Resubmissions
- 05/02/2025, 10:39  250205-mp5e7asphz  10
- 22/06/2024, 21:31  240622-1day4avdlf  10
- 22/06/2024, 18:34  240622-w77gyatbmp  10
- 22/06/2024, 16:29  240622-tzbn7athrg  10
Analysis
- max time kernel: 130s
- max time network: 83s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 22/06/2024, 18:34
Static task: static1
Behavioral task: behavioral1
- Sample: RansomWin32.Wadhrama!pz.exe
- Resource: win10-20240404-en
General
- Target: RansomWin32.Wadhrama!pz.exe
- Size: 92KB
- MD5: 56ba37144bd63d39f23d25dae471054e
- SHA1: 088e2aff607981dfe5249ce58121ceae0d1db577
- SHA256: 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3
- SHA512: 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0
- SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4A40fMnvzbBb3b2wKbs1V3Mr:Qw+asqN5aW/hLdMvzbMlUK
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
-
Dharma
Dharma is a ransomware family that uses security software installation to hide malicious activity.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (454) files with added filename extension
This suggests ransomware activity: the files across the system are being encrypted.
-
Drops startup file 6 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | RansomWin32.Wadhrama!pz.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-BB2E4EFA.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-BB2E4EFA.[[email protected]].BOMBO | RansomWin32.Wadhrama!pz.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | RansomWin32.Wadhrama!pz.exe
File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta | taskmgr.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RansomWin32.Wadhrama!pz.exe | RansomWin32.Wadhrama!pz.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RansomWin32.Wadhrama!pz.exe = "C:\\Windows\\System32\\RansomWin32.Wadhrama!pz.exe" | RansomWin32.Wadhrama!pz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | RansomWin32.Wadhrama!pz.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | RansomWin32.Wadhrama!pz.exe
-
Drops desktop.ini file(s) 64 IoCs
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\Info.hta | RansomWin32.Wadhrama!pz.exe
File created | C:\Windows\System32\RansomWin32.Wadhrama!pz.exe | RansomWin32.Wadhrama!pz.exe
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | taskmgr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
8132 | vssadmin.exe
1216 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeBackupPrivilege | 5256 | vssvc.exe
Token: SeRestorePrivilege | 5256 | vssvc.exe
Token: SeAuditPrivilege | 5256 | vssvc.exe
Token: SeDebugPrivilege | 5792 | taskmgr.exe
Token: SeSystemProfilePrivilege | 5792 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 5792 | taskmgr.exe
Token: 33 | 5792 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 5792 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 36 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 5000 wrote to memory of 4192 | 5000 | RansomWin32.Wadhrama!pz.exe | 75
PID 5000 wrote to memory of 4192 | 5000 | RansomWin32.Wadhrama!pz.exe | 75
PID 4192 wrote to memory of 3948 | 4192 | cmd.exe | 77
PID 4192 wrote to memory of 3948 | 4192 | cmd.exe | 77
PID 4192 wrote to memory of 1216 | 4192 | cmd.exe | 78
PID 4192 wrote to memory of 1216 | 4192 | cmd.exe | 78
PID 5000 wrote to memory of 2308 | 5000 | RansomWin32.Wadhrama!pz.exe | 82
PID 5000 wrote to memory of 2308 | 5000 | RansomWin32.Wadhrama!pz.exe | 82
PID 2308 wrote to memory of 5696 | 2308 | cmd.exe | 84
PID 2308 wrote to memory of 5696 | 2308 | cmd.exe | 84
PID 2308 wrote to memory of 8132 | 2308 | cmd.exe | 85
PID 2308 wrote to memory of 8132 | 2308 | cmd.exe | 85
PID 5000 wrote to memory of 6208 | 5000 | RansomWin32.Wadhrama!pz.exe | 86
PID 5000 wrote to memory of 6208 | 5000 | RansomWin32.Wadhrama!pz.exe | 86
PID 5000 wrote to memory of 7944 | 5000 | RansomWin32.Wadhrama!pz.exe | 87
PID 5000 wrote to memory of 7944 | 5000 | RansomWin32.Wadhrama!pz.exe | 87
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\RansomWin32.Wadhrama!pz.exe (PID 5000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RansomWin32.Wadhrama!pz.exe"
  Signatures: Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4192)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (PID 3948)
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (PID 1216)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe (PID 2308)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (PID 5696)
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (PID 8132)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\mshta.exe (PID 6208)
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  - C:\Windows\System32\mshta.exe (PID 7944)
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- C:\Windows\system32\vssvc.exe (PID 5256)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\werfault.exe (PID 5512)
  Command line: werfault.exe /h /shared Global\639a246d200b47feb0fb39f12ed71616 /t 6128 /p 6208
- C:\Windows\system32\taskmgr.exe (PID 5792)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Drops startup file; Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\NOTEPAD.EXE (PID 6392)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Direct Volume Access (1)
  - Indicator Removal (2)
    - File Deletion (2)
  - Modify Registry (1)
Downloads
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-BB2E4EFA.[[email protected]].BOMBO
  Filesize: 2.7MB
  MD5: 42e0621f928b15cdcdfab37545a0e36a
  SHA1: a8dc3910ec046d7bd60e522befba7e4317920315
  SHA256: 9d92b0acb06db45984bf199f666feea1fbc07ff4439ba8df776d0ae4cec0b3d0
  SHA512: cafc0c13c38329e4e12e3123f0c729aa52d0d81f3f58e8f5d49518804573910cccc29f775fea4ac396d258c59831bd0f85c4c5439f65a807fd657ec516dce047
- Filesize: 7KB
  MD5: b1523328e170663bdd38412044a9b17b
  SHA1: 070d69b95a8eee1e32d40210b6dee3b1598627b0
  SHA256: f2249503058414f820b9f2c9bf42cd66436e0cb6553d00f82b4848293f54257d
  SHA512: 9f0ada856277d297f3f08a77aabac26ceab57771189a0bf16e18b43b55e086a3eca916d9365c7530fcd2d330200f04947babd3d742d574f8b74bc8dd078eba78
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RansomWin32.Wadhrama!pz.exe
  Filesize: 92KB
  MD5: 56ba37144bd63d39f23d25dae471054e
  SHA1: 088e2aff607981dfe5249ce58121ceae0d1db577
  SHA256: 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3
  SHA512: 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0
- Filesize: 186B
  MD5: f35b4642a236f85db1ba463d3a963456
  SHA1: be582d9b5bf5c541762a6e640ec1a7b12532caba
  SHA256: fc601390d8bc19ac881314b8f18ce320dde6d2c306080021b804106bc7cac409
  SHA512: a0c84412425f7f5bb120bec68b2920fb1177cc3c9630c32881b2bf83ed5926492a1801536f5a57d1fa0fbbb09ced216a518ae4e49395e13e33245792ec48b5a7