Overview
10  02db3ec764...ce.exe  windows7-x64
    09f27e0189...2e.exe  windows7-x64
5   0abe62de95...d2.exe  windows7-x64
7   13ad5c6c04...20.exe  windows7-x64
    181d5a2aa3...54.exe  windows7-x64
7   19bdaadf42...ed.exe  windows7-x64
1   1f1cc17473...5e.exe  windows7-x64
8   1f4e927f6e...a4.exe  windows7-x64
    222d06b236...66.exe  windows7-x64
8   23b5ce252f...5b.exe  windows7-x64
10  24ebe7609d...a9.exe  windows7-x64
6   25fcedbb8b...78.exe  windows7-x64
    26f2bf1fc3...fe.exe  windows7-x64
    32a22a65aa...2f.exe  windows7-x64
    35fdad147c...8f.exe  windows7-x64
1   36bfd9f40c...07.exe  windows7-x64
1   39a6618795...45.exe  windows7-x64
1   3c8ac670d8...98.exe  windows7-x64
1   401beec1e5...c3.exe  windows7-x64
3   46c17836fd...b2.exe  windows7-x64
    54edb6518a...9a.exe  windows7-x64
7   56ec95785f...a4.exe  windows7-x64
1   5c959580ad...bd.dll  windows7-x64
    675e7e38d9...a8.exe  windows7-x64
9   6b4f6a820d...96.exe  windows7-x64
1   721ccbb780...29.exe  windows7-x64
3   75a9ade196...1d.exe  windows7-x64
10  7a2aa7c097...bd.exe  windows7-x64
1   87bcc495ec...65.exe  windows7-x64
    8d11fa1067...54.exe  windows7-x64
7   97d846563e...3b.exe  windows7-x64
1   9e4e60ee2a...c6.exe  windows7-x64
Analysis
max time kernel: 8s
max time network: 19s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 16:53
Behavioral task  Sample  Resource
behavioral1   02db3ec76453f4a8ed495b9befac3ce2d51ef58c22d167e25a20bd050f5094ce.exe  win7-20240220-en
behavioral2   09f27e01898779236a9f31185667b9f4a97dd1f30c972386fd995502acfb992e.exe  win7-20240215-en
behavioral3   0abe62de95ad966482f445504eb8a385afb8e4b4ba5a36ea34fce13b3da3dad2.exe  win7-20240221-en
behavioral4   13ad5c6c04c32e246dba78cf2e3737470af66b0b73553ab8f025ade626b8a120.exe  win7-20240221-en
behavioral5   181d5a2aa39493c50bc73723047157d843ecbc22d7cb56766eb737f529910854.exe  win7-20240221-en
behavioral6   19bdaadf42c44a28941ff6ecea6925de28caf172acb131085d93c7e56ac5fded.exe  win7-20240221-en
behavioral7   1f1cc1747387db85919ee8af854dd1afe5239b34a1cdc98c5cea347de804205e.exe  win7-20240221-en
behavioral8   1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe  win7-20240220-en
behavioral9   222d06b23600bbd1fd66b6649618e5f3a7f4d81fcb8dfd961680d949aea31a66.exe  win7-20240221-en
behavioral10  23b5ce252f1cb3ff40a3bcb3ea53dd674175c3ad782b00e33ae45c8c87fa265b.exe  win7-20240221-en
behavioral11  24ebe7609d56c62fca780bf5ef346aa91c0412418f1f85d591005b4509bcbca9.exe  win7-20240221-en
behavioral12  25fcedbb8b0ae97c1e9b7b56e0ce3511976661bbdcf075dfed18b36a58ab5d78.exe  win7-20240319-en
behavioral13  26f2bf1fc3ee321d48dce649fae9951220f0f640c69d5433850b469115c144fe.exe  win7-20240319-en
behavioral14  32a22a65aa2666a6a34f0be77cb6bd3f275bcd1e1c54ad49e187984d76f49e2f.exe  win7-20240221-en
behavioral15  35fdad147c2ab2c36dd7fd1ad1ae26b80be6c501bb22120b741be3ab34be168f.exe  win7-20240221-en
behavioral16  36bfd9f40ce0043c878b28ca80dda5315cf681215baf4e1d539456d89b907807.exe  win7-20240221-en
behavioral17  39a6618795b858d4f9a976c203bb9bee199db3555b9583b308954ccc09cffc45.exe  win7-20240215-en
behavioral18  3c8ac670d8c920170dd431a5a08cbefd62a98e369eb552acbc04a0eeb2f2a198.exe  win7-20240215-en
behavioral19  401beec1e5e07bfe7d0ebf18d9219f4f0a504284b6f9aab664e8af6e8bef31c3.exe  win7-20240221-en
behavioral20  46c17836fd2d65343ca0d1adae5fa3209a1f2a128736c81f5d7d40fe7ee608b2.exe  win7-20240319-en
behavioral21  54edb6518a4ba6561d14cfc2875b281f3a9a87aca7d839c5bc814ef5e6a0229a.exe  win7-20240215-en
behavioral22  56ec95785f91418751ad5788f9076af108ae19e03d2e0c0551ae8f8d8f5acba4.exe  win7-20231129-en
behavioral23  5c959580adf1fbdfea872ece4d29ee6a8319a88273a9923988ef8be4197833bd.dll  win7-20240221-en
behavioral24  675e7e38d969e9c0af164337a180b2941d4a676b7e0c345da1de1b2d42ed31a8.exe  win7-20231129-en
behavioral25  6b4f6a820d415a88ee156607b13450cbe0bedad4eb05961c55f5926f86262296.exe  win7-20240221-en
behavioral26  721ccbb780b308c6c40817749b6764ad06cd2e56389bba1618a0dadc362d6429.exe  win7-20240215-en
behavioral27  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe  win7-20240221-en
behavioral28  7a2aa7c097a2e48184694d2d70027f7ac4081db7c6d555324aa5f060a37800bd.exe  win7-20240221-en
behavioral29  87bcc495ec10c56b860450897f03869b74c66c2a2bd336d4fff67d2d777ad865.exe  win7-20240221-en
behavioral30  8d11fa106742bd9038bf92ed3b3912b51f9b768ebd85b380081f61940fd92754.exe  win7-20240221-en
behavioral31  97d846563e9c5da173d27fd11a6f182709c665dba0cb3f85a882c7b3e9cd9a3b.exe  win7-20240215-en
behavioral32  9e4e60ee2a8a8ce65072e3aa9b648d4e8ff45474a41d374126f3c045901550c6.exe  win7-20240221-en
General
Target: 75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
Size: 306KB
