dharma | b0817a23a0189f43f8ceeb9899ade839f07da58dcf5a522d563c15382fba305a

General

Target

0f2c4685932a74e8a7bd4733ceea0fcc.exe
Size

92KB
MD5

0f2c4685932a74e8a7bd4733ceea0fcc
SHA1

51201bbf3d9b532d8882a4cda4fa40f35d093179
SHA256

b0817a23a0189f43f8ceeb9899ade839f07da58dcf5a522d563c15382fba305a
SHA512

c397d75914c49eba7725f886845aa8a6b02cfbbaef59f858507b0ebce836aafb9743bafd2f409097ec45eb68e0c333cfda0fc0607b37ddbbaca6c23e2f73d461
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4A+owcTqXrUMW/E4RwlROQA1d2x3u:Qw+asqN5aW/hL0X6wbmd2x3u

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (315) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 5 IoCs

Processes:

0f2c4685932a74e8a7bd4733ceea0fcc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f2c4685932a74e8a7bd4733ceea0fcc.exe	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	0f2c4685932a74e8a7bd4733ceea0fcc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0f2c4685932a74e8a7bd4733ceea0fcc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0f2c4685932a74e8a7bd4733ceea0fcc.exe = "C:\\Windows\\System32\\0f2c4685932a74e8a7bd4733ceea0fcc.exe"	0f2c4685932a74e8a7bd4733ceea0fcc.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

0f2c4685932a74e8a7bd4733ceea0fcc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2444714103-3190537498-3629098939-1000\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C8HX303O\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AGBX5AXM\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2444714103-3190537498-3629098939-1000\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\HSCYP491\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NIZQ7UCC\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RCB814T6\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UBTYURA7\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	0f2c4685932a74e8a7bd4733ceea0fcc.exe

Drops file in System32 directory 1 IoCs

Processes:

0f2c4685932a74e8a7bd4733ceea0fcc.exe

description ioc process

File created C:\Windows\System32\0f2c4685932a74e8a7bd4733ceea0fcc.exe 0f2c4685932a74e8a7bd4733ceea0fcc.exe

description	ioc	process
File created	C:\Windows\System32\0f2c4685932a74e8a7bd4733ceea0fcc.exe	0f2c4685932a74e8a7bd4733ceea0fcc.exe

Drops file in Program Files directory 64 IoCs

Processes:

0f2c4685932a74e8a7bd4733ceea0fcc.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Median.thmx.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36F.GIF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado21.tlb	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\AssertResume.odt.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107328.WMF	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00656_.WMF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCNPST32.DLL.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_right.png	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14828_.GIF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107344.WMF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe.config.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Informix.xsl	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Fortaleza.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187835.WMF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\MSOSV.DLL.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayman	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR3B.GIF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha1.png	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Flow.thmx	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00397_.WMF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack.dll.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Halifax.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00394_.WMF	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01661_.WMF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDCAT.DLL.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Havana	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21495_.GIF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-14	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105600.WMF.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.id-81B350F1.[itteam122@aol.com].ROGER	0f2c4685932a74e8a7bd4733ceea0fcc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251925.WMF	0f2c4685932a74e8a7bd4733ceea0fcc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2564 vssadmin.exe
2528 vssadmin.exe

pid	process
2564	vssadmin.exe
2528	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0f2c4685932a74e8a7bd4733ceea0fcc.exe

pid	process
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe
1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2772 vssvc.exe
Token: SeRestorePrivilege 2772 vssvc.exe
Token: SeAuditPrivilege 2772 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2772	vssvc.exe
Token: SeRestorePrivilege	2772	vssvc.exe
Token: SeAuditPrivilege	2772	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0f2c4685932a74e8a7bd4733ceea0fcc.execmd.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 2512	1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe	cmd.exe
PID 1748 wrote to memory of 2512	1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe	cmd.exe
PID 1748 wrote to memory of 2512	1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe	cmd.exe
PID 1748 wrote to memory of 2512	1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe	cmd.exe
PID 2512 wrote to memory of 2736	2512	cmd.exe	mode.com
PID 2512 wrote to memory of 2736	2512	cmd.exe	mode.com
PID 2512 wrote to memory of 2736	2512	cmd.exe	mode.com
PID 2512 wrote to memory of 2564	2512	cmd.exe	vssadmin.exe
PID 2512 wrote to memory of 2564	2512	cmd.exe	vssadmin.exe
PID 2512 wrote to memory of 2564	2512	cmd.exe	vssadmin.exe
PID 1748 wrote to memory of 892	1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe	cmd.exe
PID 1748 wrote to memory of 892	1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe	cmd.exe
PID 1748 wrote to memory of 892	1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe	cmd.exe
PID 1748 wrote to memory of 892	1748	0f2c4685932a74e8a7bd4733ceea0fcc.exe	cmd.exe
PID 892 wrote to memory of 1672	892	cmd.exe	mode.com
PID 892 wrote to memory of 1672	892	cmd.exe	mode.com
PID 892 wrote to memory of 1672	892	cmd.exe	mode.com
PID 892 wrote to memory of 2528	892	cmd.exe	vssadmin.exe
PID 892 wrote to memory of 2528	892	cmd.exe	vssadmin.exe
PID 892 wrote to memory of 2528	892	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0f2c4685932a74e8a7bd4733ceea0fcc.exe
"C:\Users\Admin\AppData\Local\Temp\0f2c4685932a74e8a7bd4733ceea0fcc.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2736

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2564

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1672

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id-81B350F1.[itteam122@aol.com].ROGER
Filesize
6.3MB

MD5
db555f140cc591abecee2df4a98af08b

SHA1
605e786d0606df1d230b4f976c9a9a1fec99d6e6

SHA256
e8974a67fc362f2d5928a1e76ebc3f9b517e773b609404b2bd85f1cacd421097

SHA512
6c388a800a22fe1a8f0cf13a8b361016612671c67666d0640d565721013ac1a95dbb56588bc9f6a28ae8640deb6c2c647f1cd3c6b41d924e674549769e850587

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads