Analysis
-
max time kernel: 152s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:45
Static task: static1
Behavioral task: behavioral1
  Sample: 65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe
  Resource: win10v20201028
General
-
Target: 65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe
Size: 243KB
MD5: f3c11989987acee8b271f571cdc7757c
SHA1: 50a191d53bc397ce08af356a224135488ed23619
SHA256: 65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7
SHA512: 27e9690090d4d928140b0c6b34205371bd2c8cce8423308fff0fdbd1ebfec9b4b50538a226de73145598aa4f7d9153db67a21cebed00808466cf2a93b697a119
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes (regasm.exe):
  pid | process
  1756 | regasm.exe
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (regasm.exe):
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\MoveFind.tiff | regasm.exe
  File opened for modification | C:\Users\Admin\Pictures\WatchUninstall.tiff | regasm.exe
-
Deletes itself 1 IoCs
Processes (regasm.exe):
  pid | process
  1756 | regasm.exe
-
Drops startup file 5 IoCs
Processes (regasm.exe):
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regasm.exe | regasm.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | regasm.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D567C150.[[email protected]].ncov | regasm.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D567C150.[[email protected]].ncov | regasm.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | regasm.exe
-
Loads dropped DLL 2 IoCs
Processes (65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe, regasm.exe):
  pid | process
  1632 | 65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe
  1756 | regasm.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes (regasm.exe):
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | regasm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | regasm.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regasm.exe = "C:\\Windows\\System32\\regasm.exe" | regasm.exe
-
Drops desktop.ini file(s) 77 IoCs
-
Drops file in System32 directory 2 IoCs
Processes (regasm.exe):
  description | ioc | process
  File created | C:\Windows\System32\regasm.exe | regasm.exe
  File created | C:\Windows\System32\Info.hta | regasm.exe
-
Modifies service 2 TTPs 5 IoCs
Processes (vssvc.exe):
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes (65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe):
  description | pid | process | target process
  PID 1632 set thread context of 1756 | 1632 | 65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe | regasm.exe
-
Drops file in Program Files directory 27848 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (vssadmin.exe, vssadmin.exe):
  pid | process
  1964 | vssadmin.exe
  820 | vssadmin.exe
-
Modifies Internet Explorer settings 2 IoCs
Processes (mshta.exe, mshta.exe):
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
-
Suspicious behavior: EnumeratesProcesses 138 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe, vssvc.exe):
  description | pid | process
  Token: SeDebugPrivilege | 1632 | 65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe
  Token: SeBackupPrivilege | 920 | vssvc.exe
  Token: SeRestorePrivilege | 920 | vssvc.exe
  Token: SeAuditPrivilege | 920 | vssvc.exe
-
Suspicious use of WriteProcessMemory 40 IoCs

Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\regasm.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\regasm.exe"
      - Executes dropped EXE
      - Modifies extensions of user files
      - Deletes itself
      - Drops startup file
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\mode.com
          command line: mode con cp select=1251
      (depth 4) C:\Windows\system32\vssadmin.exe
          command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    (depth 3) C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\mode.com
          command line: mode con cp select=1251
      (depth 4) C:\Windows\system32\vssadmin.exe
          command line: vssadmin delete shadows /all /quiet
          - Interacts with shadow copies
    (depth 3) C:\Windows\System32\mshta.exe
        command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        - Modifies Internet Explorer settings
    (depth 3) C:\Windows\System32\mshta.exe
        command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
        - Modifies Internet Explorer settings
(depth 1) C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5: 1cd9f2072f516d34f6316d209a1cafa5
SHA1: 68d987a6cbd224cc0fa6dd5d2c1a900cba29ec70
SHA256: 9482da3700c426037e61c40b58e1cdd0a86fa74b3ace29e312259151dbe1b03e
SHA512: c7b79aefa66efc380aca6a3a305846f393b0f9e83eceb9701ae461bfa61129351d7f6ab720d4ef571cac1235a43f3a4a6d1563b7090d47804ad3c344742bc194
-
C:\Users\Admin\AppData\Local\Temp\regasm.exe
MD5: 1f7bccc57d21a4bfeddaafe514cfd74d
SHA1: 4dab09179a12468cb1757cb7ca26e06d616b0a8d
SHA256: d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061
SHA512: 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5: 1cd9f2072f516d34f6316d209a1cafa5
SHA1: 68d987a6cbd224cc0fa6dd5d2c1a900cba29ec70
SHA256: 9482da3700c426037e61c40b58e1cdd0a86fa74b3ace29e312259151dbe1b03e
SHA512: c7b79aefa66efc380aca6a3a305846f393b0f9e83eceb9701ae461bfa61129351d7f6ab720d4ef571cac1235a43f3a4a6d1563b7090d47804ad3c344742bc194
-
\Users\Admin\AppData\Local\Temp\regasm.exe
MD5: 1f7bccc57d21a4bfeddaafe514cfd74d
SHA1: 4dab09179a12468cb1757cb7ca26e06d616b0a8d
SHA256: d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061
SHA512: 9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8
-
memory/236-21-0x000007FEF7540000-0x000007FEF77BA000-memory.dmp | Filesize 2.5MB
memory/820-16-0x0000000000000000-mapping.dmp
memory/1460-11-0x0000000000000000-mapping.dmp
memory/1516-14-0x0000000000000000-mapping.dmp
memory/1616-15-0x0000000000000000-mapping.dmp
memory/1632-3-0x0000000000370000-0x000000000038B000-memory.dmp | Filesize 108KB
memory/1632-0-0x0000000074450000-0x0000000074B3E000-memory.dmp | Filesize 6.9MB
memory/1632-1-0x0000000000950000-0x0000000000951000-memory.dmp | Filesize 4KB
memory/1648-36-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp | Filesize 64KB
memory/1648-17-0x0000000000000000-mapping.dmp
memory/1720-37-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp | Filesize 64KB
memory/1720-18-0x0000000000000000-mapping.dmp
memory/1756-5-0x0000000000400000-0x0000000000419000-memory.dmp | Filesize 100KB
memory/1756-8-0x0000000000400000-0x0000000000419000-memory.dmp | Filesize 100KB
memory/1756-6-0x000000000040A9D0-mapping.dmp
memory/1964-13-0x0000000000000000-mapping.dmp
memory/1972-12-0x0000000000000000-mapping.dmp