b8cf95fafe56d4c16b9f01e83e741
SHA256

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea
SHA512

fc4256f79c4c637bd8d0e0eee245ee9a6b789b173314db9f7fc5352e068357cd8fda1f5638af9d0467c3b8f380e8536d9996dc86c74ea84d3703928d4968a651

Score

10^/10

dharma evasion persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

Drops startup file 1 IoCs

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Wine	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe = "C:\\Windows\\System32\\123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe"	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1809750270-3141839489-3074374771-1000\desktop.ini	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\desktop.ini	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

Drops file in System32 directory 1 IoCs

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

description	ioc	process
File created	C:\Windows\System32\123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

pid process

4476 123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

Drops file in Program Files directory 64 IoCs

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\d3dcompiler_47.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\InvokeUninstall.raw.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jvmticmlr.h.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipssrl.xml	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\drive.crx	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprsr.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\CompleteConfirm.mp4.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\desktop.ini	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msader15.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcer.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\libEGL.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\icudtl.dat.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.id-C36EEE4A.[[email protected]].ncov	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4076 vssadmin.exe

pid	process
4076	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

pid	process
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.execmd.exe

description	pid	process	target process
PID 4476 wrote to memory of 4348	4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe	cmd.exe
PID 4476 wrote to memory of 4348	4476	123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe	cmd.exe
PID 4348 wrote to memory of 4340	4348	cmd.exe	mode.com
PID 4348 wrote to memory of 4340	4348	cmd.exe	mode.com
PID 4348 wrote to memory of 4076	4348	cmd.exe	vssadmin.exe
PID 4348 wrote to memory of 4076	4348	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe
"C:\Users\Admin\AppData\Local\Temp\123a5fd056af259f61651556412318f30af49d435a442acc4c79def21aa172ea.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:4340

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4076-136-0x0000000000000000-mapping.dmp

Download
memory/4340-135-0x0000000000000000-mapping.dmp

Download
memory/4348-134-0x0000000000000000-mapping.dmp

Download
memory/4476-130-0x0000000076F40000-0x00000000770E3000-memory.dmp

Filesize
1.6MB

Download
memory/4476-131-0x0000000000400000-0x0000000000C5D000-memory.dmp

Filesize
8.4MB

Download
memory/4476-132-0x000000000CD90000-0x000000000CDC4000-memory.dmp

Filesize
208KB

Download
memory/4476-133-0x0000000000400000-0x0000000000C5D000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads