dharma | fbbe5adbf18c37ddee49aec819a48eedd7d6c329ec0d1eab71905d5fed08ba7d

General

Target

winhost.exe
Size

92KB
MD5

37a1431c3ed1ad5264b8964b929ee919
SHA1

fa26065771340320edea37b00c9453c51f66c6b3
SHA256

fbbe5adbf18c37ddee49aec819a48eedd7d6c329ec0d1eab71905d5fed08ba7d
SHA512

86420527eb5c8d7f53711159e426702c85fb54c5bc5d777ba3852602ee907cd7631e92d8784369011ccf956a427c43c0f2260ada6b2e82dcfe76edf2a2a374bc

Score

10^/10

ransomware dharma persistence spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Ransom Note

all your data has been locked us You want to return? write email [email protected] or [email protected]

Emails

[email protected]

Signatures

Adds Run entry to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe"	winhost.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1532 vssadmin.exe
1916 vssadmin.exe

pid	process
1532	vssadmin.exe
1916	vssadmin.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

winhost.execmd.execmd.exe

description	pid	process	target process
PID 824 wrote to memory of 1296	824	winhost.exe	cmd.exe
PID 824 wrote to memory of 1296	824	winhost.exe	cmd.exe
PID 824 wrote to memory of 1296	824	winhost.exe	cmd.exe
PID 824 wrote to memory of 1296	824	winhost.exe	cmd.exe
PID 1296 wrote to memory of 1048	1296	cmd.exe	mode.com
PID 1296 wrote to memory of 1048	1296	cmd.exe	mode.com
PID 1296 wrote to memory of 1048	1296	cmd.exe	mode.com
PID 1296 wrote to memory of 1532	1296	cmd.exe	vssadmin.exe
PID 1296 wrote to memory of 1532	1296	cmd.exe	vssadmin.exe
PID 1296 wrote to memory of 1532	1296	cmd.exe	vssadmin.exe
PID 824 wrote to memory of 1552	824	winhost.exe	cmd.exe
PID 824 wrote to memory of 1552	824	winhost.exe	cmd.exe
PID 824 wrote to memory of 1552	824	winhost.exe	cmd.exe
PID 824 wrote to memory of 1552	824	winhost.exe	cmd.exe
PID 1552 wrote to memory of 1952	1552	cmd.exe	mode.com
PID 1552 wrote to memory of 1952	1552	cmd.exe	mode.com
PID 1552 wrote to memory of 1952	1552	cmd.exe	mode.com
PID 1552 wrote to memory of 1916	1552	cmd.exe	vssadmin.exe
PID 1552 wrote to memory of 1916	1552	cmd.exe	vssadmin.exe
PID 1552 wrote to memory of 1916	1552	cmd.exe	vssadmin.exe
PID 824 wrote to memory of 1980	824	winhost.exe	mshta.exe
PID 824 wrote to memory of 1980	824	winhost.exe	mshta.exe
PID 824 wrote to memory of 1980	824	winhost.exe	mshta.exe
PID 824 wrote to memory of 1980	824	winhost.exe	mshta.exe
PID 824 wrote to memory of 1960	824	winhost.exe	mshta.exe
PID 824 wrote to memory of 1960	824	winhost.exe	mshta.exe
PID 824 wrote to memory of 1960	824	winhost.exe	mshta.exe
PID 824 wrote to memory of 1960	824	winhost.exe	mshta.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops startup file 5 IoCs

Processes:

winhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	winhost.exe

Drops file in Program Files directory 27835 IoCs

Processes:

winhost.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_th.dll.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Internet Explorer\ie9props.propdesc	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BL00195_.WMF	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUB6INTL.DLL.IDX_DLL	winhost.exe
File created	C:\Program Files\Microsoft Office\Templates\1033\Access\Faculty.accdt.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0153305.WMF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Checkers.api.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Search5.api.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0239973.WMF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099204.WMF	winhost.exe
File created	C:\Program Files\Microsoft Office\Office14\PROOF\MSSP7EN.dub.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeLinguistic.dll.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	winhost.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0200289.WMF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14868_.GIF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME28.CSS.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107262.WMF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Araguaina	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\FORMS\1033\IPML.ICO	winhost.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-attach.jar.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0152606.WMF	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\IRIS\IRIS.ELM	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01015_.WMF	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00486_.WMF	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\St_Johns	winhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\goopdateres_fr.dll.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	winhost.exe
File opened for modification	C:\Program Files\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.SqlServerCe.dll	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll	winhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_down.png	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107130.WMF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\Sounds\Places\WARN.WAV.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png	winhost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcf.dll	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\bin\awt.dll.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\THEMES14\AXIS\PREVIEW.GIF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46F.GIF	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NPSPWRAP.DLL	winhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD00437_.WMF	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\FD02161_.WMF.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\EXCEL.DEV_F_COL.HXK.id-1D9C8C54.[[email protected]].smpl	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\DGBOXES.XML	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14754_.GIF.id-1D9C8C54.[[email protected]].smpl	winhost.exe

Drops desktop.ini file(s) 77 IoCs

Processes:

winhost.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZMLBLRQ7\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	winhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OLSU73OI\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V8SX06NR\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RBDIK06K\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1MJ70CPH\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	winhost.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GVV7BJHB\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\desktop.ini	winhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	winhost.exe

Suspicious behavior: EnumeratesProcesses 289 IoCs

Processes:

winhost.exe

pid	process
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe
824	winhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1700 vssvc.exe
Token: SeRestorePrivilege 1700 vssvc.exe
Token: SeAuditPrivilege 1700 vssvc.exe
Drops file in System32 directory 2 IoCs

Processes:

winhost.exe

description ioc process

File created C:\Windows\System32\winhost.exe winhost.exe
File created C:\Windows\System32\Info.hta winhost.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

mshta.exe

pid process

1960 mshta.exe
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

description	pid	process
Token: SeBackupPrivilege	1700	vssvc.exe
Token: SeRestorePrivilege	1700	vssvc.exe
Token: SeAuditPrivilege	1700	vssvc.exe

description	ioc	process
File created	C:\Windows\System32\winhost.exe	winhost.exe
File created	C:\Windows\System32\Info.hta	winhost.exe

pid	process
1960	mshta.exe

C:\Users\Admin\AppData\Local\Temp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\winhost.exe"
1⤵
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Drops startup file
- Drops file in Program Files directory
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Drops file in System32 directory
PID:824
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:1048
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1532
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:1952
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1916
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  PID:1980
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\FILES ENCRYPTED.txt
1⤵
PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Download Submit
memory/1048-1-0x0000000000000000-mapping.dmp

Download
memory/1296-0-0x0000000000000000-mapping.dmp

Download
memory/1532-2-0x0000000000000000-mapping.dmp

Download
memory/1552-3-0x0000000000000000-mapping.dmp

Download
memory/1916-5-0x0000000000000000-mapping.dmp

Download
memory/1952-4-0x0000000000000000-mapping.dmp

Download
memory/1960-7-0x0000000000000000-mapping.dmp

Download
memory/1980-6-0x0000000000000000-mapping.dmp

Download
memory/1980-22-0x0000000005FB0000-0x0000000005FD3000-memory.dmp

Filesize
140KB

Download
memory/1980-23-0x00000000046B0000-0x00000000046BB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads