dharma | 398941db66c552980d795e0351fd5e795634acb6f5e58d24e0611871c2cc7a3b

General

Target

2_exx_20200220.exe
Size

212KB
MD5

9af53d8ea548837e6c230630bad1fe9a
SHA1

88f727b694396b5c52cb3b63ad08d1232771a4e2
SHA256

398941db66c552980d795e0351fd5e795634acb6f5e58d24e0611871c2cc7a3b
SHA512

256ec0b394fe971a6833f1239b6776f5ead5baf5ac3ca699e1c44f127dba7fcddb85db79cc3c64608163247811ebc8fbf58a67c5661607349d86c497863d504c

Score

10^/10

persistence ransomware dharma

Malware Config

Signatures

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Drops startup file 6 IoCs

Processes:

2_exx_20200220.exe

description	ioc	process
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2_exx_20200220.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	2_exx_20200220.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2_exx_20200220.exe	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2_exx_20200220.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe

Drops file in Program Files directory 42836 IoCs

Processes:

2_exx_20200220.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-hover_32.svg.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\ui-strings.js.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-16_altform-unplated.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\miniinfoblue_16x16x32.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\XboxApp.Model\sqlite3.dll	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-125.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner_dark2x.gif	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-multibyte-l1-1-0.dll.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info2x.png.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsSplashLogo.scale-140.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarWideTile.scale-400.png	2_exx_20200220.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\ui-strings.js	2_exx_20200220.exe
File deleted	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui	2_exx_20200220.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms	2_exx_20200220.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_duplicate_18.svg.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\msipc.dll.mui.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File renamed	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe => C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\release	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms	2_exx_20200220.exe
File deleted	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2-2x.gif	2_exx_20200220.exe
File deleted	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_1d.png	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\ui-strings.js.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_24x24x32.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_altform-unplated_contrast-black.png	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.1.25002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\si_16x11.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File deleted	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms	2_exx_20200220.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookSmallTile.scale-200.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-250.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-unplated.png	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\selector.js.id-77449537.[[email protected]].ROGER	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\WesternDeck4.jpg	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-100.png	2_exx_20200220.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-400.png	2_exx_20200220.exe
File deleted	C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll	2_exx_20200220.exe

Suspicious behavior: EnumeratesProcesses 568 IoCs

Processes:

2_exx_20200220.exe

pid	process
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe
1812	2_exx_20200220.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3796 vssvc.exe
Token: SeRestorePrivilege 3796 vssvc.exe
Token: SeAuditPrivilege 3796 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3796	vssvc.exe
Token: SeRestorePrivilege	3796	vssvc.exe
Token: SeAuditPrivilege	3796	vssvc.exe

Adds Run entry to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2_exx_20200220.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	2_exx_20200220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2_exx_20200220.exe = "C:\\Windows\\System32\\2_exx_20200220.exe"	2_exx_20200220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	2_exx_20200220.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

3104 vssadmin.exe
2892 vssadmin.exe
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Drops file in System32 directory 2 IoCs

Processes:

2_exx_20200220.exe

description ioc process

File created C:\Windows\System32\2_exx_20200220.exe 2_exx_20200220.exe
File created C:\Windows\System32\Info.hta 2_exx_20200220.exe

pid	process
3104	vssadmin.exe
2892	vssadmin.exe

description	ioc	process
File created	C:\Windows\System32\2_exx_20200220.exe	2_exx_20200220.exe
File created	C:\Windows\System32\Info.hta	2_exx_20200220.exe

Drops desktop.ini 142 IoCs

Processes:

2_exx_20200220.exe

description	ioc	process
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Music\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\Music\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\Documents\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	2_exx_20200220.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-638615289-2068236702-2426684043-1000\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Videos\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\AccountPictures\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Program Files\desktop.ini	2_exx_20200220.exe
File deleted	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\Contacts\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	2_exx_20200220.exe
File deleted	C:\$Recycle.Bin\S-1-5-21-638615289-2068236702-2426684043-1000\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Public\Desktop\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2_exx_20200220.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2_exx_20200220.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2_exx_20200220.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2_exx_20200220.exe

description	pid	process	target process
PID 1812 wrote to memory of 3924	1812	2_exx_20200220.exe	cmd.exe
PID 1812 wrote to memory of 3924	1812	2_exx_20200220.exe	cmd.exe
PID 1812 wrote to memory of 748	1812	2_exx_20200220.exe	cmd.exe
PID 1812 wrote to memory of 748	1812	2_exx_20200220.exe	cmd.exe
PID 1812 wrote to memory of 3024	1812	2_exx_20200220.exe	mshta.exe
PID 1812 wrote to memory of 3024	1812	2_exx_20200220.exe	mshta.exe
PID 1812 wrote to memory of 3064	1812	2_exx_20200220.exe	mshta.exe
PID 1812 wrote to memory of 3064	1812	2_exx_20200220.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\2_exx_20200220.exe
"C:\Users\Admin\AppData\Local\Temp\2_exx_20200220.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
- Drops file in System32 directory
- Drops desktop.ini
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:3924
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2812
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3104
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:748
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2276
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2892
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:3024
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  PID:3064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:3796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
memory/1812-0-0x0000000004B41000-0x0000000004B42000-memory.dmp

Filesize
4KB

Download
memory/1812-1-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads