Resubmissions
Submitted | Analysis ID | Score
05/02/2025, 10:39 | 250205-mp5e7asphz | 10
22/06/2024, 21:31 | 240622-1day4avdlf | 10
22/06/2024, 18:34 | 240622-w77gyatbmp | 10
22/06/2024, 16:29 | 240622-tzbn7athrg | 10
Analysis
max time kernel: 155s
max time network: 139s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 22/06/2024, 21:31
Static task
static1
Behavioral task
behavioral1
Sample
RansomWin32.Wadhrama!pz.exe
Resource
win10-20240404-en
General
Target: RansomWin32.Wadhrama!pz.exe
Size: 92KB
MD5: 56ba37144bd63d39f23d25dae471054e
SHA1: 088e2aff607981dfe5249ce58121ceae0d1db577
SHA256: 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3
SHA512: 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0
SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4A40fMnvzbBb3b2wKbs1V3Mr:Qw+asqN5aW/hLdMvzbMlUK
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (442) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops startup file 6 IoCs
description | ioc | Process
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta | taskmgr.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RansomWin32.Wadhrama!pz.exe | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | RansomWin32.Wadhrama!pz.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | RansomWin32.Wadhrama!pz.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RansomWin32.Wadhrama!pz.exe = "C:\\Windows\\System32\\RansomWin32.Wadhrama!pz.exe" | RansomWin32.Wadhrama!pz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | RansomWin32.Wadhrama!pz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | RansomWin32.Wadhrama!pz.exe
-
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3968772205-1713802336-1776639840-1000\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | RansomWin32.Wadhrama!pz.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\Info.hta | RansomWin32.Wadhrama!pz.exe
File created | C:\Windows\System32\RansomWin32.Wadhrama!pz.exe | RansomWin32.Wadhrama!pz.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\AppxSignature.p7x | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sybase.xsl.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\FreeCell\freecellassets.xml | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\ui-strings.js.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\wsdetect.dll | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIF.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-200.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\ui-strings.js | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\ui-strings.js.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\StoreLogo.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Resume.m4a | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-400.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\ui-strings.js | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-125.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_share_18.svg.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\ui-strings.js.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\main.css.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ko.dll | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\WideTile.scale-100.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files\Java\jre-1.8\lib\security\java.policy.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\dcpr.dll | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Common Files\System\Ole DB\uk-UA\oledb32r.dll.mui | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEES.DLL.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ao_16x11.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-60.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\odffilt.dll.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\ui-strings.js.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\index.html | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files\VideoLAN\VLC\npvlc.dll.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_pt_BR.properties | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-pl.xrm-ms | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-30_altform-unplated_contrast-white.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-125.png | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_de.dll.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-ppd.xrm-ms | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderWideTile.scale-100.png | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-150_contrast-white.png | RansomWin32.Wadhrama!pz.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ppd.xrm-ms | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul-oob.xrm-ms.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat.id-78D11328.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
