Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:49

Static task: static1

Behavioral task: behavioral1
- Sample: 227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: 227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe
- Resource: win10v20201028
General
- Target: 227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe
- Size: 245KB
- MD5: dca247cda2f20152feb8cf6b410fc093
- SHA1: c7f9176ed2615364fb02d454918425814d52d4bf
- SHA256: 227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3
- SHA512: 91f2b08c409110f74c0a42f3df1f7920a539d2081704878ae573e9111b5f8cc4694611c8d541fc9f1bf913847ca94ef487f8f1333a34507bb3c3cd9fe7623760
Malware Config
Extracted
- Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- Email: 3441546223@qq.com
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
  [tmp.exe] pid 1288
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  [tmp.exe] File opened for modification C:\Users\Admin\Pictures\ExitSet.tiff
-
Deletes itself 1 IoCs
Processes:
  [tmp.exe] pid 1288
-
Drops startup file 5 IoCs
Processes:
  [tmp.exe] File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp.exe
  [tmp.exe] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  [tmp.exe] File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5BBE3585.[3441546223@qq.com].ncov
  [tmp.exe] File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5BBE3585.[3441546223@qq.com].ncov
  [tmp.exe] File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
-
Loads dropped DLL 2 IoCs
Processes:
  [227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe] pid 484 (2 entries)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
  [tmp.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp.exe = "C:\\Windows\\System32\\tmp.exe"
  [tmp.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
  [tmp.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
-
Drops desktop.ini file(s) 77 IoCs
Processes:
  All entries: [tmp.exe] File opened for modification <path>
  C:\Users\Admin\Searches\desktop.ini
  C:\Program Files\desktop.ini
  C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini
  C:\Users\Public\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXBH52U7\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F6QQJELO\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\Favorites\Links for United States\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D08RECS3\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Public\Music\Sample Music\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Public\Recorded TV\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RKGIF8TT\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1AZJ0WQ\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Public\Pictures\Sample Pictures\desktop.ini
  (listing shows 64 of the 77 reported entries)
-
Drops file in System32 directory 2 IoCs
Processes:
  [tmp.exe] File created C:\Windows\System32\Info.hta
  [tmp.exe] File created C:\Windows\System32\tmp.exe
-
Modifies service 2 TTPs 5 IoCs
Processes:
  [vssvc.exe] Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
  [vssvc.exe] Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
  [vssvc.exe] Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
  [vssvc.exe] Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
  [vssvc.exe] Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  [227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe] PID 484 set thread context of PID 1356 (target process: 227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe)
-
Drops file in Program Files directory 27805 IoCs
Processes:
  All entries are [tmp.exe]; "created" = File created, "modified" = File opened for modification
  modified C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css
  modified C:\Program Files\VideoLAN\VLC\plugins\video_filter\libextract_plugin.dll.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME28.CSS.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyMergeLetter.dotx
  modified C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html
  modified C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css
  created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR44F.GIF.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\Office14\RSWOP.ICM.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml
  modified C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099178.WMF.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Formal.dotx.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.contenttype_3.4.200.v20140207-1251.jar.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar
  modified C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLAPPT.FAE
  modified C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll
  modified C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif
  modified C:\Program Files (x86)\Google\Update\1.3.35.452\psuser_64.dll.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01395_.WMF
  modified C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityMergeLetter.Dotx.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00411_.WMF
  created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14538_.GIF.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_rest.png
  created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGMAIN.XML.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00564_.WMF.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\Mozilla Firefox\libEGL.dll.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo
  modified C:\Program Files (x86)\Windows Media Player\WMPDMCCore.dll
  modified C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui
  created C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14832_.GIF
  modified C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Horizon.eftx
  modified C:\Program Files (x86)\Microsoft Office\Office14\3082\MSO.ACL.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151041.WMF.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03731_.WMF.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf
  modified C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar
  created C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107342.WMF
  created C:\Program Files\7-Zip\Lang\it.txt.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232803.WMF.id-5BBE3585.[3441546223@qq.com].ncov
