Analysis
max time kernel: 165s
max time network: 81s
platform: windows7_x64
resource: win7-20220414-en
submitted: 12-05-2022 11:59
Static task: static1
Behavioral task: behavioral1
  Sample: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
  Resource: win10v2004-20220414-en
General
Target: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
Size: 240KB
MD5: 7bdd62b697e996cabb3a992be8532971
SHA1: 3a9052106aa104c96ac3028faa71b09ef7ee5b69
SHA256: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4
SHA512: fe5568b10cbb97e5122d43e4ad8dfeddc0c09b6c6ae44ff07366a4202fbaedc4d589b36c46419e359a29f6e32cab4849712fafcb635dfc72c82c5f0b3e939651
Malware Config
Signatures
- Dharma
Dharma is a ransomware family (a descendant of CrySiS). Some of its campaigns bundle the payload with a legitimate security-software installer so that the installer's activity masks the encryption.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
- Drops startup file 1 IoCs
Process: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 1 IoCs
Process: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe = "C:\Windows\System32\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe"
Drops desktop.ini file(s) 12 IoCs
Process: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  File opened for modification: C:\Program Files (x86)\desktop.ini
  File opened for modification: C:\Program Files\desktop.ini
  File opened for modification: C:\Program Files\Microsoft Games\Purble Place\desktop.ini
  File opened for modification: C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
  File opened for modification: C:\Program Files\Microsoft Games\FreeCell\desktop.ini
  File opened for modification: C:\Program Files\Microsoft Games\Hearts\desktop.ini
  File opened for modification: C:\Program Files\Microsoft Games\Solitaire\desktop.ini
  File opened for modification: C:\Program Files\Microsoft Games\Mahjong\desktop.ini
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-1083475884-596052423-1669053738-1000\desktop.ini
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  File opened for modification: C:\Program Files\Microsoft Games\Chess\desktop.ini
Drops file in System32 directory 1 IoCs
Process: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
  File created: C:\Windows\System32\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
Drops file in Program Files directory 64 IoCs
Process: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe
  File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\it.pak.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\gadget.xml
  File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\calendar.html
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152702.WMF
  File opened for modification: C:\Program Files\Common Files\System\msadc\es-ES\msadcfr.dll.mui
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary
  File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.ja_5.5.0.165303.jar.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui
  File opened for modification: C:\Program Files\DVD Maker\es-ES\OmdProject.dll.mui
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server.jar.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107730.WMF.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_ja.jar.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090027.WMF.id-25153A00.[telegram_@spacedatax].ROGER
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287020.WMF.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\7-Zip\Lang\fy.txt.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\te.pak
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh87
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG.id-25153A00.[telegram_@spacedatax].ROGER
  File created: C:\Program Files\7-Zip\Lang\uk.txt.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\libxml2.dll.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.jpg
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\THMBNAIL.PNG
  File opened for modification: C:\Program Files\Common Files\System\msadc\msdaprst.dll
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185780.WMF.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF
  File created: C:\Program Files\Java\jre7\bin\java.exe.id-25153A00.[telegram_@spacedatax].ROGER
  File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jre7\bin\unpack.dll.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png
  File opened for modification: C:\Program Files\SetPush.rle
  File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\OrangeCircles.jpg
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00242_.WMF.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar
  File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar
  File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00454_.WMF.id-25153A00.[telegram_@spacedatax].ROGER
  File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml
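The renamed files above all carry the same suffix, `.id-25153A00.[telegram_@spacedatax].ROGER`: an eight-hex-digit victim ID, the attacker's contact handle in square brackets, and the appended extension. Parsing that suffix off a file listing gives an incident responder the original filenames to restore from backup and a quick count of how far the encryption got. The following is an added example, not part of the sandbox report; the `<name>.id-<8 hex>.[<contact>].<ext>` layout is inferred from the names listed on this page, and the file listing embedded in the code is constructed from those same paths.

```python
"""Parse the renamed-file pattern this sample leaves behind.

Added illustration, not part of the sandbox report. SAMPLE_LISTING is constructed
from paths in the IoC list above; the <name>.id-<8 hex>.[<contact>].<ext> layout
is inferred from those names.
"""
import ntpath
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Lazy "orig" group lets the original name keep its own extension (e.g. "java.exe").
RANSOM_NAME = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<vid>[0-9A-Fa-f]{8})\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[^.\\/]+)$"
)

# Constructed listing: three renamed files and two untouched ones, all from this report.
SAMPLE_LISTING = [
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.id-25153A00.[telegram_@spacedatax].ROGER",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf.id-25153A00.[telegram_@spacedatax].ROGER",
    r"C:\Program Files\Java\jre7\bin\java.exe.id-25153A00.[telegram_@spacedatax].ROGER",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang",
    r"C:\Program Files\desktop.ini",
]


def parse_ransom_name(path: str) -> Optional[Dict[str, str]]:
    """Split a renamed file into original path, victim ID, contact handle and appended extension.

    Returns None for a name that does not carry the suffix.
    """
    directory, name = ntpath.split(path)
    m = RANSOM_NAME.match(name)
    if m is None:
        return None
    return {
        "original_path": ntpath.join(directory, m["orig"]),
        "victim_id": m["vid"].upper(),
        "contact": m["contact"],
        "extension": m["ext"],
    }


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise a listing: how much was renamed, under which ID/contact, and what to restore."""
    encrypted: List[Dict[str, str]] = []
    untouched = 0
    for p in paths:
        info = parse_ransom_name(p)
        if info is None:
            untouched += 1
        else:
            encrypted.append(info)
    return {
        "encrypted": len(encrypted),
        "untouched": untouched,
        "victim_ids": sorted({i["victim_id"] for i in encrypted}),
        "contacts": sorted({i["contact"] for i in encrypted}),
        "extensions": Counter(i["extension"] for i in encrypted),
        "originals": [i["original_path"] for i in encrypted],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print(summary["encrypted"], "renamed,", summary["untouched"], "untouched")
    for orig in summary["originals"]:
        print("restore:", orig)
```

Feed `triage` the output of a recursive directory walk over an affected share to get the restore list; the victim ID and contact sets also tell you whether more than one affiliate or campaign touched the same filesystem.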
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Process: vssadmin.exe (PID 1920)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Process: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe (PID 1760), 64 occurrences
Suspicious use of AdjustPrivilegeToken 3 IoCs
Process: vssvc.exe (PID 520)
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeAuditPrivilege
Suspicious use of WriteProcessMemory 10 IoCs
Processes: bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe, cmd.exe
  PID 1760 bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe wrote to memory of PID 908 cmd.exe (4 events)
  PID 908 cmd.exe wrote to memory of PID 2036 mode.com (3 events)
  PID 908 cmd.exe wrote to memory of PID 1920 vssadmin.exe (3 events)
Each of these writes is from a parent into a child it has just created, which is ordinary process start-up rather than injection; the signal here is the command lines of the children, not the writes themselves.
Processes
- C:\Users\Admin\AppData\Local\Temp\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe  "C:\Users\Admin\AppData\Local\Temp\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe"  (PID: 1760)
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe  "C:\Windows\system32\cmd.exe"  (PID: 908)
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com  mode con cp select=1251  (PID: 2036)
      Switches the console to code page 1251 (Windows Cyrillic) before the next command runs.
    - C:\Windows\system32\vssadmin.exe  vssadmin delete shadows /all /quiet  (PID: 1920)
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  (PID: 520)
  - Suspicious use of AdjustPrivilegeToken
  The Volume Shadow Copy service, started by the Service Control Manager to carry out the vssadmin request, which is why it appears as a separate tree rather than under cmd.exe.
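The process tree above is the whole detection story for this sample in four events: a binary running from the user's Temp directory spawns cmd.exe, which runs a code-page switch and then `vssadmin delete shadows /all /quiet`, while the same binary copies itself into System32, points an HKLM Run key at that copy, and drops a second copy in the Startup folder. The following is an added example, not part of the sandbox report, of how a detection engineer would correlate those signals from process, file and registry telemetry. The event records are constructed from the PIDs, command lines and paths on this page; the parent PID of the sample itself (1000, standing in for explorer.exe) is an assumption, and the `wmic shadowcopy delete` phrasing is a generalisation beyond what this report shows.

```python
"""Correlate process, file and registry telemetry into the behaviours this report lists.

Added illustration, not part of the sandbox report. EVENTS is constructed from the
process tree and IoCs on the page; the sample's own parent PID (1000) is assumed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe"
SELF_COPY = r"C:\Windows\System32\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bf7912bd83f3a74062274ff0cedd43c64282f5afaf88e77497673433e1ca07b4.exe"


@dataclass
class Event:
    kind: str          # "process", "file" or "registry"
    pid: int           # acting process
    image: str         # full path of the acting process
    ppid: int = 0      # process events: parent PID
    cmdline: str = ""  # process events: command line
    target: str = ""   # file events: path; registry events: value path
    data: str = ""     # file events: action; registry events: value data


# Constructed telemetry modelled on the report; ppid=1000 for the sample is an assumption.
EVENTS = [
    Event("process", 1760, SAMPLE, ppid=1000, cmdline=f'"{SAMPLE}"'),
    Event("file", 1760, SAMPLE, target=SELF_COPY, data="created"),
    Event("file", 1760, SAMPLE, target=STARTUP, data="created"),
    Event("registry", 1760, SAMPLE, target=RUN_KEY, data=f'"{SELF_COPY}"'),
    Event("process", 908, r"C:\Windows\system32\cmd.exe", ppid=1760, cmdline='"C:\\Windows\\system32\\cmd.exe"'),
    Event("process", 2036, r"C:\Windows\system32\mode.com", ppid=908, cmdline="mode con cp select=1251"),
    Event("process", 1920, r"C:\Windows\system32\vssadmin.exe", ppid=908, cmdline="vssadmin delete shadows /all /quiet"),
    # Benign administrative use of the same binary: must not fire.
    Event("process", 3001, r"C:\Windows\system32\vssadmin.exe", ppid=1000, cmdline="vssadmin list shadows"),
]

# vssadmin and wmic phrasings of shadow-copy destruction (wmic generalises beyond this report).
SHADOW_DELETE = re.compile(r"\b(?:delete\s+shadows|shadowcopy\s+delete)\b", re.I)
CODEPAGE_SWITCH = re.compile(r"\bcp\s+select=\d+", re.I)


def basename(path: str) -> str:
    return ntpath.basename(path.strip('"')).lower()


def root_ancestor(pid: int, procs: Dict[int, Event]) -> Optional[Event]:
    """Walk parent links as far as the telemetry allows and return the top-most process."""
    ev = procs.get(pid)
    seen = set()
    while ev is not None and ev.ppid in procs and ev.pid not in seen:
        seen.add(ev.pid)
        ev = procs[ev.ppid]
    return ev


def detect(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the behaviours listed in this report."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    created = {(e.pid, e.target.lower()) for e in events if e.kind == "file" and e.data == "created"}
    findings: List[Tuple[str, int, str]] = []
    for e in events:
        if e.kind == "process":
            name = basename(e.image)
            if name in ("vssadmin.exe", "wmic.exe") and SHADOW_DELETE.search(e.cmdline):
                root = root_ancestor(e.pid, procs)
                origin = basename(root.image) if root else "unknown"
                findings.append(("shadow_copy_deletion", e.pid, f"{e.cmdline} (launched under {origin})"))
            elif name == "mode.com" and CODEPAGE_SWITCH.search(e.cmdline):
                findings.append(("console_codepage_switch", e.pid, e.cmdline))
        elif e.kind == "file" and "\\start menu\\programs\\startup\\" in e.target.lower():
            findings.append(("startup_folder_drop", e.pid, e.target))
        elif e.kind == "registry" and "\\currentversion\\run\\" in e.target.lower():
            dest = e.data.strip('"').lower()
            # Persistence that points at a copy the same process just wrote under System32.
            if dest.startswith("c:\\windows\\system32\\") and (e.pid, dest) in created:
                findings.append(("run_key_to_self_copy", e.pid, dest))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

The ancestor walk matters more than the vssadmin match itself: backup software and administrators also call `vssadmin delete shadows`, so the useful alert names the process at the top of the chain (here an executable running from `AppData\Local\Temp`) rather than cmd.exe. The Run-key rule is deliberately narrow, firing only when the value points at a file the same process created, which is the self-copy pattern this report records.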
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/908-57-0x0000000000000000-mapping.dmp
- memory/1760-54-0x000000000030B000-0x000000000031E000-memory.dmp (76KB)
- memory/1760-55-0x00000000001B0000-0x00000000001C9000-memory.dmp (100KB)
- memory/1760-56-0x0000000075451000-0x0000000075453000-memory.dmp (8KB)
- memory/1760-60-0x0000000000400000-0x0000000004DB8000-memory.dmp (73.7MB)
- memory/1920-59-0x0000000000000000-mapping.dmp
- memory/2036-58-0x0000000000000000-mapping.dmp