1520 | vssadmin.exe
8008 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
5032 | RansomWin32.Wadhrama!pz.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeBackupPrivilege | 6636 | vssvc.exe
Token: SeRestorePrivilege | 6636 | vssvc.exe
Token: SeAuditPrivilege | 6636 | vssvc.exe
Token: SeDebugPrivilege | 5848 | taskmgr.exe
Token: SeSystemProfilePrivilege | 5848 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 5848 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 53 IoCs
pid | Process
4820 | NOTEPAD.EXE
5848 | taskmgr.exe (52 identical entries)
-
Suspicious use of SendNotifyMessage 51 IoCs
pid | Process
5848 | taskmgr.exe (51 identical entries)
-
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 5032 wrote to memory of 864 | 5032 | RansomWin32.Wadhrama!pz.exe | 72
PID 5032 wrote to memory of 864 | 5032 | RansomWin32.Wadhrama!pz.exe | 72
PID 864 wrote to memory of 6088 | 864 | cmd.exe | 74
PID 864 wrote to memory of 6088 | 864 | cmd.exe | 74
PID 864 wrote to memory of 1520 | 864 | cmd.exe | 75
PID 864 wrote to memory of 1520 | 864 | cmd.exe | 75
PID 5032 wrote to memory of 6052 | 5032 | RansomWin32.Wadhrama!pz.exe | 79
PID 5032 wrote to memory of 6052 | 5032 | RansomWin32.Wadhrama!pz.exe | 79
PID 6052 wrote to memory of 6040 | 6052 | cmd.exe | 81
PID 6052 wrote to memory of 6040 | 6052 | cmd.exe | 81
PID 6052 wrote to memory of 8008 | 6052 | cmd.exe | 82
PID 6052 wrote to memory of 8008 | 6052 | cmd.exe | 82
PID 5032 wrote to memory of 7864 | 5032 | RansomWin32.Wadhrama!pz.exe | 83
PID 5032 wrote to memory of 7864 | 5032 | RansomWin32.Wadhrama!pz.exe | 83
PID 5032 wrote to memory of 7912 | 5032 | RansomWin32.Wadhrama!pz.exe | 84
PID 5032 wrote to memory of 7912 | 5032 | RansomWin32.Wadhrama!pz.exe | 84
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows the parent/child tree; the bracketed number is the process depth)
[1] C:\Users\Admin\AppData\Local\Temp\RansomWin32.Wadhrama!pz.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RansomWin32.Wadhrama!pz.exe"
    PID: 5032
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 864
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\mode.com
        Command line: mode con cp select=1251
        PID: 6088
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 1520
        - Interacts with shadow copies
  [2] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 6052
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\mode.com
        Command line: mode con cp select=1251
        PID: 6040
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        PID: 8008
        - Interacts with shadow copies
  [2] C:\Windows\System32\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID: 7864
  [2] C:\Windows\System32\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID: 7912
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 6636
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\werfault.exe
    Command line: werfault.exe /h /shared Global\63c9efa496254ba4a8a09d71c8f28db4 /t 8152 /p 7912
    PID: 7236
[1] C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
    PID: 4820
    - Suspicious use of FindShellTrayWindow
[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 5848
    - Drops startup file
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (1)
Downloads
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-78D11328.[[email protected]].BOMBO
Filesize: 3.2MB
MD5: 32d489cb3d4996eb047b1451644f1d6f
SHA1: f01708322cd9235f01c454bb2d9535450b5bffca
SHA256: 8493ca01a0563b6957bb3adf24ac73294141cb3f12d5b945594ac36d3adc82fd
SHA512: 2b8db7a274c8fd6465892e69d557d69b1e0aeaac033ef670f8897c9e19ba161cf93a597b8f1a3bdc25ca00b81dd9f8e666d886b4b818b4e6f0b707d8c237ae59

Filesize: 7KB
MD5: 900f4d80d9979d680e4a1b7ecea122ac
SHA1: 846fb6133013c681851c6d2c9557b5dfdef54674
SHA256: 3e737d0b44f93c27f5257e859078118dfa1751095602984296ccf4429535ead1
SHA512: 18c134ccc4dd1b64915ed958bf9afc263983323f139cc1f931895500f592adf0e8375e05cd3acd8d0f942b96fc48218f4f1d1425b616fce59a2a12c131b114a5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RansomWin32.Wadhrama!pz.exe
Filesize: 92KB
MD5: 56ba37144bd63d39f23d25dae471054e
SHA1: 088e2aff607981dfe5249ce58121ceae0d1db577
SHA256: 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3
SHA512: 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0

Filesize: 186B
MD5: f35b4642a236f85db1ba463d3a963456
SHA1: be582d9b5bf5c541762a6e640ec1a7b12532caba
SHA256: fc601390d8bc19ac881314b8f18ce320dde6d2c306080021b804106bc7cac409
SHA512: a0c84412425f7f5bb120bec68b2920fb1177cc3c9630c32881b2bf83ed5926492a1801536f5a57d1fa0fbbb09ced216a518ae4e49395e13e33245792ec48b5a7