Analysis
-
max time kernel
167s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
19-04-2024 18:21
Static task
static1
Behavioral task
behavioral1
Sample
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe
Resource
win10v2004-20240226-en
General
-
Target
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe
-
Size
92KB
-
MD5
9dfcd5165fcbf89e319ceca3f5077490
-
SHA1
32fb887ad469eecfaeb66ff98d73da0edd9a7adc
-
SHA256
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875
-
SHA512
4e417f5ac6898bfe60c772270df06e14a452c1a731558a2e334ae1b09acd5928a042d3f17b07b86e773a559c4f173ec022015d4442062b4f53df8bb194356a7d
-
SSDEEP
1536:mBwl+KXpsqN5vlwWYyhY9S4Ai5KS18YgmeMQq1NQDrorHikgd2ZLj:Qw+asqN5aW/hLqKS183iNyrorHi
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 1 IoCs
Processes:
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe = "C:\\Windows\\System32\\e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe" e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe -
Drops desktop.ini file(s) 4 IoCs
Processes:
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exedescription ioc process File opened for modification C:\Program Files\desktop.ini e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3808065738-1666277613-1125846146-1000\desktop.ini e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe -
Drops file in System32 directory 1 IoCs
Processes:
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exedescription ioc process File created C:\Windows\System32\e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe -
Drops file in Program Files directory 64 IoCs
Processes:
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exedescription ioc process File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\UIAutomationClient.resources.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Configuration.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Tasks.Dataflow.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\PresentationFramework.resources.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwcapitalized.dotx.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\7-Zip\Lang\co.txt.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.CompilerServices.VisualC.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\7-Zip\Lang\kab.txt.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\tipresx.dll.mui e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.MemoryMappedFiles.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\de\UIAutomationClientSideProviders.resources.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\WindowsFormsIntegration.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-libraryloader-l1-1-0.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Aero2.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.Win32.Primitives.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.Debug.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Http.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Data.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\PresentationUI.resources.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicstylish.dotx.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.Cryptography.Primitives.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.WebHeaderCollection.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Controls.Ribbon.resources.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\WindowsBase.resources.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\APPLAUSE.WAV.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\hostpolicy.dll.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\thaidict.md.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyDrop32x32.gif.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Primitives.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework-SystemXml.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\CopyUnpublish.jpeg.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\msdasql.dll e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.id-F51EBE30.[decryptex@airmail.cc].dex e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1008 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exepid process 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2112 vssvc.exe Token: SeRestorePrivilege 2112 vssvc.exe Token: SeAuditPrivilege 2112 vssvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.execmd.exedescription pid process target process PID 1392 wrote to memory of 2524 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe cmd.exe PID 1392 wrote to memory of 2524 1392 e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe cmd.exe PID 2524 wrote to memory of 4564 2524 cmd.exe mode.com PID 2524 wrote to memory of 4564 2524 cmd.exe mode.com PID 2524 wrote to memory of 1008 2524 cmd.exe vssadmin.exe PID 2524 wrote to memory of 1008 2524 cmd.exe vssadmin.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe"C:\Users\Admin\AppData\Local\Temp\e181fb2c45e278661fbbf3fe9b4878e3d7bcee0873d7e1132e3808f10d3e4875.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-F51EBE30.[decryptex@airmail.cc].dexFilesize
2.9MB
MD5d8c3d1864df83a5a676e91f8529c429d
SHA1a25c364da3d54b1fe9229e44f837267d15a1a78c
SHA25695d0835ab67675e8be16199f9669c7c4fcf8f2b969e32dd578f0ba3a294e4a04
SHA51266a096437d85d9bc93eebff8bbe7cd731f2f51ad3c5740bf0a5bf276887976fbd3744585b044ac4a3db2df51e7c983c0f5a64bad86863b450bdbdbaba3e84371