dharma | 553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb

General

Target

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
Size

92KB
MD5

40d778624057e93cb98a8ff89d74baeb
SHA1

c5ed829367c08aa36597e77c20f1ae1b8020f0e2
SHA256

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb
SHA512

b9479c0e7d51d2276051eb3f6a58cddca906df7f9edd9405e063be5dac9f91de421508ad53517b71a8ee0820267700d706970dfd0031a49d8dd0b6933a08e469

Score

10^/10

ransomware dharma persistence spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Ransom Note

all your data has been locked us You want to return? write email backdata@qbmail.biz or recowerdata@protonmail.com

Emails

backdata@qbmail.biz

recowerdata@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email backdata@qbmail.biz YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: recowerdata@protonmail.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

backdata@qbmail.biz

recowerdata@protonmail.com

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 1 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\StartProtect.tiff	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

Drops startup file 5 IoCs

Processes:

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe = "C:\\Windows\\System32\\553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe"	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

Drops desktop.ini file(s) 70 IoCs

Processes:

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2066881839-3229799743-3576549721-1000\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Public\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

Drops file in System32 directory 2 IoCs

Processes:

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

description	ioc	process
File created	C:\Windows\System32\553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Windows\System32\Info.hta	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

Drops file in Program Files directory 35207 IoCs

Processes:

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.scale-200.png	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-36_altform-unplated.png	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Interop.MSDASC.dll.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraChart.v11.1.Design.dll.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libinflate_plugin.dll.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_zh_CN.jar.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\mrt100_app.dll	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\dot.cur.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado15.dll	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.3_1.3.23901.0_x86__8wekyb3d8bbwe\logo.png	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Models.dll.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jli.dll.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_ja.jar.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\config.js	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\vlc.mo	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\WalletSquare44x44Logo.targetsize-24_altform-unplated.png	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview_selected.svg.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-pl.xrm-ms	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_2x.png.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ul-oob.xrm-ms.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\ui-strings.js.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1665.dll.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\micaut.dll.mui	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ppd.xrm-ms	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-disabled.svg.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon_2x.png.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.dll	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_zh_CN.jar.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-30_altform-unplated.png	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-ppd.xrm-ms.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\ui-strings.js.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\illustrations_retina.png.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\invalid32x32.gif.id-C3BCF8C6.[backdata@qbmail.biz].back	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-64_altform-unplated.png	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

3948 vssadmin.exe
3248 vssadmin.exe

pid	process
3948	vssadmin.exe
3248	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 548 IoCs

Processes:

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

pid	process
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1360 vssvc.exe
Token: SeRestorePrivilege 1360 vssvc.exe
Token: SeAuditPrivilege 1360 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1360	vssvc.exe
Token: SeRestorePrivilege	1360	vssvc.exe
Token: SeAuditPrivilege	1360	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.execmd.execmd.exe

description	pid	process	target process
PID 3836 wrote to memory of 2084	3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	cmd.exe
PID 3836 wrote to memory of 2084	3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	cmd.exe
PID 2084 wrote to memory of 2852	2084	cmd.exe	mode.com
PID 2084 wrote to memory of 2852	2084	cmd.exe	mode.com
PID 2084 wrote to memory of 3948	2084	cmd.exe	vssadmin.exe
PID 2084 wrote to memory of 3948	2084	cmd.exe	vssadmin.exe
PID 3836 wrote to memory of 2664	3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	cmd.exe
PID 3836 wrote to memory of 2664	3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	cmd.exe
PID 2664 wrote to memory of 3628	2664	cmd.exe	mode.com
PID 2664 wrote to memory of 3628	2664	cmd.exe	mode.com
PID 3836 wrote to memory of 740	3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	mshta.exe
PID 3836 wrote to memory of 740	3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	mshta.exe
PID 2664 wrote to memory of 3248	2664	cmd.exe	vssadmin.exe
PID 2664 wrote to memory of 3248	2664	cmd.exe	vssadmin.exe
PID 3836 wrote to memory of 1172	3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	mshta.exe
PID 3836 wrote to memory of 1172	3836	553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe
"C:\Users\Admin\AppData\Local\Temp\553f674770840d592fd718f1cb8eed6d4210c7ce73944fb2d200e8588584fccb.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2852

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3948

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:3628

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3248

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:740

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:1172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1360

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Download Submit
memory/740-49-0x0000000000000000-mapping.dmp

Download
memory/1172-51-0x0000000000000000-mapping.dmp

Download
memory/2084-0-0x0000000000000000-mapping.dmp

Download
memory/2664-46-0x0000000000000000-mapping.dmp

Download
memory/2852-1-0x0000000000000000-mapping.dmp

Download
memory/3248-50-0x0000000000000000-mapping.dmp

Download
memory/3628-48-0x0000000000000000-mapping.dmp

Download
memory/3948-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads