dharma | ea316873bc6e89056b33c0b5cd5e69dbdfce567077519b5adff57d9dedc5ec84

Analysis

max time kernel
155s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
Size

92KB
MD5

32e3001eb783b182de6b45e5f729d3ba
SHA1

896a8963fb57c10d30c05b56465401babe48ff0b
SHA256

2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d
SHA512

27572a35b5f21e5217012b93ebe03e59d5dfeea6bd2446316d2e74230b961e6378ae700cd4d78b0033e516adc9f494e8520c01170f74a401204cc84337a92e65
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4Ax5ALyqEIxS6CRxVcFuVWZp17i:Qw+asqN5aW/hLL5LqrxSbRYE

Score

10^/10

dharma persistence ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (125) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe = "C:\\Windows\\System32\\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe"	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\desktop.ini	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\Microsoft.VisualBasic.dll	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\SmallTile.scale-125.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.AccessControl.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jre-1.8\bin\eula.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-150.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-oob.xrm-ms.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-pl.xrm-ms.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\logging.properties	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\VideoLAN\VLC\THANKS.txt.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Runtime.Serialization.Xml.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\LICENSE.txt.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\11.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.ThreadPool.dll	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\.version.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\directshow.md	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Xml.XPath.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\tzmappings.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-localization-l1-2-0.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Large.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomTracing_06.jpg	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-400.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-150.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ko\System.Windows.Forms.Design.resources.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-125_contrast-black.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreBadgeLogo.scale-100.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\SearchPlaceholder-dark.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Compression.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.HttpListener.dll.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_altform-unplated_contrast-white.png	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms.id-A954C4A3.[[email protected]].2023	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4100	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3688	vssvc.exe
Token: SeRestorePrivilege	3688	vssvc.exe
Token: SeAuditPrivilege	3688	vssvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4340	5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe	90
PID 5080 wrote to memory of 4340	5080	2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe	90
PID 4340 wrote to memory of 1008	4340	cmd.exe	92
PID 4340 wrote to memory of 1008	4340	cmd.exe	92
PID 4340 wrote to memory of 4100	4340	cmd.exe	93
PID 4340 wrote to memory of 4100	4340	cmd.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe
"C:\Users\Admin\AppData\Local\Temp\2210baa7b596879b413965c17f9f33dbf698ac183b2b82329d397c73dee5fc3d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:1008
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-A954C4A3.[[email protected]].2023

Filesize
2.7MB

MD5
04fa1b317c63cbe672c7694aaec1daa5

SHA1
483fdc6386825ef671aea3622f3959ce58490325

SHA256
ae3462bc9b673880999005540a7a3add05a7b71f446f6b8ce121db985b0c251f

SHA512
6e3a242a34923b6c97284c80fa3c07b6a2c6870b4df8f6965e506a3a8425bc5f7360c8281e85b2e14cfae75905e33fac875b7e6f5e06b411e6d9b35b5dd82e3f

Download Submit