dharma | 63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8

General

Target

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
Size

446KB
MD5

2cd0b38ee73521578c487b744606c63c
SHA1

9fa52716f72d2950acbbcdc63fb8521cd85e9440
SHA256

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8
SHA512

0ec80eb5d7f41b50c30e2d6211830a27afa37a686cf3b32c7e44aa1ed4461641ff25493299e9493abd7c618e650bf0f0ec71acb637e18ec9f3c671c628920b3e

Score

10^/10

dharma persistence ransomware spyware stealer upx

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4548-130-0x0000000000400000-0x0000000000530000-memory.dmp	upx
behavioral2/memory/4548-131-0x0000000000400000-0x0000000000530000-memory.dmp	upx
behavioral2/memory/4548-141-0x0000000000400000-0x0000000000530000-memory.dmp	upx

Drops startup file 5 IoCs

Processes:

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe = "C:\\Windows\\System32\\63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe"	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1101907861-274115917-2188613224-1000\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Public\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

Drops file in System32 directory 1 IoCs

Processes:

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

description	ioc	process
File created	C:\Windows\System32\63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

description	pid	process	target process
PID 4548 set thread context of 632	4548	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

Drops file in Program Files directory 64 IoCs

Processes:

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\ui-strings.js	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\common.lua	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\THMBNAIL.PNG	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\PlayStore_icon.svg	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\lb.pak.DATA.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActions.exsd	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-selector.js.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-pl.xrm-ms.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\ui-strings.js.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_font_t2k.dll.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\PREVIEW.GIF	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-200.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_listview_18.svg.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\officestoragehost.dll.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ul-oob.xrm-ms.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\179.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-100.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-60_altform-unplated.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.dll.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.dll.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_pattern_RHP.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-96_altform-unplated_contrast-black.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\A12_Spinner_int_2x.gif.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.Edm.NetFX35.dll	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\ui-strings.js	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\msproof7imm.dll	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ro.pak	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\ui-strings.js	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\AppStore_icon.svg.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\CompleteCheckmark.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinChart.v11.1.dll.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\msedge_100_percent.pak.DATA.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up-pressed.gif	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.INF.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxSignature.p7x	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-pl.xrm-ms	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-400.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\offsymt.ttf.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sybase.xsl.id-2BA40E52.[admin@datastex.club].ROGER	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_altform-unplated_contrast-white.png	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4884 vssadmin.exe
4120 vssadmin.exe

pid	process
4884	vssadmin.exe
4120	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

pid	process
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exevssvc.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4548	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
Token: SeBackupPrivilege	3932	vssvc.exe
Token: SeRestorePrivilege	3932	vssvc.exe
Token: SeAuditPrivilege	3932	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.execmd.execmd.exe

description	pid	process	target process
PID 4548 wrote to memory of 632	4548	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
PID 4548 wrote to memory of 632	4548	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
PID 4548 wrote to memory of 632	4548	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
PID 4548 wrote to memory of 632	4548	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
PID 632 wrote to memory of 5096	632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	cmd.exe
PID 632 wrote to memory of 5096	632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	cmd.exe
PID 5096 wrote to memory of 2680	5096	cmd.exe	mode.com
PID 5096 wrote to memory of 2680	5096	cmd.exe	mode.com
PID 5096 wrote to memory of 4884	5096	cmd.exe	vssadmin.exe
PID 5096 wrote to memory of 4884	5096	cmd.exe	vssadmin.exe
PID 632 wrote to memory of 3264	632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	cmd.exe
PID 632 wrote to memory of 3264	632	63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe	cmd.exe
PID 3264 wrote to memory of 2204	3264	cmd.exe	mode.com
PID 3264 wrote to memory of 2204	3264	cmd.exe	mode.com
PID 3264 wrote to memory of 4120	3264	cmd.exe	vssadmin.exe
PID 3264 wrote to memory of 4120	3264	cmd.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
"C:\Users\Admin\AppData\Local\Temp\63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
C:\Users\Admin\AppData\Local\Temp\63ec7434b06bed61e4029a8592a3be46bf59a533ca7fc44b43486a509d0995c8.exe
2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:2680

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4884

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3264

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:2204

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\logs\myeasylog.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/632-133-0x0000000000000000-mapping.dmp

Download
memory/632-134-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/632-139-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2204-146-0x0000000000000000-mapping.dmp

Download
memory/2680-142-0x0000000000000000-mapping.dmp

Download
memory/3264-145-0x0000000000000000-mapping.dmp

Download
memory/4120-147-0x0000000000000000-mapping.dmp

Download
memory/4548-131-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4548-132-0x0000000000630000-0x0000000000663000-memory.dmp

Filesize
204KB

Download
memory/4548-141-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4548-130-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4884-143-0x0000000000000000-mapping.dmp

Download
memory/5096-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads