dharma | 92e5a2fb9c2403bcdfffc5d91c7cc959da76e0ddd843b2d43a8a3a858f9c90a6

Analysis

max time kernel
8s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
Size

306KB
MD5

1eac69691e05297182ea6642746d53f6
SHA1

749f19b262849158df6d29f26043e1a845da102e
SHA256

75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d
SHA512

8ac6625fa10b3d2126a6498af2790a52bb626fef74b4abf05ce869f0e3b2d41fa78915b469529c67531937093e6385634985e792f4c04edac5f0b69a489d5c39
SSDEEP

3072:J86Kas04uVswV5Him+xfleiJfz/4B7zspXGwtI57T+YG4tGSGbwySvB5KpzeLrqK:ChatLSeoQ7Rwu57C0bNyKgpGR

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (54) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

Processes:

75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe = "C:\\Windows\\System32\\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe"	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\desktop.ini	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

Drops file in System32 directory 1 IoCs

Processes:

75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

description	ioc	process
File created	C:\Windows\System32\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

Drops file in Program Files directory 64 IoCs

Processes:

75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\1047x576black.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoBeta.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCallbacks.h.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\tipresx.dll.mui	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOMessageProvider.dll.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\7-Zip\readme.txt.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IpsMigrationPlugin.dll.mui	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.id-2E8F1C0B.[admin@fentex.net].money	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2276 vssadmin.exe

pid	process
2276	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

pid	process
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1752 vssvc.exe
Token: SeRestorePrivilege 1752 vssvc.exe
Token: SeAuditPrivilege 1752 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1752	vssvc.exe
Token: SeRestorePrivilege	1752	vssvc.exe
Token: SeAuditPrivilege	1752	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.execmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 2140	1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe	cmd.exe
PID 1736 wrote to memory of 2140	1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe	cmd.exe
PID 1736 wrote to memory of 2140	1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe	cmd.exe
PID 1736 wrote to memory of 2140	1736	75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe	cmd.exe
PID 2140 wrote to memory of 2964	2140	cmd.exe	mode.com
PID 2140 wrote to memory of 2964	2140	cmd.exe	mode.com
PID 2140 wrote to memory of 2964	2140	cmd.exe	mode.com
PID 2140 wrote to memory of 2276	2140	cmd.exe	vssadmin.exe
PID 2140 wrote to memory of 2276	2140	cmd.exe	vssadmin.exe
PID 2140 wrote to memory of 2276	2140	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe
"C:\Users\Admin\AppData\Local\Temp\75a9ade19696be512a894b659c4bebd174a868f404da5479f4fd96494e04c71d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2964

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id-2E8F1C0B.[admin@fentex.net].money
Filesize
7.1MB

MD5
2276786a975f3ac40712e9b7643f799c

SHA1
f611ed75a7c615886516ffcd91e3cf677b37ca61

SHA256
abb2d7c3835695cf8ca977d018b503ed141754fad15718f0a70748816a6cc569

SHA512
5a1ca0ac29599ac10a7ae01d9ae91ebfe71a32e478d5d452f6a1f0f8b5be92243d319708e2f19af637d0359cbdc32b65886e60aa3ba9b10b117bb41c59fb6ed3

Download Submit
memory/1736-1-0x00000000036D0000-0x00000000037D0000-memory.dmp

Filesize
1024KB

Download
memory/1736-2-0x0000000000220000-0x0000000000239000-memory.dmp

Filesize
100KB

Download
memory/1736-59-0x0000000000400000-0x00000000035A1000-memory.dmp

Filesize
49.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads