dharma | ea316873bc6e89056b33c0b5cd5e69dbdfce567077519b5adff57d9dedc5ec84

General

Target

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
Size

92KB
MD5

32e3001eb783b182de6b45e5f729d3ba
SHA1

896a8963fb57c10d30c05b56465401babe48ff0b
SHA256

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d
SHA512

27572a35b5f21e5217012b93ebe03e59d5dfeea6bd2446316d2e74230b961e6378ae700cd4d78b0033e516adc9f494e8520c01170f74a401204cc84337a92e65
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4Ax5ALyqEIxS6CRxVcFuVWZp17i:Qw+asqN5aW/hLL5LqrxSbRYE

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (125) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

Processes:

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe = "C:\\Windows\\System32\\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe"	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\desktop.ini	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Drops file in System32 directory 1 IoCs

Processes:

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

description	ioc	process
File created	C:\Windows\System32\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Drops file in Program Files directory 64 IoCs

Processes:

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.VisualBasic.dll	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-125.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.AccessControl.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-150.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\logging.properties	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\VideoLAN\VLC\THANKS.txt.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Serialization.Xml.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\11.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.ThreadPool.dll	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\.version.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White@2x.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XPath.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Large.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_06.jpg	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-400.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-150.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.Design.resources.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-125_contrast-black.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-100.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-dark.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Compression.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.HttpListener.dll.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_altform-unplated_contrast-white.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.id-A954C4A3.[decoderdata@onionmail.org].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4100 vssadmin.exe

pid	process
4100	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

pid	process
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3688 vssvc.exe
Token: SeRestorePrivilege 3688 vssvc.exe
Token: SeAuditPrivilege 3688 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3688	vssvc.exe
Token: SeRestorePrivilege	3688	vssvc.exe
Token: SeAuditPrivilege	3688	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.execmd.exe

description	pid	process	target process
PID 5080 wrote to memory of 4340	5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe	cmd.exe
PID 5080 wrote to memory of 4340	5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe	cmd.exe
PID 4340 wrote to memory of 1008	4340	cmd.exe	mode.com
PID 4340 wrote to memory of 1008	4340	cmd.exe	mode.com
PID 4340 wrote to memory of 4100	4340	cmd.exe	vssadmin.exe
PID 4340 wrote to memory of 4100	4340	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
"C:\Users\Admin\AppData\Local\Temp\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1008

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-A954C4A3.[decoderdata@onionmail.org].2023
Filesize
2.7MB

MD5
04fa1b317c63cbe672c7694aaec1daa5

SHA1
483fdc6386825ef671aea3622f3959ce58490325

SHA256
ae3462bc9b673880999005540a7a3add05a7b71f446f6b8ce121db985b0c251f

SHA512
6e3a242a34923b6c97284c80fa3c07b6a2c6870b4df8f6965e506a3a8425bc5f7360c8281e85b2e14cfae75905e33fac875b7e6f5e06b411e6d9b35b5dd82e3f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads