Analysis
- max time kernel: 248s
- max time network: 335s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 09:54
Static task: static1
Behavioral task: behavioral1
- Sample: 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe
- Resource: win10v2004-20220901-en
General
- Target: 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe
- Size: 271KB
- MD5: c52198dd4ec25b0eea665e6e0a8d4dd7
- SHA1: 2ead1a996c1a63be93e91587103320bca38561ae
- SHA256: 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020
- SHA512: 3a6426a5e42723cb9c0153d8893e8f23694868d9905fe7945dfa245ec6e879770abf30fb5a3767a9c457627a80a90f3bd8d7c1cc65a127c42e61517d9e201d1f
- SSDEEP: 6144:z9os9pGaytIcctkrCOEKc9YBsq0tm/6zf5PYF+AHW4p+fBry+aVze2U:z9os9pGaQI76GhKcysfQSzRPYcAHt+uk
Signatures
Dharma
Dharma (also tracked as CrySiS) is a ransomware family that has been distributed bundled with legitimate security-software installers to mask its activity. The encrypted files in this run carry the family's characteristic naming pattern: the original file name followed by .id-7582DE42.[pexdatax@gmail.com].ROGER, i.e. a per-victim ID, the operator's contact e-mail in square brackets, and a campaign-specific extension.
Deletes shadow copies (2 TTPs)
Ransomware often deletes Volume Shadow Copies to inhibit system recovery. Here the sample spawns cmd.exe, which runs vssadmin delete shadows /all /quiet (see the process tree below).
Drops startup file (1 IoC)
Processes: 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. The report attaches no file IoCs to this signature.
Adds Run key to start application (2 TTPs, 1 IoC)
The Run value points at the copy of the sample dropped into System32 (see "Drops file in System32 directory" below), so the ransomware restarts at every logon from a system path rather than from %TEMP%.
Processes: 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe = "C:\\Windows\\System32\\624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe"
Drops desktop.ini file(s) (11 IoCs)
Processes: 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe (all entries)
- File opened for modification: C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini
- File opened for modification: C:\Program Files\desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Chess\desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Mahjong\desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Solitaire\desktop.ini
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\FreeCell\desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Hearts\desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\Purble Place\desktop.ini
- File opened for modification: C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
Drops file in System32 directory (1 IoC)
Processes: 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe
- File created: C:\Windows\System32\624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe
Drops file in Program Files directory (64 IoCs)
Processes: 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe (all entries)
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground_PAL.wmv
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Barbados.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\icon.png
- File opened for modification: C:\Program Files\7-Zip\Lang\fr.txt.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Gambier.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Common Files\System\msadc\msadcer.dll
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande.id-7582DE42.[pexdatax@gmail.com].ROGER
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png.id-7582DE42.[pexdatax@gmail.com].ROGER
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.policy
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\mobile.css.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\9.png
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia.id-7582DE42.[pexdatax@gmail.com].ROGER
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\library.js
- File opened for modification: C:\Program Files\7-Zip\Lang\eu.txt.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.id-7582DE42.[pexdatax@gmail.com].ROGER
- File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe.id-7582DE42.[pexdatax@gmail.com].ROGER
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil.id-7582DE42.[pexdatax@gmail.com].ROGER
- File created: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\hint_down.png
- File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.EPS.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City
- File created: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\de.pak.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\main.css
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guyana.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\id.pak.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.id-7582DE42.[pexdatax@gmail.com].ROGER
- File created: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf.id-7582DE42.[pexdatax@gmail.com].ROGER
- File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.id-7582DE42.[pexdatax@gmail.com].ROGER
- File created: C:\Program Files\VideoLAN\VLC\AUTHORS.txt.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt
- File created: C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif.id-7582DE42.[pexdatax@gmail.com].ROGER
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun
- File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Christmas
- File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm
- File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png
- File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hr.pak
Interacts with shadow copies (2 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (pid 1612)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- 624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe (pid 896), 64 process-enumeration events
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: vssvc.exe (pid 1200)
- Token: SeBackupPrivilege
- Token: SeRestorePrivilege
- Token: SeAuditPrivilege
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 896 (624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe) wrote to memory of PID 1104 (cmd.exe): 4 events
- PID 1104 (cmd.exe) wrote to memory of PID 1116 (mode.com): 3 events
- PID 1104 (cmd.exe) wrote to memory of PID 1612 (vssadmin.exe): 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe (pid 896)
  command line: "C:\Users\Admin\AppData\Local\Temp\624fc9dbcf5f1c92ee34202ce1ecad6f139b816d471531b6ea062da798652020.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (pid 1104)
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (pid 1116)
      command line: mode con cp select=1251 (switches the console to code page 1251, Windows Cyrillic, before the next command runs)
    - C:\Windows\system32\vssadmin.exe (pid 1612)
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (pid 1200), top-level process: the Volume Shadow Copy service host that vssadmin talks to
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/896-54-0x0000000075E81000-0x0000000075E83000-memory.dmp (8KB)
- memory/896-58-0x00000000009C9000-0x00000000009DC000-memory.dmp (76KB)
- memory/896-59-0x0000000000020000-0x0000000000039000-memory.dmp (100KB)
- memory/896-60-0x0000000000400000-0x00000000008D3000-memory.dmp (4.8MB)
- memory/896-61-0x00000000009C9000-0x00000000009DC000-memory.dmp (76KB)
- memory/1104-55-0x0000000000000000-mapping.dmp
- memory/1116-56-0x0000000000000000-mapping.dmp
- memory/1612-57-0x0000000000000000-mapping.dmp