Analysis Overview
SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
Threat Level: Known bad
The file dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe was found to be: Known bad.
Malicious Activity Summary
Dharma family
Dharma
Deletes shadow copies
Renames multiple (310) files with added filename extension
Renames multiple (669) files with added filename extension
Downloads MZ/PE file
Checks computer location settings
Drops startup file
Credentials from Password Stores: Windows Credential Manager
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in System32 directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Modifies Internet Explorer settings
Interacts with shadow copies
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-11 21:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-11 21:41
Reported
2025-02-11 21:44
Platform
win7-20241010-en
Max time kernel
136s
Max time network
42s
Command Line
Signatures
Dharma
Dharma family
Deletes shadow copies
Renames multiple (310) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe = "C:\\Windows\\System32\\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe" | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
Drops desktop.ini file(s)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Windows\System32\Info.hta | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18254_.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107350.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgRes.dll.mui.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dts_plugin.dll.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00468_.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00452_.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SpaceSelector.ico | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187921.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\COPYRIGHT | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\More Games\it-IT\MoreGames.dll.mui.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\PortalConnect.dll.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\en-US\wmplayer.exe.mui | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185776.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02791_.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115863.GIF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_it.jar.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\README.html.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00932_.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Adak | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Campo_Grande | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_alignleft.gif.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\SpiderSolitaire.exe.mui.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01474_.WMF | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Bogota | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Rome | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\ChkrRes.dll.mui.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\MEDCAT.DLL.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\MLCFG32.CPL.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\PREVIEW.GIF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\SaveConfirm.temp.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF.id-802C12A1.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Note: the process adjusting these privileges is vssvc.exe, the Volume Shadow Copy service itself, which starts when the sample's "vssadmin delete shadows /all /quiet" commands are run (see the process list below). The privilege changes are the service's own and corroborate the shadow-copy deletion; they are not a separate privilege escalation by the sample.
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe
"C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
Network
Files
memory/1740-0-0x0000000000400000-0x000000000056F000-memory.dmp
memory/1740-1-0x000000000A8C0000-0x000000000A8F4000-memory.dmp
memory/1740-2-0x0000000000400000-0x000000000056F000-memory.dmp
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id-802C12A1.[[email protected]].ncov
| MD5 | f7473ee79ce69d1ad8750205fc778a1d |
| SHA1 | 54ee735a5de2f76568fc13ef90297f0f0f5e6ba0 |
| SHA256 | a72150e55259f889f99fb0b4042c3b978c7bc884a67311d98024aa2803c4ea32 |
| SHA512 | 98197fa64ac5e32d242c7dd2545b5895bb294ced4662c74cc9ea7bfbaf699ac30d54d4cacc4a7abe80cd0deffcf851401cd9960ec14b8ad0a4ae662864bde829 |
memory/1740-4394-0x0000000000400000-0x000000000056F000-memory.dmp
memory/1740-4437-0x000000000A8C0000-0x000000000A8F4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
| MD5 | 1701cf1483273a74b51b08c46aecfa81 |
| SHA1 | e684f4e5097b75642d6164e4ba7fc001f5dc70b8 |
| SHA256 | 425c38795096dc2d4fbc1e58f7b7b049e2aa103b243c1fd933cf332dfb73f84d |
| SHA512 | e1695131644e40c39da595dfb131c6f06d3ef8163008b3a01984c2002da2828d11da30abc20494f72a6b5e830e82d821401f5cd95c45bf020b7762bc23f58b4e |
memory/3692-20171-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-11 21:41
Reported
2025-02-11 21:46
Platform
win10v2004-20250207-en
Max time kernel
270s
Max time network
273s
Command Line
Signatures
Dharma
Dharma family
Deletes shadow copies
Renames multiple (669) files with added filename extension
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
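Across both detonations the sample renames each encrypted file to "<original name>.id-<8 hex>.[<contact>].ncov", and the 8-hex victim id differs per run (802C12A1 on win7 above, 3E87EF11 here on win10). The Python below is an added example, not part of this report, that parses that naming scheme and tallies renamed files per victim id and extension. The contact address is masked on this page, so the constructed sample paths use the placeholder restore@example.invalid (an assumption, not the real address); the directory and file names are otherwise copied from the tables above.

```python
import re
from collections import Counter

# Dharma/CrySiS renames each encrypted file to
#   <original name>.id-<8 hex victim id>.[<contact address>].<campaign extension>
# e.g. desktop.ini -> desktop.ini.id-802C12A1.[<contact>].ncov in the report above.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-F]{8})"
    r"\.\[(?P<contact>[^\]\\/]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]{1,16})$",
    re.IGNORECASE,
)


def parse_dharma_name(path):
    """Split a Dharma-style path into its parts; return None for a non-matching name."""
    m = DHARMA_NAME.match(path)
    if m is None:
        return None
    return {
        "original": m.group("original"),            # path as it was before encryption
        "victim_id": m.group("victim_id").upper(),  # differs per infected host/run
        "contact": m.group("contact"),
        "ext": m.group("ext").lower(),
    }


def summarize(paths):
    """Tally renamed files per victim id and extension; keep the untouched paths."""
    per_victim, per_ext, untouched = Counter(), Counter(), []
    for p in paths:
        parsed = parse_dharma_name(p)
        if parsed is None:
            untouched.append(p)
            continue
        per_victim[parsed["victim_id"]] += 1
        per_ext[parsed["ext"]] += 1
    return {"per_victim": dict(per_victim), "per_ext": dict(per_ext), "untouched": untouched}


# Constructed sample: three renamed paths taken from the two detonations above
# (two from win7, one from win10) with the masked contact replaced by an assumed
# placeholder address, plus two paths the report lists only as "opened for
# modification", i.e. not renamed.
CONTACT = "restore@example.invalid"  # assumption: the page masks the real address
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    r"\desktop.ini.id-802C12A1.[" + CONTACT + "].ncov",
    r"C:\Program Files\VideoLAN\VLC\plugins\packetizer"
    r"\libpacketizer_dts_plugin.dll.id-802C12A1.[" + CONTACT + "].ncov",
    r"C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.id-3E87EF11.[" + CONTACT + "].ncov",
    r"C:\Program Files\Java\jre7\COPYRIGHT",
    r"C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(parse_dharma_name(p) or "untouched: " + p)
    print(summarize(SAMPLE_PATHS))
```

Run over a full file listing of an affected host, the per-victim tally tells you whether one or several infected machines wrote into a share, and the "original" field gives the exact name to restore from backup.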
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe = "C:\\Windows\\System32\\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe" | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
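Both detonations write the same three HKLM Run values: two that launch mshta.exe on a dropped Info.hta (one copy under System32, one under the user's AppData\Roaming) and one that points at the sample's own copy in System32, and the value names of the first two are themselves file paths. The Python below is an added triage example, not part of this report, that scores Run entries for exactly those traits (a script host given an .hta, a target in a user-writable directory, a hash-like executable name, a value name that is a path). The three entries are copied from the table above; the SecurityHealth entry is a constructed benign control.

```python
import re

# Run values from the two detonations above (value name -> command) plus a
# constructed benign control (SecurityHealth, a stock Windows 10 Run entry).
SAMPLE = "dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe"
RUN_ENTRIES = {
    r"C:\Windows\System32\Info.hta": r'mshta.exe "C:\Windows\System32\Info.hta"',
    r"C:\Users\Admin\AppData\Roaming\Info.hta": r'mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"',
    SAMPLE: r"C:\Windows\System32" + "\\" + SAMPLE,
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

# Script/loader hosts that a Run value should rarely invoke with a payload argument.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# MD5 / SHA-1 / SHA-256 length hex names, as with the sample's own copy in System32.
HASH_LIKE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\.exe$", re.I)


def split_command(command):
    """Return (program, arguments) for a Run value, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end > 0:
            return command[1:end], command[end + 1:].strip()
    head, _, tail = command.partition(" ")
    return head, tail.strip()


def assess_run_entry(value_name, command):
    """List the suspicious traits of one Run value (empty list means nothing flagged)."""
    program, args = split_command(command)
    base = program.rsplit("\\", 1)[-1].lower()
    reasons = []
    if base in SCRIPT_HOSTS and args:
        reasons.append("script host " + base + " launched with an argument")
    if re.search(r"\.hta\b", args, re.I):
        reasons.append("executes an HTA file")
    if HASH_LIKE.match(base):
        reasons.append("hash-like executable name")
    if USER_WRITABLE.search(program) or USER_WRITABLE.search(args):
        reasons.append("target in a user-writable directory")
    if re.match(r"^[A-Za-z]:\\", value_name):
        reasons.append("value name is a file path")
    return reasons


def triage(entries):
    """Return only the flagged entries: value name -> list of reasons."""
    flagged = {}
    for name, command in entries.items():
        reasons = assess_run_entry(name, command)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(RUN_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
```

On a live host the same function can be fed the output of "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run" and its HKCU counterpart; note that the System32 copy of Info.hta is not caught by the user-writable check, which is why the HTA and path-as-name checks are kept separate.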
Drops desktop.ini file(s)
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Windows\System32\Info.hta | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_he.json | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\SmallTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\javafx\public_suffix.md.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\messages.properties.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\vi.pak.DATA | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\PhotoViewer.dll.mui | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\jaccess.jar.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\_Resources\14.rsrc | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\as.pak.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\ui-strings.js.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\ui-strings.js.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.ONENOTE.16.1033.hxn | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\reduced_mode-2x.png.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-96_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-math-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libps_plugin.dll.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\MSFT_PackageManagementSource.schema.mfl.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.122.manifest.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\WindowsBase.dll | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Light.scale-125.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\manifest.json | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\sawindbg.dll | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-hover_32.svg | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libstl_plugin.dll | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\AdobePiStd.otf.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-250.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\jfxswt.jar.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_selected_18.svg | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.Proxies.dll | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\images\cursors\cursors.properties.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ppd.xrm-ms.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlInnerCircleHover.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\Informix.xsl | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\vccorlib140.dll.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl.id-3E87EF11.[[email protected]].ncov | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-125.png | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe
"C:\Users\Admin\AppData\Local\Temp\dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NjM1Njk2MDc4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 4.155.164.36:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
memory/1052-0-0x0000000000400000-0x000000000056F000-memory.dmp
memory/1052-1-0x000000000ADC0000-0x000000000ADF4000-memory.dmp
memory/1052-3-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-3E87EF11.[[email protected]].ncov
| MD5 | 8e9f735591f37747f320a012fb3fc4fb |
| SHA1 | 8ee7ffb23770951670e1e8d3905316b675c35bc7 |
| SHA256 | 03feb1b54b48d534f60d21622f7d1f0e75670e94eacc23ad76735f4b16069492 |
| SHA512 | 1f96e13af0b7a6e00628c0cf3ea07919342e1539af182d312606515b2afe8abd1c50ec8e3ec735fd65300bb35e6f84b626b9431829c2508dce327349cada3149 |
memory/1052-13749-0x0000000000400000-0x000000000056F000-memory.dmp
memory/1052-18770-0x000000000ADC0000-0x000000000ADF4000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
| MD5 | 1618251420f3a2a2f62d4e8454a0a094 |
| SHA1 | 8af8ce12655b5f847b4d91e95bc5df16468792c9 |
| SHA256 | d8986b4e7519c8a40e1dba57d8f5c4058938692c62cf2cf8f2bf79265f56a3b7 |
| SHA512 | 9a8ebc9e51e0b428b588c80c6bee3d7d5e3164fc707b0d42eca73c90bf6f7d8ac74b62a52111f2bf834d1c844129dc843f1a306f90ff4f6ea303e5ae35f55ce5 |
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\msedgeupdate.dll
| MD5 | 40cd707dd3011a9845ff9c42256ea7e3 |
| SHA1 | 4045ae709979f75b1cf32142c1137b4be2ab9908 |
| SHA256 | 9f4c7072716e0be1be08207a7024a5e41162e288e677d805be8e5469a8bd4909 |
| SHA512 | bf1ada8a0d9c3d9f39fb739d05fc4a61f0a7e0e1bb5eb44e6f0f5f58381ee6d80aad89dbc3211b70a6294fc69d5820c70fa8488ef2f793a3710ecff5ee90422e |
C:\Users\Public\Desktop\FILES ENCRYPTED.txt
| MD5 | 21539971cae3b6278ce678b16b3f2643 |
| SHA1 | f4357280ca6838b0b62e610c6ffc24d1ab615e37 |
| SHA256 | b386715edcdb5fbb762f2308d588c5a67bfe65745105b87228596885e4715045 |
| SHA512 | 43f07a7df1bf14f76f60424219f00c051f4097f222f3b453cd208449f30e4915745300ad89f45a738bd828c7691fe97c0a16fa58115057d4ccf0e1784b46a7db |