MD5: 1eac69691e05297182ea6642746d53f6
SHA1: 749f19b262849158df6d29f26043e1a845da102e
SHA256: 75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d
SHA512: 8ac6625fa10b3d2126a6498af2790a52bb626fef74b4abf05ce869f0e3b2d41fa78915b469529c67531937093e6385634985e792f4c04edac5f0b69a489d5c39
SSDEEP: 3072:J86Kas04uVswV5Him+xfleiJfz/4B7zspXGwtI57T+YG4tGSGbwySvB5KpzeLrqK:ChatLSeoQ7Rwu57C0bNyKgpGR
Malware Config
Signatures
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Renames multiple (54) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file (1 IoC)
  description  ioc  Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe = "C:\\Windows\\System32\\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe"  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
- Drops desktop.ini file(s) (4 IoCs)
  description  ioc  Process
  File opened for modification  C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
  File opened for modification  F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
  File opened for modification  C:\Program Files\desktop.ini  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
- Drops file in System32 directory (1 IoC)
  description  ioc  Process
  File created  C:\Windows\System32\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
- Drops file in Program Files directory (64 IoCs)
  description  ioc  (Process for every row: 75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe)
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png
  File opened for modification  C:\Program Files\7-Zip\7-zip32.dll.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\7-Zip\Lang\nn.txt
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui
  File created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\7-Zip\Lang\hy.txt.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\7-Zip\Lang\lij.txt.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\7-Zip\Lang\ca.txt
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\7-Zip\Lang\sv.txt
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
  File opened for modification  C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png
  File created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif
  File opened for modification  C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\7-Zip\Lang\fa.txt.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html
  File opened for modification  C:\Program Files\7-Zip\Lang\uk.txt.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif
  File created  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\7-Zip\7-zip.chm.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\7-Zip\Lang\ca.txt.id-2E8F1C0B.[[email protected]].money
  File created  C:\Program Files\7-Zip\readme.txt.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png
  File opened for modification  C:\Program Files\7-Zip\Lang\da.txt.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png
  File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm
  File created  C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.id-2E8F1C0B.[[email protected]].money
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid  Process
  2276  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid  Process
  1736  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe  (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description  pid  Process
  Token: SeBackupPrivilege  1752  vssvc.exe
  Token: SeRestorePrivilege  1752  vssvc.exe
  Token: SeAuditPrivilege  1752  vssvc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description  pid  Process  procid_target
  PID 1736 wrote to memory of 2140  1736  75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe  28  (4 identical entries)
  PID 2140 wrote to memory of 2964  2140  cmd.exe  30  (3 identical entries)
  PID 2140 wrote to memory of 2276  2140  cmd.exe  31  (3 identical entries)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe"
  PID: 1736
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    PID: 2140
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
      PID: 2964
    - [3] C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 2276
      - Interacts with shadow copies
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1752
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id-2E8F1C0B.[[email protected]].money
  Filesize: 7.1MB
  MD5: 2276786a975f3ac40712e9b7643f799c
  SHA1: f611ed75a7c615886516ffcd91e3cf677b37ca61
  SHA256: abb2d7c3835695cf8ca977d018b503ed141754fad15718f0a70748816a6cc569
  SHA512: 5a1ca0ac29599ac10a7ae01d9ae91ebfe71a32e478d5d452f6a1f0f8b5be92243d319708e2f19af637d0359cbdc32b65886e60aa3ba9b10b117bb41c59fb6ed3