dharma | 398941db66c552980d795e0351fd5e795634acb6f5e58d24e0611871c2cc7a3b

General

Target

2_exx_20200220.exe
Size

212KB
MD5

9af53d8ea548837e6c230630bad1fe9a
SHA1

88f727b694396b5c52cb3b63ad08d1232771a4e2
SHA256

398941db66c552980d795e0351fd5e795634acb6f5e58d24e0611871c2cc7a3b
SHA512

256ec0b394fe971a6833f1239b6776f5ead5baf5ac3ca699e1c44f127dba7fcddb85db79cc3c64608163247811ebc8fbf58a67c5661607349d86c497863d504c

Score

10^/10

persistence ransomware dharma

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Drops file in System32 directory 2 IoCs

Processes:

2_exx_20200220.exe

description ioc process

File created C:\Windows\System32\2_exx_20200220.exe 2_exx_20200220.exe
File created C:\Windows\System32\Info.hta 2_exx_20200220.exe

description	ioc	process
File created	C:\Windows\System32\2_exx_20200220.exe	2_exx_20200220.exe
File created	C:\Windows\System32\Info.hta	2_exx_20200220.exe

Adds Run entry to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2_exx_20200220.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2_exx_20200220.exe = "C:\\Windows\\System32\\2_exx_20200220.exe"	2_exx_20200220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	2_exx_20200220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	2_exx_20200220.exe

Drops startup file 6 IoCs

Processes:

2_exx_20200220.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2_exx_20200220.exe	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2_exx_20200220.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2_exx_20200220.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	2_exx_20200220.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2016 vssadmin.exe
1664 vssadmin.exe

pid	process
2016	vssadmin.exe
1664	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 277 IoCs

Processes:

2_exx_20200220.exe

pid	process
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe
1848	2_exx_20200220.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

2_exx_20200220.exe

description	pid	process	target process
PID 1848 wrote to memory of 1868	1848	2_exx_20200220.exe	cmd.exe
PID 1848 wrote to memory of 1868	1848	2_exx_20200220.exe	cmd.exe
PID 1848 wrote to memory of 1868	1848	2_exx_20200220.exe	cmd.exe
PID 1848 wrote to memory of 1868	1848	2_exx_20200220.exe	cmd.exe
PID 1848 wrote to memory of 1592	1848	2_exx_20200220.exe	cmd.exe
PID 1848 wrote to memory of 1592	1848	2_exx_20200220.exe	cmd.exe
PID 1848 wrote to memory of 1592	1848	2_exx_20200220.exe	cmd.exe
PID 1848 wrote to memory of 1592	1848	2_exx_20200220.exe	cmd.exe
PID 1848 wrote to memory of 1032	1848	2_exx_20200220.exe	mshta.exe
PID 1848 wrote to memory of 1032	1848	2_exx_20200220.exe	mshta.exe
PID 1848 wrote to memory of 1032	1848	2_exx_20200220.exe	mshta.exe
PID 1848 wrote to memory of 1032	1848	2_exx_20200220.exe	mshta.exe
PID 1848 wrote to memory of 948	1848	2_exx_20200220.exe	mshta.exe
PID 1848 wrote to memory of 948	1848	2_exx_20200220.exe	mshta.exe
PID 1848 wrote to memory of 948	1848	2_exx_20200220.exe	mshta.exe
PID 1848 wrote to memory of 948	1848	2_exx_20200220.exe	mshta.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Drops desktop.ini 156 IoCs

Processes:

2_exx_20200220.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\149Z7I96\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Desktop\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Libraries\desktop.ini	2_exx_20200220.exe
File deleted	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\Contacts\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Program Files\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DZTNHC1N\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Music\Sample Music\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\Favorites\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\Videos\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CH201OQ7\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Documents\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1848298919-2336104428-4012071465-1000\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4BOE1AJG\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MV0POAJ0\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Music\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Videos\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Downloads\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\Music\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2_exx_20200220.exe
File deleted	C:\Program Files (x86)\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2_exx_20200220.exe

Drops file in Program Files directory 35516 IoCs

Processes:

2_exx_20200220.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\OUTLPERF.INI.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Java\jre7\lib\zi\SystemV\PST8PDT	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\MSOUC_K_COL.HXK.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00673L.GIF.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceAmharic.txt	2_exx_20200220.exe
File renamed	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF => C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\SETUP.XML.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BD08808_.WMF	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SL01041_.WMF.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN01308_.WMF.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01744_.GIF	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml	2_exx_20200220.exe
File deleted	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\OMSINTL.DLL.IDX_DLL	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\TWORIENT.DLL	2_exx_20200220.exe
File deleted	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.THD	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_mid.gif	2_exx_20200220.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png	2_exx_20200220.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Adak	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105298.WMF	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME52.CSS	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0251007.WMF.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02439_.WMF	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\NEWS98.POC.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\background.gif	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\APPTS.ICO.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d11_plugin.dll.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00050_.WMF.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\SCDRESPL.ICO.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	2_exx_20200220.exe
File deleted	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\background.gif.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF	2_exx_20200220.exe
File deleted	C:\Program Files\7-Zip\Lang\fr.txt	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0105348.WMF	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107258.WMF	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107724.WMF.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BABY_01.MID.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\Office14\Groove\ToolIcons\OutSyncPC.ico	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00466_.WMF	2_exx_20200220.exe
File deleted	C:\Program Files\Common Files\Microsoft Shared\THEMES14\QUAD\THMBNAIL.PNG	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Theme Colors\Module.xml	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\LINES\BD21307_.GIF.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Java\jre7\lib\net.properties.id-A8CA7411.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Java\jre7\lib\zi\Pacific\Wake	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME18.CSS	2_exx_20200220.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2040 vssvc.exe
Token: SeRestorePrivilege 2040 vssvc.exe
Token: SeAuditPrivilege 2040 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2040	vssvc.exe
Token: SeRestorePrivilege	2040	vssvc.exe
Token: SeAuditPrivilege	2040	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\2_exx_20200220.exe
"C:\Users\Admin\AppData\Local\Temp\2_exx_20200220.exe"
1⤵
- Drops file in System32 directory
- Adds Run entry to start application
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops desktop.ini
- Drops file in Program Files directory
PID:1848

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:1868

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2000

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2016

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:1592

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1652

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1664

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:1032

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
memory/1848-0-0x00000000002E9000-0x00000000002EA000-memory.dmp

Filesize
4KB

Download
memory/1848-1-0x0000000004C90000-0x0000000004CA1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads