Overview
overview
10Static
static
10067f997e6f...40.exe
windows7-x64
100c0c9a19db...c1.exe
windows7-x64
101a8f35d0f2...b9.exe
windows7-x64
2354403f00...3b.exe
windows7-x64
240ac12f9c...0b.exe
windows7-x64
10276727bfac...36.exe
windows7-x64
10280a75ca5c...8e.exe
windows7-x64
2e8af1ad4b...51.exe
windows7-x64
1032c51906c1...ec.exe
windows7-x64
3e84def5ee...96.exe
windows7-x64
403b8f1ce9...40.exe
windows7-x64
4731758b5f...25.exe
windows7-x64
94c21b335ba...49.exe
windows7-x64
104c99ac9f69...35.exe
windows7-x64
4fbbd67a32...a7.exe
windows7-x64
10622e2834e5...95.exe
windows7-x64
106734e7474c...fd.exe
windows7-x64
67a00565a4...5d.exe
windows7-x64
6e228df5e4...62.exe
windows7-x64
7b93299c45...03.exe
windows7-x64
7c2a9bae3b...c1.exe
windows7-x64
107d9c97a133...b5.exe
windows7-x64
1083b294975e...74.exe
windows7-x64
9b0cfabed9...8e.exe
windows7-x64
10aa63528bf7...cd.exe
windows7-x64
b54d6dc708...7d.exe
windows7-x64
10b6b2c1f4bb...00.exe
windows7-x64
10ba43b2eb48...fb.exe
windows7-x64
cc43fc18d6...e8.exe
windows7-x64
10d50b23e12c...af.exe
windows7-x64
10ebb17d81ff...0f.exe
windows7-x64
ec09cfa4a7...da.exe
windows7-x64
10Resubmissions
16-03-2024 17:17
240316-vtswysfd2y 1016-03-2024 15:31
240316-syg9xafg39 1015-03-2024 08:15
240315-j5rmgsbg5z 10Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15-03-2024 08:15
Behavioral task
behavioral1
Sample
067f997e6fe9eac1a47d9a54d6dd22414721ad895e6352714a11779de8d66540.exe
Resource
win7-20240221-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral2
Sample
0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1.exe
Resource
win7-20240221-en
windows7-x64
26 signatures
150 seconds
Behavioral task
behavioral3
Sample
1a8f35d0f2b1a11a5b30e6f05ee5c9e93542fc2f559f8e66cf67f2a1b6ccbeb9.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral4
Sample
2354403f00f096f700e5616ed1a5ccd40fe53a1bb35a5e93e429f5f24fa4483b.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral5
Sample
240ac12f9c13ef1fdfbc77e16978f0423a41a3cc1c3dcb8786ba8e7672811f0b.exe
Resource
win7-20240221-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral6
Sample
276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral7
Sample
280a75ca5ca5dc8e106f6f6e2005fe3e23b6c35e296d5639b00b5b6daba8c38e.exe
Resource
win7-20240215-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral8
Sample
2e8af1ad4bb1e9f1bfdd3a04bf28363bbcdb3653e6aa4864f61b09c050378d51.exe
Resource
win7-20240221-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral9
Sample
32c51906c182c8c92afbc93cbe674d1b24d855f5f4f0c4c82d076691cce4c7ec.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral10
Sample
3e84def5eeae88ab28d21de08581e68e46fd9a94b5fee35d609d6f73a92a9e96.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral11
Sample
403b8f1ce98aeb6f4a7cfc23693c5a9799e0239806a4850b4eaad58ab7bedb40.exe
Resource
win7-20240220-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral12
Sample
4731758b5f792686547e861c6bd86ccf88ddb63cba6fa6b048a46cfc5f146325.exe
Resource
win7-20240221-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral13
Sample
4c21b335baf9907cfaec588f25354b804b3d59f3882d923fbaf0d929b933ef49.exe
Resource
win7-20240221-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral14
Sample
4c99ac9f69cf03b60583b12f94fe442da74178f53030bd2b7703b1d53da6a135.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral15
Sample
4fbbd67a32384a485efb0efb9e958a9f7b7a879d3945b16ccf80a8580bd935a7.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral16
Sample
622e2834e51caa303d120c7503d8fcce671226a0342d7be0f8cf546b44cee195.exe
Resource
win7-20240221-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral17
Sample
6734e7474c81f5b7b0c006a17b79f59e3281f45f03910ddeeae2ea05291655fd.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral18
Sample
67a00565a4c5fc9f08543cb10bfa3858801f87a558e21ad36d514c9bedb10e5d.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral19
Sample
6e228df5e458ddcd6a9b5284418b6101cb988315d3910f1b422d511135acd462.exe
Resource
win7-20231129-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral20
Sample
7b93299c4559e89716a9b37f4a43c1b084c610ad1d9d8e462a1383320e299503.exe
Resource
win7-20240220-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral21
Sample
7c2a9bae3bbdc9e38516754d76a192d6a3ce37849c06a8a8d3b06fb7f75916c1.exe
Resource
win7-20240221-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral22
Sample
7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5.exe
Resource
win7-20240215-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral23
