dharma | e264b1a0c00bcb0329845d7155bd540dfe3909f8bf72d2572db0f56bdcbb99ed

General

Target

RapeD.exe
Size

92KB
MD5

b709b29f7b84533ad0899a6fb739f0d1
SHA1

9649c54ef995f14f702191c618221331d1058c38
SHA256

e264b1a0c00bcb0329845d7155bd540dfe3909f8bf72d2572db0f56bdcbb99ed
SHA512

d45b583dd5b6fbe6b2360526e94df2d105f4019aef60f8f224a3ef462dd058e4d8de1ddbded8284e05487341760f92e9468cabc15a9d93b38b86cc89bce97fb5

Score

10^/10

persistence spyware ransomware dharma

Malware Config

Signatures

Adds Run entry to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RapeD.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RapeD.exe = "C:\\Windows\\System32\\RapeD.exe"	RapeD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	RapeD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	RapeD.exe

Drops startup file 5 IoCs

Processes:

RapeD.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RapeD.exe	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	RapeD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	RapeD.exe

Drops desktop.ini file(s) 70 IoCs

Processes:

RapeD.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	RapeD.exe
File opened for modification	C:\Program Files\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	RapeD.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	RapeD.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	RapeD.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	RapeD.exe
File opened for modification	C:\Users\Public\desktop.ini	RapeD.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Drops file in Program Files directory 35265 IoCs

Processes:

RapeD.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10911_24x24x32.png	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\4608_32x32x32.png	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7656_24x24x32.png	RapeD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\cross.png	RapeD.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\81.0.4044.129\Extensions\external_extensions.json	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-125_kzf8qxf38zg5c\SkypeApp\Assets\delete_12x12.scale-125.png	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\Skype_Call_Hold.m4a	RapeD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Goal_3.jpg	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-phn.xrm-ms.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\doh.png	RapeD.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\splashscreen.dll.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\expression_picker_tab_placeholder.png	RapeD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\ui-strings.js	RapeD.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	RapeD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress_spinner2x.gif.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\LightGray.png	RapeD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\ui-strings.js	RapeD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\cli.luac	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png	RapeD.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\ui-strings.js.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\mask_corners_cardback.png	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-ppd.xrm-ms.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-100.png	RapeD.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\ui-strings.js.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	RapeD.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_TileMediumSquare.scale-100.png	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ng_60x42.png	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-24_altform-unplated.png	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSSOAP30.DLL.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\[email protected].[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	RapeD.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\Sybase.xsl.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated.png	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-64_contrast-white.png	RapeD.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster.jpg.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll	RapeD.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\rhp_world_icon_2x.png.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\LobbyTiles\Klondike_bp_809.jpg	RapeD.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.id-5E8A76FE.[[email protected]].harma	RapeD.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_contrast-black.png	RapeD.exe

Suspicious behavior: EnumeratesProcesses 574 IoCs

Processes:

RapeD.exe

pid	process
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe
2116	RapeD.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

RapeD.exe

description	pid	process	target process
PID 2116 wrote to memory of 2452	2116	RapeD.exe	cmd.exe
PID 2116 wrote to memory of 2452	2116	RapeD.exe	cmd.exe
PID 2116 wrote to memory of 2728	2116	RapeD.exe	cmd.exe
PID 2116 wrote to memory of 2728	2116	RapeD.exe	cmd.exe
PID 2116 wrote to memory of 1792	2116	RapeD.exe	mshta.exe
PID 2116 wrote to memory of 1792	2116	RapeD.exe	mshta.exe
PID 2116 wrote to memory of 1928	2116	RapeD.exe	mshta.exe
PID 2116 wrote to memory of 1928	2116	RapeD.exe	mshta.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3300 vssvc.exe
Token: SeRestorePrivilege 3300 vssvc.exe
Token: SeAuditPrivilege 3300 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3300	vssvc.exe
Token: SeRestorePrivilege	3300	vssvc.exe
Token: SeAuditPrivilege	3300	vssvc.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe

Drops file in System32 directory 2 IoCs

Processes:

RapeD.exe

description ioc process

File created C:\Windows\System32\RapeD.exe RapeD.exe
File created C:\Windows\System32\Info.hta RapeD.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2420 vssadmin.exe
2292 vssadmin.exe

description	ioc	process
File created	C:\Windows\System32\RapeD.exe	RapeD.exe
File created	C:\Windows\System32\Info.hta	RapeD.exe

pid	process
2420	vssadmin.exe
2292	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\RapeD.exe
"C:\Users\Admin\AppData\Local\Temp\RapeD.exe"
1⤵
- Adds Run entry to start application
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:2116

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2452

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:3928

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2420

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2728

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1804

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2292

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:1792

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:1928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads