Analysis
- max time kernel: 154s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 09-11-2022 06:09
Static task: static1
Behavioral task: behavioral1
- Sample: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
- Resource: win10v2004-20220812-en
General
- Target: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
- Size: 92KB
- MD5: 056c5445518ad631a67936fe623dfbb8
- SHA1: 5612b8ba7266d9ab519b32929077377b7c8340b3
- SHA256: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608
- SHA512: efb17c895f0fc8eab3d2d8601ec38b041bdfbed040e2521866c0938baf5f76b457f6b681b5eb7a3508c39e0973c0c142e5204fd0d51cafcff38613fcaee0b4f0
- SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4ACMwdGxrYhw0E/ov24RylCt/mradAbNB:Qw+asqN5aW/hLOdGxrYP24RFB2adAh
Malware Config
Signatures
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (1 IoC)
  Processes: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe (process: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe = "C:\\Windows\\System32\\3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe" (process: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe)
- Drops desktop.ini file(s) (12 IoCs)
  Processes: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
  File opened for modification (all by 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe):
    C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini
    C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
    C:\Program Files\desktop.ini
    C:\Program Files\Microsoft Games\Chess\desktop.ini
    C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
    C:\Program Files (x86)\desktop.ini
    C:\Program Files\Microsoft Games\FreeCell\desktop.ini
    C:\Program Files\Microsoft Games\Hearts\desktop.ini
    C:\Program Files\Microsoft Games\Mahjong\desktop.ini
    C:\Program Files\Microsoft Games\Purble Place\desktop.ini
    C:\Program Files\Microsoft Games\Solitaire\desktop.ini
    C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
- Drops file in System32 directory (1 IoC)
  Processes: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
  File created: C:\Windows\System32\3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe (process: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe)
- Drops file in Program Files directory (64 IoCs)
  Processes: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  PID 2004: vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
  PID 1612: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe (all 64 entries refer to this PID and process)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  Token: SeBackupPrivilege, PID 1784, vssvc.exe
  Token: SeRestorePrivilege, PID 1784, vssvc.exe
  Token: SeAuditPrivilege, PID 1784, vssvc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe, cmd.exe
  PID 1612 wrote to memory of PID 1812: 3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe -> cmd.exe (4 entries)
  PID 1812 wrote to memory of PID 1932: cmd.exe -> mode.com (3 entries)
  PID 1812 wrote to memory of PID 2004: cmd.exe -> vssadmin.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a7696a5e89211d08152154477f7d2281cafd814e987f6d089a3ad1c76f24608.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken