Analysis
max time kernel: 155s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 09:54
Behavioral task: behavioral1
Sample: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Resource: win10v2004-20220812-en
General
Target: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Size: 1.9MB
MD5: f09a781eeb97acf68c8c1783e76c29e6
SHA1: ec2b7eebfcbf263424ae194817060eac44c380c7
SHA256: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64
SHA512: 972fc4759d344c3eab157fe8bb345596592895ab9d27546961a93047142e8236dd876f3449a9f60dd5eb93a54035dcd3d7c8d70d468e3233341bfa4d674cfa64
SSDEEP: 49152:jL7kITp6hTJEfHdQ2+Sd3KmkZt1EOS09VE8zbRfc7id4oPg:YITpmafy2+S5KmkZt1EOSP8zdfc7i5P
Malware Config
Signatures
Dharma
Dharma is a ransomware family that uses security software installation to hide malicious activity.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
resource | yara_rule
behavioral2/memory/4284-132-0x0000000000400000-0x00000000005E6000-memory.dmp | upx
behavioral2/memory/4284-133-0x0000000000400000-0x00000000005E6000-memory.dmp | upx
Drops startup file (1 IoC)
Processes: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe = "C:\\Windows\\System32\\cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe" | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Drops desktop.ini file(s) (3 IoCs)
Processes: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-2295526160-1155304984-640977766-1000\desktop.ini | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
File opened for modification | C:\Program Files\desktop.ini | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Drops file in System32 directory (1 IoC)
Processes: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
description | ioc | process
File created | C:\Windows\System32\cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Drops file in Program Files directory (64 IoCs)
Processes: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
4040 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
pid | process
4284 | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 320 | vssvc.exe
Token: SeRestorePrivilege | 320 | vssvc.exe
Token: SeAuditPrivilege | 320 | vssvc.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
pid | process
4284 | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe, cmd.exe
description | pid | process | target process
PID 4284 wrote to memory of 3628 | 4284 | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe | cmd.exe
PID 4284 wrote to memory of 3628 | 4284 | cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe | cmd.exe
PID 3628 wrote to memory of 4740 | 3628 | cmd.exe | mode.com
PID 3628 wrote to memory of 4740 | 3628 | cmd.exe | mode.com
PID 3628 wrote to memory of 4040 | 3628 | cmd.exe | vssadmin.exe
PID 3628 wrote to memory of 4040 | 3628 | cmd.exe | vssadmin.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cc3b570fa8f87354f06a20d8873c45087684c217f1b434b3b0048acd96fe3e64.exe"
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\mode.com
            command line: mode con cp select=1251
        [3] C:\Windows\system32\vssadmin.exe
            command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/3628-136-0x0000000000000000-mapping.dmp
- memory/4040-138-0x0000000000000000-mapping.dmp
- memory/4284-132-0x0000000000400000-0x00000000005E6000-memory.dmp (Filesize 1.9MB)
- memory/4284-133-0x0000000000400000-0x00000000005E6000-memory.dmp (Filesize 1.9MB)
- memory/4284-134-0x00000000036B0000-0x00000000036E4000-memory.dmp (Filesize 208KB)
- memory/4284-135-0x0000000000400000-0x00000000005E6000-memory.dmp (Filesize 1.9MB)
- memory/4740-137-0x0000000000000000-mapping.dmp