Sample
83b294975e094024bdeb90f5cdeb9832304cf6879a27eee5cfe08650e5731674.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral24
Sample
9b0cfabed9fbf6b05c74e5a31eb500fea0691c84fa736dd25e8e5013a35f038e.exe
Resource
win7-20240221-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral25
Sample
aa63528bf720d3f9b31e91945a576afa4c609a09c07b3bbfc29351d760a71ccd.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral26
Sample
b54d6dc708eade0818fcf91e59c7dbe37267abbe43a1672fb5f1c126e021ad7d.exe
Resource
win7-20240221-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral27
Sample
b6b2c1f4bbe4259e0279a0c3db98a69db12ab6ae0b549085c714f1497f3c8300.exe
Resource
win7-20240221-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral28
Sample
ba43b2eb4865f24c9e04bdd6cd885202267e831ef797df32eb602dd91ff36ffb.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral29
Sample
cc43fc18d6d1dc662ad747652cd961152ee13dbf2cea9bf75564f3e2e8ffd2e8.exe
Resource
win7-20240221-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral30
Sample
d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf.exe
Resource
win7-20240221-en
windows7-x64
17 signatures
150 seconds
Behavioral task
behavioral31
Sample
ebb17d81ffb02c01b4f49c7267246f243272ca2aecda68a44e89a33f74a47a0f.exe
Resource
win7-20240221-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral32
Sample
ec09cfa4a79d709daed859d1a0e131aaa994f4a7b4bed80406125db76446fbda.exe
Resource
win7-20240221-en
windows7-x64
5 signatures
150 seconds
General
-
Target
276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe
-
Size
92KB
-
MD5
58402f0f41e3bfecbea9ca1bcc0f0c2b
-
SHA1
0a2b11df94790e1121c17e350eb846a236e0fbcf
-
SHA256
276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136
-
SHA512
8155d0a3364ea067260ba9ad432e126b1da33a2c4c1c5f585112851c5765363cd6cc426263ef430b559e9b35eea938e19bf7cc2e50e6a6c356bba030664f9123
-
SSDEEP
1536:mBwl+KXpsqN5vlwWYyhY9S4ALTroZbj0zTzn5W9qN9PI1fFznJGf0yG:Qw+asqN5aW/hLlTroZUzTz5W9qrI1JIH
Score
10/10
Malware Config
Extracted
Path
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Ransom Note
YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link: email [email protected] YOUR ID
If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected]
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (317) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 5 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe = "C:\\Windows\\System32\\276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe" 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Public\Libraries\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LGZQH3SP\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F9UL0C6O\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3J2LRC5A\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Music\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\J3XTYXPF\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Videos\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JYWEBS5E\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CYTS71XD\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PY5FLSJ8\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Downloads\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Windows\System32\Info.hta 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00439_.WMF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00018_.WMF 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AWARDHM.POC.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files\Mozilla Firefox\mozglue.dll.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297551.WMF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Mozilla Firefox\AccessibleHandler.dll.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293238.WMF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_OFF.GIF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SPLASH.WAV.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.DPV.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04134_.WMF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03466_.WMF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_disable.gif.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0195812.WMF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationClient.resources.dll 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\HORN.WAV 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152688.WMF 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libremap_plugin.dll.