Analysis
- max time kernel: 150s
- max time network: 113s
- platform: windows10_x64
- resource: win10
- submitted: 26-06-2020 03:21
Static task: static1
Behavioral task: behavioral1
- Sample: fss.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: fss.exe
- Resource: win10
General
- Target: fss.exe
- Size: 92KB
- MD5: 23225afa88a61b262ee6bfe8a0b0b9bb
- SHA1: a360d8a90f35299dd37232ed9a1b7ac284e06e32
- SHA256: a49742e72ca26d37e26962ba7f2d929b87ddb6ce07f3304f78e9af499b226281
- SHA512: 470898ca49f36928625d34878b9362193fa4a1051ef4a0e001dc325f71700d22366d66f781290930a9dcbc75d33b939e676342e7be5d95ee5c5bbefe9c92bf6d
Malware Config
- Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
  - File opened for modification C:\Users\Admin\Pictures\RequestPublish.tiff (fss.exe)
  - File opened for modification C:\Users\Admin\Pictures\DisableExit.tiff (fss.exe)
- Drops startup file (5 IoCs)
  Processes (description / ioc / process):
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1B36531D.[[email protected]].credo (fss.exe)
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1B36531D.[[email protected]].credo (fss.exe)
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (fss.exe)
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fss.exe (fss.exe)
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (fss.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description / ioc / process):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fss.exe = "C:\\Windows\\System32\\fss.exe" (fss.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" (fss.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" (fss.exe)
- Drops desktop.ini file(s) (64 IoCs)
- Drops file in System32 directory (2 IoCs)
  Processes (description / ioc / process):
  - File created C:\Windows\System32\fss.exe (fss.exe)
  - File created C:\Windows\System32\Info.hta (fss.exe)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid / process):
  - 1712 vssadmin.exe
  - 4064 vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  - 3176 fss.exe (the same entry is recorded 64 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeBackupPrivilege, 3224 vssvc.exe
  - Token: SeRestorePrivilege, 3224 vssvc.exe
  - Token: SeAuditPrivilege, 3224 vssvc.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / pid / process / target process; each entry is recorded twice in the report):
  - PID 3176 (fss.exe) wrote to memory of 4036 (cmd.exe)
  - PID 4036 (cmd.exe) wrote to memory of 3596 (mode.com)
  - PID 4036 (cmd.exe) wrote to memory of 1712 (vssadmin.exe)
  - PID 3176 (fss.exe) wrote to memory of 1680 (cmd.exe)
  - PID 1680 (cmd.exe) wrote to memory of 1848 (mode.com)
  - PID 1680 (cmd.exe) wrote to memory of 4064 (vssadmin.exe)
  - PID 3176 (fss.exe) wrote to memory of 3748 (mshta.exe)
  - PID 3176 (fss.exe) wrote to memory of 2120 (mshta.exe)
Processes (process tree; the number in parentheses is the nesting level)
- C:\Users\Admin\AppData\Local\Temp\fss.exe (1), command line: "C:\Users\Admin\AppData\Local\Temp\fss.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (2), command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (3), command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (3), command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\system32\cmd.exe (2), command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (3), command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (3), command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\System32\mshta.exe (2), command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  - C:\Windows\System32\mshta.exe (2), command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- C:\Windows\system32\vssvc.exe (1), command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 4babcb36cc767396ed927b3c0ee95935
  SHA1: 108dcf48444807f907f386ab5baa51919a7abc58
  SHA256: 9a363772b14fb16a7601c190dfb5bcd5a614902ef18e086301850fb7baf14819
  SHA512: 000d12d7d34996258a87aa37d3cd68a9f6115480cef1696ac94dd321c00e7d46f355c7dde347942e13b807043a3687cbff9f733f9b2e4da4cbaac831e6abfbd6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 4babcb36cc767396ed927b3c0ee95935
  SHA1: 108dcf48444807f907f386ab5baa51919a7abc58
  SHA256: 9a363772b14fb16a7601c190dfb5bcd5a614902ef18e086301850fb7baf14819
  SHA512: 000d12d7d34996258a87aa37d3cd68a9f6115480cef1696ac94dd321c00e7d46f355c7dde347942e13b807043a3687cbff9f733f9b2e4da4cbaac831e6abfbd6
- memory/1680-3-0x0000000000000000-mapping.dmp
- memory/1712-2-0x0000000000000000-mapping.dmp
- memory/1848-4-0x0000000000000000-mapping.dmp
- memory/2120-7-0x0000000000000000-mapping.dmp
- memory/3596-1-0x0000000000000000-mapping.dmp
- memory/3748-6-0x0000000000000000-mapping.dmp
- memory/4036-0-0x0000000000000000-mapping.dmp
- memory/4064-5-0x0000000000000000-mapping.dmp