Analysis
max time kernel: 960s
max time network: 787s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 01:26
Static task: static1
Behavioral task: behavioral1
Sample: Ransom;Win32.Wadhrama!pz.exe
Resource: win10-20240404-en
Behavioral task: behavioral2
Sample: Ransom;Win32.Wadhrama!pz.exe
Resource: win10v2004-20240508-en
Behavioral task: behavioral3
Sample: Ransom;Win32.Wadhrama!pz.exe
Resource: win11-20240508-en
General
Target: Ransom;Win32.Wadhrama!pz.exe
Size: 92KB
MD5: 56ba37144bd63d39f23d25dae471054e
SHA1: 088e2aff607981dfe5249ce58121ceae0d1db577
SHA256: 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3
SHA512: 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0
SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4A40fMnvzbBb3b2wKbs1V3Mr:Qw+asqN5aW/hLdMvzbMlUK
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (515) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Ransom;Win32.Wadhrama!pz.exe
Drops startup file 8 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CE5AC8E7.[[email protected]].BOMBO | Ransom;Win32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CE5AC8E7.[[email protected]].BOMBO | Ransom;Win32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ransom;Win32.Wadhrama!pz.exe | Ransom;Win32.Wadhrama!pz.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ransom;Win32.Wadhrama!pz.exe.id-CE5AC8E7.[[email protected]].BOMBO | Ransom;Win32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ransom;Win32.Wadhrama!pz.exe.id-CE5AC8E7.[[email protected]].BOMBO | Ransom;Win32.Wadhrama!pz.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | Ransom;Win32.Wadhrama!pz.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ransom;Win32.Wadhrama!pz.exe | Ransom;Win32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | Ransom;Win32.Wadhrama!pz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ransom;Win32.Wadhrama!pz.exe = "C:\\Windows\\System32\\Ransom;Win32.Wadhrama!pz.exe" | Ransom;Win32.Wadhrama!pz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | Ransom;Win32.Wadhrama!pz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | Ransom;Win32.Wadhrama!pz.exe
Drops desktop.ini file(s) 64 IoCs
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\Ransom;Win32.Wadhrama!pz.exe | Ransom;Win32.Wadhrama!pz.exe
File created | C:\Windows\System32\Info.hta | Ransom;Win32.Wadhrama!pz.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
8748 | vssadmin.exe
3488 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeBackupPrivilege | 1928 | vssvc.exe
Token: SeRestorePrivilege | 1928 | vssvc.exe
Token: SeAuditPrivilege | 1928 | vssvc.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 4808 wrote to memory of 1136 | 4808 | Ransom;Win32.Wadhrama!pz.exe | 82
PID 4808 wrote to memory of 1136 | 4808 | Ransom;Win32.Wadhrama!pz.exe | 82
PID 1136 wrote to memory of 3520 | 1136 | cmd.exe | 84
PID 1136 wrote to memory of 3520 | 1136 | cmd.exe | 84
PID 1136 wrote to memory of 3488 | 1136 | cmd.exe | 86
PID 1136 wrote to memory of 3488 | 1136 | cmd.exe | 86
PID 4808 wrote to memory of 3172 | 4808 | Ransom;Win32.Wadhrama!pz.exe | 92
PID 4808 wrote to memory of 3172 | 4808 | Ransom;Win32.Wadhrama!pz.exe | 92
PID 3172 wrote to memory of 2040 | 3172 | cmd.exe | 94
PID 3172 wrote to memory of 2040 | 3172 | cmd.exe | 94
PID 4808 wrote to memory of 7464 | 4808 | Ransom;Win32.Wadhrama!pz.exe | 95
PID 4808 wrote to memory of 7464 | 4808 | Ransom;Win32.Wadhrama!pz.exe | 95
PID 3172 wrote to memory of 8748 | 3172 | cmd.exe | 96
PID 3172 wrote to memory of 8748 | 3172 | cmd.exe | 96
PID 4808 wrote to memory of 3912 | 4808 | Ransom;Win32.Wadhrama!pz.exe | 97
PID 4808 wrote to memory of 3912 | 4808 | Ransom;Win32.Wadhrama!pz.exe | 97
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\Ransom;Win32.Wadhrama!pz.exe (PID 4808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ransom;Win32.Wadhrama!pz.exe"
  Signatures: Checks computer location settings; Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 1136)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (PID 3520)
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (PID 3488)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe (PID 3172)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (PID 2040)
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (PID 8748)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\mshta.exe (PID 7464)
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  - C:\Windows\System32\mshta.exe (PID 3912)
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- C:\Windows\system32\vssvc.exe (PID 1928)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-CE5AC8E7.[[email protected]].BOMBO
Filesize: 2.7MB
MD5: bb9523b78149aba9a86cd637cc11b898
SHA1: 953979d4640b93c91db60d32a14098804d2f31f0
SHA256: d3a095a30c96e1af714c0ad98272edb29fb2a0d893cd5d1e1e8e6782ee26bff9
SHA512: 5c4f1c21ae0c8882e8883acb6f6434d9b0bc7e43c837563d305b821d9e78839f2340592b7947e8d61f92eb7f3d8def80ee6a85bd006e7b159898b96f52a2426e

Filesize: 7KB
MD5: d85bde7d3d29e87befefac9780d5f0b7
SHA1: b7e97265a3507f70f80530a86ab44bb044e3b2db
SHA256: a19877886778da62119d032a59e2855154e04b3979e05b0b6f01ea1fadb0b8e7
SHA512: 73462976771f1ecd678358ffd631c956201a76bb4656d78d8b9c2bb076a2fa621a755d8244e3c430314ff53e7682c8ca511305a5e6d78d570ed2632a76e8f443