  created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02041_.WMF.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF
  modified C:\Program Files\Java\jre7\lib\zi\America\Montreal.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok
  modified C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.XML.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212219.WMF.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml.id-5BBE3585.[3441546223@qq.com].ncov
  modified C:\Program Files\VideoLAN\VLC\README.txt
  (listing shows 64 of the 27805 reported entries)
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  [vssadmin.exe] pid 340
  [vssadmin.exe] pid 948
-
Modifies Internet Explorer settings 2 IoCs
Processes:
  [mshta.exe] Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main
  [mshta.exe] Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main
-
Suspicious behavior: EnumeratesProcesses 166 IoCs
Processes:
  [227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe] pid 484
  [tmp.exe] pid 1288 (this entry is repeated for the rest of the listing, which shows the first 64 of 166 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  [227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe] PID 484 Token: SeDebugPrivilege
  [vssvc.exe] PID 584 Token: SeBackupPrivilege
  [vssvc.exe] PID 584 Token: SeRestorePrivilege
  [vssvc.exe] PID 584 Token: SeAuditPrivilege
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
  [227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe] PID 484 wrote to memory of PID 1288 (target process: tmp.exe) (4 entries)
  [tmp.exe] PID 1288 wrote to memory of PID 1676 (target process: cmd.exe) (4 entries)
  [cmd.exe] PID 1676 wrote to memory of PID 1876 (target process: mode.com) (3 entries)
  [cmd.exe] PID 1676 wrote to memory of PID 340 (target process: vssadmin.exe) (3 entries)
  [227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe] PID 484 wrote to memory of PID 1356 (target process: 227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe) (9 entries)
  [tmp.exe] PID 1288 wrote to memory of PID 1944 (target process: cmd.exe) (4 entries)
  [cmd.exe] PID 1944 wrote to memory of PID 964 (target process: mode.com) (3 entries)
  [cmd.exe] PID 1944 wrote to memory of PID 948 (target process: vssadmin.exe) (3 entries)
  [tmp.exe] PID 1288 wrote to memory of PID 1384 (target process: mshta.exe) (4 entries)
  [tmp.exe] PID 1288 wrote to memory of PID 1116 (target process: mshta.exe) (4 entries)
Processes (tree depth in brackets)
-
[1] C:\Users\Admin\AppData\Local\Temp\227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Executes dropped EXE
- Modifies extensions of user files
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
[4] C:\Windows\system32\mode.com
    Command line: mode con cp select=1251
-
[4] C:\Windows\system32\vssadmin.exe
    Command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
[3] C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
[4] C:\Windows\system32\mode.com
    Command line: mode con cp select=1251
-
[4] C:\Windows\system32\vssadmin.exe
    Command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
[3] C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- Modifies Internet Explorer settings
-
[3] C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- Modifies Internet Explorer settings
-
[2] C:\Users\Admin\AppData\Local\Temp\227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe
    Command line: "C:/Users/Admin/AppData/Local/Temp/227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe"
-
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5 ad91850e2cbb7ec53bf54d20e91f2a79
SHA1 f6fb46333a4b8f15b50102facd04f721b9524527
SHA256 a46ac7ab40b3b74129e9c8b579923996d92cd22a97c428691a8f239cbed25a70
SHA512 5a37159d81f25f6e5daf0fa8ab3f8261f09fc26274e1ab116f29d93aad2fb9e4a6c29682c6d95f9927fad5b4e972e63f45284ddb26e435fb2df21174e27c74a4
-
C:\Users\Admin\AppData\Local\Temp\svhost.exe
MD5 3dc997b75986d0aa933a2e27455b4530
SHA1 b8f49e05a51b6a35da4d7f28c908102f5da5e9b2
SHA256 1c75630faa86f75449df605d2878d0e344c905dbcf01f1e4c65a3f52d32901c5
SHA512 84a3cb83204ee908e0ec5eb695b95375662a41b6ef1de9bafb220934a7aaedd353f2d2156edad205b128db8c6fdcbee636e13afb7a8d49aa46762a958d067818
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
MD5 c491e17a0ad8a5d2a36151ace5f10cef
SHA1 0012f5c4d189cd009db0d5ee9e398470185d5e44
SHA256 1c2e66bac96bcc34b1681496ddc1d5f3cbeeeb726f0eef1f36323e25a0284871
SHA512 245f59f50540e2550a2fde2a7ba17f4b1cac9afcc10c4fb7b0b3758c0dd78fe937f623f3a2399d66ce2e2b796b96a7f20bd544cc24e01b72d5116ee2d2fd6bb5
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5 ad91850e2cbb7ec53bf54d20e91f2a79
SHA1 f6fb46333a4b8f15b50102facd04f721b9524527
SHA256 a46ac7ab40b3b74129e9c8b579923996d92cd22a97c428691a8f239cbed25a70
SHA512 5a37159d81f25f6e5daf0fa8ab3f8261f09fc26274e1ab116f29d93aad2fb9e4a6c29682c6d95f9927fad5b4e972e63f45284ddb26e435fb2df21174e27c74a4
-
\Users\Admin\AppData\Local\Temp\tmp.exe
MD5 c491e17a0ad8a5d2a36151ace5f10cef
SHA1 0012f5c4d189cd009db0d5ee9e398470185d5e44
SHA256 1c2e66bac96bcc34b1681496ddc1d5f3cbeeeb726f0eef1f36323e25a0284871
SHA512 245f59f50540e2550a2fde2a7ba17f4b1cac9afcc10c4fb7b0b3758c0dd78fe937f623f3a2399d66ce2e2b796b96a7f20bd544cc24e01b72d5116ee2d2fd6bb5
-
memory/340-11-0x0000000000000000-mapping.dmp
-
memory/484-0-0x00000000747A0000-0x0000000074E8E000-memory.dmp (Filesize 6.9MB)
-
memory/484-3-0x0000000000300000-0x000000000031B000-memory.dmp (Filesize 108KB)
-
memory/484-1-0x0000000000890000-0x0000000000891000-memory.dmp (Filesize 4KB)
-
memory/588-23-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp (Filesize 2.5MB)
-
memory/948-18-0x0000000000000000-mapping.dmp
-
memory/964-17-0x0000000000000000-mapping.dmp
-
memory/1116-20-0x0000000000000000-mapping.dmp
-
memory/1288-6-0x0000000000000000-mapping.dmp
-
memory/1356-12-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
-
memory/1356-14-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
-
memory/1356-13-0x000000000040A9D0-mapping.dmp
-
memory/1384-19-0x0000000000000000-mapping.dmp
-
memory/1384-31-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp (Filesize 64KB)
-
memory/1676-9-0x0000000000000000-mapping.dmp
-
memory/1876-10-0x0000000000000000-mapping.dmp
-
memory/1944-16-0x0000000000000000-mapping.dmp