Analysis
- max time kernel: 150s
- max time network: 39s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-01-2021 01:37

Static task: static1

Behavioral task: behavioral1
- Sample: payload.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: payload.exe
- Resource: win10v20201028

General
- Target: payload.exe
- Size: 92KB
- MD5: 2db20e2fcd86d00388915088b18f99f2
- SHA1: 3a321bf3980d08fe5754548f5aba7f1bdc967f10
- SHA256: 40a837f93edb2531fe35733d725efb490c7b5199d031a6e087b5041aed6eea05
- SHA512: b9c179e2b5b82fa59018194e8ee8bb927dfd545c72772de6c98621a071650efa345e9bee0282caac95ccccce1371e440295f61a981d447d5ef699fd81e3d1450
Malware Config
Extracted:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- novclub@cock.li
- novclub@protonmail.com
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files (1 IoC)
Ransomware generally changes the extension on encrypted files.
Processes:
- payload.exe: File opened for modification C:\Users\Admin\Pictures\RestartProtect.tiff
-
Drops startup file (5 IoCs)
Processes:
- payload.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- payload.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe
- payload.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- payload.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5523BBAF.[novclub@cock.li].ROGER
- payload.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5523BBAF.[novclub@cock.li].ROGER
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- payload.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payload.exe = "C:\\Windows\\System32\\payload.exe"
- payload.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
- payload.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
-
Drops desktop.ini file(s) (64 IoCs)
Processes: payload.exe (File opened for modification on desktop.ini files)
-
Drops file in System32 directory (2 IoCs)
Processes:
- payload.exe: File created C:\Windows\System32\payload.exe
- payload.exe: File created C:\Windows\System32\Info.hta
-
Drops file in Program Files directory (64 IoCs)
Processes: payload.exe (File created / File opened for modification under C:\Program Files and C:\Program Files (x86))
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- PID 1668 vssadmin.exe
- PID 656 vssadmin.exe
-
Modifies Internet Explorer settings
Processes:
- mshta.exe: Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main
- mshta.exe: Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 1632 payload.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- PID 1096 vssvc.exe: Token: SeBackupPrivilege
- PID 1096 vssvc.exe: Token: SeRestorePrivilege
- PID 1096 vssvc.exe: Token: SeAuditPrivilege
-
Suspicious use of WriteProcessMemory (28 IoCs)
Processes (source PID / process -> target PID / process, duplicate entries collapsed):
- PID 1632 payload.exe wrote to memory of 1496 cmd.exe (4 entries)
- PID 1496 cmd.exe wrote to memory of 1232 mode.com (3 entries)
- PID 1496 cmd.exe wrote to memory of 1668 vssadmin.exe (3 entries)
- PID 1632 payload.exe wrote to memory of 1432 cmd.exe (4 entries)
- PID 1432 cmd.exe wrote to memory of 1068 mode.com (3 entries)
- PID 1432 cmd.exe wrote to memory of 656 vssadmin.exe (3 entries)
- PID 1632 payload.exe wrote to memory of 1592 mshta.exe (4 entries)
- PID 1632 payload.exe wrote to memory of 1692 mshta.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\payload.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 5c4ef5af8e000509289c4b3d14d5f18f
  SHA1: 827752d0d457280762ae3f2537b90b7d42759dc1
  SHA256: 4ab3493fdb7fd1880b8a3da5613d4a380ea2865ada9651a4856722b1bd5f7f61
  SHA512: e81d8c66ab4db38eac7be9e774656c9f741a9282b27cad4d8cb360526bdcc96a9c0d4f03b1a79d2c3942939222a84ded05212850108ffff225b648a108d13af6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 5c4ef5af8e000509289c4b3d14d5f18f
  SHA1: 827752d0d457280762ae3f2537b90b7d42759dc1
  SHA256: 4ab3493fdb7fd1880b8a3da5613d4a380ea2865ada9651a4856722b1bd5f7f61
  SHA512: e81d8c66ab4db38eac7be9e774656c9f741a9282b27cad4d8cb360526bdcc96a9c0d4f03b1a79d2c3942939222a84ded05212850108ffff225b648a108d13af6
- memory/656-8-0x0000000000000000-mapping.dmp
- memory/1068-7-0x0000000000000000-mapping.dmp
- memory/1232-4-0x0000000000000000-mapping.dmp
- memory/1432-6-0x0000000000000000-mapping.dmp
- memory/1496-3-0x0000000000000000-mapping.dmp
- memory/1592-9-0x0000000000000000-mapping.dmp
- memory/1632-2-0x0000000076341000-0x0000000076343000-memory.dmp (Filesize: 8KB)
- memory/1668-5-0x0000000000000000-mapping.dmp
- memory/1692-10-0x0000000000000000-mapping.dmp
- memory/1988-13-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp (Filesize: 2.5MB)