dharma | e264b1a0c00bcb0329845d7155bd540dfe3909f8bf72d2572db0f56bdcbb99ed

General

Target

RapeD.exe
Size

92KB
MD5

b709b29f7b84533ad0899a6fb739f0d1
SHA1

9649c54ef995f14f702191c618221331d1058c38
SHA256

e264b1a0c00bcb0329845d7155bd540dfe3909f8bf72d2572db0f56bdcbb99ed
SHA512

d45b583dd5b6fbe6b2360526e94df2d105f4019aef60f8f224a3ef462dd058e4d8de1ddbded8284e05487341760f92e9468cabc15a9d93b38b86cc89bce97fb5

Score

10^/10

ransomware dharma persistence spyware

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1820 vssvc.exe
Token: SeRestorePrivilege 1820 vssvc.exe
Token: SeAuditPrivilege 1820 vssvc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

mshta.exe

pid process

1464 mshta.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

description	pid	process
Token: SeBackupPrivilege	1820	vssvc.exe
Token: SeRestorePrivilege	1820	vssvc.exe
Token: SeAuditPrivilege	1820	vssvc.exe

pid	process
1464	mshta.exe

Suspicious behavior: EnumeratesProcesses 285 IoCs

Processes:

RapeD.exe

pid	process
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe
1032	RapeD.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

RapeD.exe

description	pid	process	target process
PID 1032 wrote to memory of 916	1032	RapeD.exe	cmd.exe
PID 1032 wrote to memory of 916	1032	RapeD.exe	cmd.exe
PID 1032 wrote to memory of 916	1032	RapeD.exe	cmd.exe
PID 1032 wrote to memory of 916	1032	RapeD.exe	cmd.exe
PID 1032 wrote to memory of 2036	1032	RapeD.exe	cmd.exe
PID 1032 wrote to memory of 2036	1032	RapeD.exe	cmd.exe
PID 1032 wrote to memory of 2036	1032	RapeD.exe	cmd.exe
PID 1032 wrote to memory of 2036	1032	RapeD.exe	cmd.exe
PID 1032 wrote to memory of 1464	1032	RapeD.exe	mshta.exe
PID 1032 wrote to memory of 1464	1032	RapeD.exe	mshta.exe
PID 1032 wrote to memory of 1464	1032	RapeD.exe	mshta.exe
PID 1032 wrote to memory of 1464	1032	RapeD.exe	mshta.exe
PID 1032 wrote to memory of 1780	1032	RapeD.exe	mshta.exe
PID 1032 wrote to memory of 1780	1032	RapeD.exe	mshta.exe
PID 1032 wrote to memory of 1780	1032	RapeD.exe	mshta.exe
PID 1032 wrote to memory of 1780	1032	RapeD.exe	mshta.exe

Drops startup file 5 IoCs

Processes:

RapeD.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RapeD.exe	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	RapeD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	RapeD.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Drops desktop.ini file(s) 77 IoCs

Processes:

RapeD.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	RapeD.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQD6DIKV\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5Q8AAMSB\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1IGGBW8Z\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	RapeD.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\557LH6Z9\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XGJ27KX4\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	RapeD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OT4YD26O\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	RapeD.exe
File opened for modification	C:\Program Files\desktop.ini	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	RapeD.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-910373003-3952921535-3480519689-1000\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	RapeD.exe

Drops file in Program Files directory 27842 IoCs

Processes:

RapeD.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORM.DLL	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_file_plugin.dll	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\OUTLOOK.DEV_COL.HXC	RapeD.exe
File opened for modification	C:\Program Files\Microsoft SQL Server Compact Edition\v3.5\sqlcese35.dll	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VVIEWDWG.DLL.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_sun.png	RapeD.exe
File created	C:\Program Files\VideoLAN\VLC\skins\skin.catalog.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TR00232_.WMF.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18182_.WMF.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\Office14\CONTAB32.DLL.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00103_.GIF	RapeD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_display_plugin.dll	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.CSS.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Concourse.thmx.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5B.GIF	RapeD.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01180_.WMF.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0299587.WMF	RapeD.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\gadget.xml	RapeD.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\deployJava1.dll	RapeD.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\11.png	RapeD.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Teal.css.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\vlc.mo.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD00403_.WMF.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar	RapeD.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\GRDEN_01.MID.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	RapeD.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\OSETUPUI.DLL	RapeD.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_over.png	RapeD.exe
File created	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGLBL110.XML.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0241041.WMF.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding_1.6.200.v20140528-1422.jar.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Tripoli.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javaws.policy	RapeD.exe
File created	C:\Program Files\Microsoft Office\Office14\BCSRuntimeUI.dll.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\Office14\FORMS\1033\POSTITL.ICO.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME54.CSS.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	RapeD.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.id-3B14217B.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Java\jre7\bin\awt.dll.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Informix.xsl	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\HH00235_.WMF.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02426_.WMF	RapeD.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.id-3B14217B.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PAGESIZE\PGMN111.XML.id-3B14217B.[[email protected]].harma	RapeD.exe

Adds Run entry to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RapeD.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	RapeD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	RapeD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RapeD.exe = "C:\\Windows\\System32\\RapeD.exe"	RapeD.exe

Drops file in System32 directory 2 IoCs

Processes:

RapeD.exe

description ioc process

File created C:\Windows\System32\RapeD.exe RapeD.exe
File created C:\Windows\System32\Info.hta RapeD.exe
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1788 vssadmin.exe
1264 vssadmin.exe

description	ioc	process
File created	C:\Windows\System32\RapeD.exe	RapeD.exe
File created	C:\Windows\System32\Info.hta	RapeD.exe

pid	process
1788	vssadmin.exe
1264	vssadmin.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\RapeD.exe
"C:\Users\Admin\AppData\Local\Temp\RapeD.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Adds Run entry to start application
- Drops file in System32 directory
PID:1032

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:916

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1768

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1788

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2036

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1088

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1264

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Suspicious use of SetWindowsHookEx
- Modifies Internet Explorer settings
PID:1464

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:1780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1820

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Download Submit
memory/1464-10-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads