dharma | 7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
Size

422KB
MD5

85ad739aba5f21114564d1ea625f84ef
SHA1

5620ccbc0e687c4fc9d274514a9e9623e8e50ec9
SHA256

7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc
SHA512

c6001217be0a30a86e62f8fe6f2bada8de4ff03e1304b8ac8a0f70e9922eb7cad16fc4d3a52d3bba80bdf52055442c13c2bb5c313282f992c2fef82c603360fc
SSDEEP

12288:P9MHSFNnnzr0Sbw1zhRxizZwR8pDPzUqA+x:P9MHSFNnn+izZZpzzdAS

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message 46890083 In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Detects win.dharma. 6 IoCs

resource	yara_rule
behavioral2/memory/3028-0-0x0000000000400000-0x0000000000419000-memory.dmp	win_dharma_auto
behavioral2/memory/3028-2-0x0000000000400000-0x0000000000419000-memory.dmp	win_dharma_auto
behavioral2/memory/3028-3-0x0000000000400000-0x0000000000419000-memory.dmp	win_dharma_auto
behavioral2/memory/3028-7-0x0000000000400000-0x0000000000419000-memory.dmp	win_dharma_auto
behavioral2/memory/3028-11-0x0000000000400000-0x0000000000419000-memory.dmp	win_dharma_auto
behavioral2/memory/3028-12-0x0000000000400000-0x0000000000419000-memory.dmp	win_dharma_auto

Identifies DHARMA ransomware 24 IoCs

resource	yara_rule
behavioral2/memory/3028-0-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_aa5eefed
behavioral2/memory/3028-0-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_b31cac3f
behavioral2/memory/3028-0-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_e9319e4a
behavioral2/memory/3028-0-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_942142e3
behavioral2/memory/3028-2-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_aa5eefed
behavioral2/memory/3028-2-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_b31cac3f
behavioral2/memory/3028-2-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_e9319e4a
behavioral2/memory/3028-2-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_942142e3
behavioral2/memory/3028-3-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_aa5eefed
behavioral2/memory/3028-3-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_b31cac3f
behavioral2/memory/3028-3-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_e9319e4a
behavioral2/memory/3028-3-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_942142e3
behavioral2/memory/3028-7-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_aa5eefed
behavioral2/memory/3028-7-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_b31cac3f
behavioral2/memory/3028-7-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_e9319e4a
behavioral2/memory/3028-7-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_942142e3
behavioral2/memory/3028-11-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_aa5eefed
behavioral2/memory/3028-11-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_b31cac3f
behavioral2/memory/3028-11-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_e9319e4a
behavioral2/memory/3028-11-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_942142e3
behavioral2/memory/3028-12-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_aa5eefed
behavioral2/memory/3028-12-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_b31cac3f
behavioral2/memory/3028-12-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_e9319e4a
behavioral2/memory/3028-12-0x0000000000400000-0x0000000000419000-memory.dmp	Windows_Ransomware_Dharma_942142e3

Renames multiple (496) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe = "C:\\Windows\\System32\\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe"	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3316742141-2240921845-2885234760-1000\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3316742141-2240921845-2885234760-1000\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Public\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Windows\System32\Info.hta	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 3028	2728	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	95

