Analysis
- max time kernel: 151s
- max time network: 6s
- platform: windows7_x64
- resource: win7v200430
- submitted: 26-06-2020 03:21
Static task: static1
Behavioral task: behavioral1
- Sample: fss.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: fss.exe
- Resource: win10
General
- Target: fss.exe
- Size: 92KB
- MD5: 23225afa88a61b262ee6bfe8a0b0b9bb
- SHA1: a360d8a90f35299dd37232ed9a1b7ac284e06e32
- SHA256: a49742e72ca26d37e26962ba7f2d929b87ddb6ce07f3304f78e9af499b226281
- SHA512: 470898ca49f36928625d34878b9362193fa4a1051ef4a0e001dc325f71700d22366d66f781290930a9dcbc75d33b939e676342e7be5d95ee5c5bbefe9c92bf6d
Malware Config
- Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: fss.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\SuspendInstall.tiff | fss.exe
  File opened for modification | C:\Users\Admin\Pictures\ConfirmRead.tiff | fss.exe
- Drops startup file (5 IoCs)
  Processes: fss.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fss.exe | fss.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | fss.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-56866557.[[email protected]].credo | fss.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-56866557.[[email protected]].credo | fss.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | fss.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: fss.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fss.exe = "C:\\Windows\\System32\\fss.exe" | fss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | fss.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | fss.exe
- Drops desktop.ini file(s) (64 IoCs)
  Processes: fss.exe
- Drops file in System32 directory (2 IoCs)
  Processes: fss.exe
  description | ioc | process
  File created | C:\Windows\System32\fss.exe | fss.exe
  File created | C:\Windows\System32\Info.hta | fss.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: fss.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  1832 | vssadmin.exe
  1988 | vssadmin.exe
- Modifies Internet Explorer settings (2 IoCs)
  Processes: mshta.exe, mshta.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: fss.exe
  pid | process
  272 | fss.exe (this entry is repeated 64 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1900 | vssvc.exe
  Token: SeRestorePrivilege | 1900 | vssvc.exe
  Token: SeAuditPrivilege | 1900 | vssvc.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: mshta.exe, NOTEPAD.EXE
  pid | process
  1976 | mshta.exe
  1992 | NOTEPAD.EXE
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: fss.exe, cmd.exe, cmd.exe
  description | pid | process | target process | entries
  PID 272 wrote to memory of 824 | 272 | fss.exe | cmd.exe | 4
  PID 824 wrote to memory of 1380 | 824 | cmd.exe | mode.com | 3
  PID 824 wrote to memory of 1832 | 824 | cmd.exe | vssadmin.exe | 3
  PID 272 wrote to memory of 1604 | 272 | fss.exe | cmd.exe | 4
  PID 1604 wrote to memory of 1584 | 1604 | cmd.exe | mode.com | 3
  PID 1604 wrote to memory of 1988 | 1604 | cmd.exe | vssadmin.exe | 3
  PID 272 wrote to memory of 2016 | 272 | fss.exe | mshta.exe | 4
  PID 272 wrote to memory of 1976 | 272 | fss.exe | mshta.exe | 4
Processes
- C:\Users\Admin\AppData\Local\Temp\fss.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fss.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\System32\mshta.exe
    command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
  - C:\Windows\System32\mshta.exe
    command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: aa7e471745d6bdaa05b9e9eec85f067c
  SHA1: 01a6602cf2ae21f074ce5c0765ae3c25e8f11e33
  SHA256: fba31ecd7cfca77e77ecd32e5651e87965968fc5dd783b34d3348f6384321e42
  SHA512: 73048ddafd6d8d355e254bc313f6b3e0dc129c7665d6b74f1b40485e4bbcb7ee0ee8b4b99b4fdf9102d109d63a0ccac9fca78e567b93cf77d146cf133500d3c1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: aa7e471745d6bdaa05b9e9eec85f067c
  SHA1: 01a6602cf2ae21f074ce5c0765ae3c25e8f11e33
  SHA256: fba31ecd7cfca77e77ecd32e5651e87965968fc5dd783b34d3348f6384321e42
  SHA512: 73048ddafd6d8d355e254bc313f6b3e0dc129c7665d6b74f1b40485e4bbcb7ee0ee8b4b99b4fdf9102d109d63a0ccac9fca78e567b93cf77d146cf133500d3c1
- C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
  MD5: 532e55eaef86283b9da3520522373667
  SHA1: ed2931d1b2cb67120942dbb0e99879ed4bb4d18a
  SHA256: 421ff49103a11496c0ee49a3ca13446d5343a4facabf3f5cf0eeebe48b737c81
  SHA512: db4d2f353263a98fa75d831f09b10774cf61b7b2368399109c916a412d8314596f57790412b3d01fc891347c8efe154b39e8ca482f9f791b3187c4c50711928e
-
- memory/824-0-0x0000000000000000-mapping.dmp
- memory/1380-1-0x0000000000000000-mapping.dmp
- memory/1584-4-0x0000000000000000-mapping.dmp
- memory/1604-3-0x0000000000000000-mapping.dmp
- memory/1832-2-0x0000000000000000-mapping.dmp
- memory/1976-7-0x0000000000000000-mapping.dmp
- memory/1988-5-0x0000000000000000-mapping.dmp
- memory/2016-6-0x0000000000000000-mapping.dmp
- memory/2016-20-0x0000000005A50000-0x0000000005A73000-memory.dmp (filesize: 140KB)
- memory/2016-21-0x0000000003F30000-0x0000000003F3B000-memory.dmp (filesize: 44KB)