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\Office14\MCPS.DLL.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_description_plugin.dll 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLJRNLR.FAE.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdate.cer.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PNCTUATE.POC.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files\Java\jre7\lib\javafx.properties.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue.css 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\redStateIcon.png 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Gambier.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files\7-Zip\Lang\ja.txt.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18233_.WMF.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana.css 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28F.GIF 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG.id-F275D0FF.[[email protected]].ROGER 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2772 vssadmin.exe 2744 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 2560 vssvc.exe Token: SeRestorePrivilege 2560 vssvc.exe Token: SeAuditPrivilege 2560 vssvc.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1948 wrote to memory of 2088 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 28 PID 1948 wrote to memory of 2088 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 28 PID 1948 wrote to memory of 2088 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 28 PID 1948 wrote to memory of 2088 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 28 PID 2088 wrote to memory of 2992 2088 cmd.exe 30 PID 2088 wrote to memory of 2992 2088 cmd.exe 30 PID 2088 wrote to memory of 2992 2088 cmd.exe 30 PID 2088 wrote to memory of 2772 2088 cmd.exe 31 PID 2088 wrote to memory of 2772 2088 cmd.exe 31 PID 2088 wrote to memory of 2772 2088 cmd.exe 31 PID 1948 wrote to memory of 2620 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 35 PID 1948 wrote to memory of 2620 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 35 PID 1948 wrote to memory of 2620 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 35 PID 1948 wrote to memory of 2620 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 35 PID 2620 wrote to memory of 4092 2620 cmd.exe 37 PID 2620 wrote to memory of 4092 2620 cmd.exe 37 PID 2620 wrote to memory of 4092 2620 cmd.exe 37 PID 2620 wrote to memory of 2744 2620 cmd.exe 38 PID 2620 wrote to memory of 2744 2620 cmd.exe 38 PID 2620 wrote to memory of 2744 2620 cmd.exe 38 PID 1948 wrote to memory of 3600 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 39 PID 1948 wrote to memory of 3600 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 39 PID 1948 wrote to memory of 3600 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 39 PID 1948 wrote to memory of 3600 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 39 PID 1948 wrote to memory of 3896 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 40 PID 1948 wrote to memory of 3896 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 40 PID 1948 wrote to memory of 3896 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 40 PID 1948 wrote to memory of 3896 1948 276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe 40 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe"C:\Users\Admin\AppData\Local\Temp\276727bfacdeba0ba864fd6ccecab5fd0f244576dc503d7cf148a4deb90fc136.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:2992
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2772
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:4092
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2744
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
PID:3600
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
PID:3896
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id-F275D0FF.[[email protected]].ROGER
Filesize7.4MB
MD52126d08b10f90b1e12d3e94e7951de0b
SHA1a6971159fde13bd9f7d95dce7a929074c405caeb
SHA256b01fdc0dabffa2dec445cc41b54baa42eed506b645d1251cc0e5aa1ccb52f6c1
SHA512e561e02807ffdc00ec432c399ce57b956ca3f239ceb89cca972b8cf2c3f1121eea433ca6ccef9573afd5b925173515accdc451285cdb9ff52af05131583904be
-
Filesize
7KB
MD513e8856c1041a078759dace7087d5bfe
SHA12c94d386ee082a06cbda0f9da3dbf7c5ffb90ecb
SHA2563af68ab7759cae0cdc300e0dbb3bb63fe5a89632e370309de3e19db62b43b833
SHA512892923b246fce175de9f0817cc2d422b9050b6dae7a7552433f093106983357b70185fc4b0dbbb86f1b28e2d113200f7d4f08fc1aebb4acfd01cf744edd35c16