dharma | b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
Size

92KB
MD5

0c4cbf1cb8e5065f8df8c8adc4f80e84
SHA1

fe9fa42f2cd4e261783b14b6cf9a28b51162590d
SHA256

b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039
SHA512

c6e5215ae24f65b18235edfa5295c5dca94f4bba7357b74aa376a4f80efb55f1319b7b9a0e8ecca6788b286faf999a3dbc84a6d1c9f165238f721e5fff50e329
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4Azg43jW0nLLJbiO3YhP1SKiRgQ:Qw+asqN5aW/hLm2jW0nnJbL3And

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (501) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe = "C:\\Windows\\System32\\b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe"	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Public\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3270530367-132075249-2153716227-1000\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Windows\System32\Info.hta	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-stdio-l1-1-0.dll.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.Metadata.dll	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldExist.snippets.ps1xml	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\mscordaccore.dll	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.schema.mfl	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.x86.dll.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\ui-strings.js	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\welcome.png	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcp120.dll	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Microsoft.PowerShell.Operation.Validation.psd1	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.resources.dll	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookLargeTile.scale-200.png	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2.jpg	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sendforcomments_18.svg.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\dom.md.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryLetter.dotx.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\ReachFramework.resources.dll.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\DeleteToastQuickAction.scale-80.png	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-down_32.svg.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_link_18.svg.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\vi_get.svg.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Info.png.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-disabled.svg.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\msvcp140_2.dll	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\ui-strings.js.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-pl.xrm-ms.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ui-strings.js.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-80_altform-lightunplated.png	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner_mini.gif.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxBadge.scale-125.png	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugin.js.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\nb.pak.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-white_scale-100.png	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\ui-strings.js.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Text.Encoding.Extensions.dll.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\Ratings\Yelp10.scale-200.png	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning_2x.png.id-C652CEF5.[[email protected]].FLYU	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Fonts\BhaiMDL2.2.52.ttf	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4436	vssadmin.exe
8232	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3160	vssvc.exe
Token: SeRestorePrivilege	3160	vssvc.exe
Token: SeAuditPrivilege	3160	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 1992	4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	86
PID 4948 wrote to memory of 1992	4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	86
PID 1992 wrote to memory of 7988	1992	cmd.exe	88
PID 1992 wrote to memory of 7988	1992	cmd.exe	88
PID 1992 wrote to memory of 4436	1992	cmd.exe	89
PID 1992 wrote to memory of 4436	1992	cmd.exe	89
PID 4948 wrote to memory of 9120	4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	95
PID 4948 wrote to memory of 9120	4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	95
PID 9120 wrote to memory of 8876	9120	cmd.exe	97
PID 9120 wrote to memory of 8876	9120	cmd.exe	97
PID 9120 wrote to memory of 8232	9120	cmd.exe	98
PID 9120 wrote to memory of 8232	9120	cmd.exe	98
PID 4948 wrote to memory of 6800	4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	99
PID 4948 wrote to memory of 6800	4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	99
PID 4948 wrote to memory of 5540	4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	100
PID 4948 wrote to memory of 5540	4948	b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe
"C:\Users\Admin\AppData\Local\Temp\b565c8e1e81796db13409f37e4bd28877272b5e54ab5c0a3d9b6a024e7f5a039.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:7988
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4436
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:9120
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:8876
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:8232
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:6800
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:5540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-C652CEF5.[[email protected]].FLYU

Filesize
2.9MB

MD5
40dcdaf3ed6e51c439a27126cf5c40e5

SHA1
0091bf762b1d2629f3c4727c8c544955c8b81b5e

SHA256
7082c34f996d1d2e46b130881caae1ff3160077e7e4c0c041d891f92c476ba5a

SHA512
40e93c0fbcd00052a11e32bfbc478b2dd54c1aaa061e0c172f682637b6d3b35e078c348460a565b96a4001b45deaf62241329d624d4b134f4189932535d6dffa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
7KB

MD5
a442a1a2405371b00bef37699944afe0

SHA1
ebce796335bf7429b0fe5bc3ed348e8c3322b948

SHA256
e88b1bd19ff5e894234bc3a22503964f1a7d8e4ea2ced11d98038fe0993adae1

SHA512
5540565c61356910207ba4f0f193e342f3fd0058a89f41de9b0baf46df8f54859109a1d71148359892da770ee7772f4a46be7d865fe5375a9d0ce327bb736ab7

Download Submit