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-80_altform-unplated.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-400_contrast-white.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker20.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-200_contrast-black.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files\7-Zip\7z.sfx.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\ui-strings.js.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features_email.txt.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\Logo.png.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\ui-strings.js.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-oob.xrm-ms.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoDev.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-256_altform-unplated_contrast-black.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ppd.xrm-ms.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\ThreeWayBlendPage.xbf	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\ui-strings.js.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\System.Windows.Input.Manipulations.resources.dll.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\ui-strings.js	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-100.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-200.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\measure_poster.jpg.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-96_altform-unplated.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-16_altform-unplated.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\HoloLens_HandTracking.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-400_contrast-white.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\3DViewerProductDescription-universal.xml	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-30_altform-unplated.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\ui-strings.js	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\bn-IN.pak.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\SegXbox2.ttf	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\System.Windows.Controls.Ribbon.resources.dll.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_pt-BR.json	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\WideTile.scale-200.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview2x.png.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-phn.xrm-ms.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.LEX.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Transactions.Local.dll.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Ping.dll.id-46890083.[[email protected]].arena	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-36_altform-lightunplated.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-20_altform-unplated_contrast-black.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailMediumTile.scale-100.png	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1208	vssadmin.exe
8236	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	6336	vssvc.exe
Token: SeRestorePrivilege	6336	vssvc.exe
Token: SeAuditPrivilege	6336	vssvc.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2728	2532	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	94
PID 2532 wrote to memory of 2728	2532	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	94
PID 2532 wrote to memory of 2728	2532	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	94
PID 2728 wrote to memory of 3028	2728	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	95
PID 2728 wrote to memory of 3028	2728	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	95
PID 2728 wrote to memory of 3028	2728	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	95
PID 2728 wrote to memory of 3028	2728	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	95
PID 2728 wrote to memory of 3028	2728	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	95
PID 2728 wrote to memory of 3028	2728	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	95
PID 2728 wrote to memory of 3028	2728	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	95
PID 2728 wrote to memory of 3028	2728	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	95
PID 3028 wrote to memory of 940	3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	97
PID 3028 wrote to memory of 940	3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	97
PID 940 wrote to memory of 1152	940	cmd.exe	98
PID 940 wrote to memory of 1152	940	cmd.exe	98
PID 940 wrote to memory of 1208	940	cmd.exe	99
PID 940 wrote to memory of 1208	940	cmd.exe	99
PID 3028 wrote to memory of 8404	3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	105
PID 3028 wrote to memory of 8404	3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	105
PID 8404 wrote to memory of 8152	8404	cmd.exe	107
PID 8404 wrote to memory of 8152	8404	cmd.exe	107
PID 3028 wrote to memory of 3968	3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	108
PID 3028 wrote to memory of 3968	3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	108
PID 3028 wrote to memory of 6312	3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	109
PID 3028 wrote to memory of 6312	3028	7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe	109
PID 8404 wrote to memory of 8236	8404	cmd.exe	110
PID 8404 wrote to memory of 8236	8404	cmd.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
"C:\Users\Admin\AppData\Local\Temp\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
  "C:\Users\Admin\AppData\Local\Temp\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe" -l
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
    C:\Users\Admin\AppData\Local\Temp\7e4f2594e52faa81bd27e0fcb59beb9f93c8f6b8d689e60eb8ce434f250d82fc.exe
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:1152
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1208
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:8404
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:8152
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:8236
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:3968
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:6312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat.id-46890083.[[email protected]].arena

Filesize
320KB

MD5
18a0ef8caac575c5dc6e7c27a2ed9049

SHA1
948d06bbfdf6c5b5046ba0bcaa76fdee403df292

SHA256
180dd64189bbd26451ba2e5f1851d42281949ad5c27e54cb178f260e77fd24ac

SHA512
508f7cfe3d6b0e5a7f5633e18ea12aeea0941b3300f0b00231748f9346975dd3aa06cbe804e9d6c359662220ef36a8ed0b969cfa282280cba35c91ba5078402c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
13KB

MD5
f832fc69753fdb06fa32874d282a3964

SHA1
35092a781be5eb06170864e2e5078f0ac18bba3f

SHA256
5d8232341e72f9443775e92b5e9adb650485ca5754f6f03dc5dd0f22a07dfa78

SHA512
0430936825ba9e04c7f4d39469b39b85620c94de04e88a1de25933ecb1daf78ca387d6bb05eb144ac7ad4be04093c0a1a37b81af78502db8c3f85aa2cddb0840

Download Submit
memory/3028-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3028-2-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3028-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3028-7-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3028-11-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3028-12-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download