Analysis
Max time kernel: 150s
Max time network: 135s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 24-04-2021 00:27
Static task: static1
Behavioral task: behavioral1 (sample winhost.exe, resource win7v20210410)
Behavioral task: behavioral2 (sample winhost.exe, resource win10v20210408)
General
Target: winhost.exe
Size: 92KB
MD5: 1935185051c225c096396bffbd7b5a34
SHA1: bc5891815b66d7adf44c9dbb56d7170d7304bdff
SHA256: ea387065ba5b3f661d15cc0713a838c611afd1052925eb458dfcdb4ab893a1f6
SHA512: 564ad1f26b83d76cd34cf35c0bbf988f635d89ad97f103a68bae576cd155415495ce069ef8451b04710448afb1855f7aff60cfb22b51e334b3c2426e661f193d
Malware Config
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Contact addresses in the ransom note: bad_dev@tuta.io, bad.dev@onionmail.org
Signatures
- Dharma
  Dharma (also tracked as CrySIS) is a ransomware family; some Dharma campaigns have bundled a legitimate security-software installer as a decoy to draw attention away from the encryption.
- Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files 2 IoCs
  Ransomware generally changes the extension on encrypted files.
Processes (winhost.exe):
File opened for modification: C:\Users\Admin\Pictures\ResolveOpen.tiff
File opened for modification: C:\Users\Admin\Pictures\SearchUndo.tiff
- Drops startup file 5 IoCs
Processes (winhost.exe):
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
- Adds Run key to start application 2 TTPs 3 IoCs
Processes (winhost.exe):
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe"
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
- Drops desktop.ini file(s) 64 IoCs
Processes (winhost.exe; every entry is "File opened for modification"):
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AJ1NIV9I\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQE06QBJ\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Program Files\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SLC8MVWU\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Contacts\desktop.ini
- Drops file in System32 directory 2 IoCs
Processes (winhost.exe):
File created: C:\Windows\System32\winhost.exe
File created: C:\Windows\System32\Info.hta
- Drops file in Program Files directory 64 IoCs
Processes (winhost.exe):
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe
File opened for modification: C:\Program Files\Java\jre7\bin\JdbcOdbc.dll.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_ON.GIF.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromaprint_plugin.dll.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14515_.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49B.GIF
File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_increaseindent.gif.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\java_crw_demo.dll
File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02464_.WMF
File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.ELM.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183172.WMF
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00157_.WMF
File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\7-Zip\Lang\ta.txt
File opened for modification: C:\Program Files\VideoLAN\VLC\NEWS.txt.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115865.GIF.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\Monticello
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\Java\jre7\lib\psfontj2d.properties
File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FBIBLIO.DLL
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00192_.WMF
File created: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Essential.eftx.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll
File opened for modification: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files\Java\jre7\lib\zi\America\Montevideo.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45B.GIF.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Black Tie.thmx.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
File created: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\7-Zip\Lang\mng.txt
File created: C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\WindowsAccessBridge-64.dll
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04195_.WMF.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS.id-5394F5B0.[bad_dev@tuta.io].bdev
File created: C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\MSOSVINT.DLL.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14530_.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\OMML2MML.XSL.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h
File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00297_.WMF.id-5394F5B0.[bad_dev@tuta.io].bdev
File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.id-5394F5B0.[bad_dev@tuta.io].bdev
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
- Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid 1244 vssadmin.exe
pid 744 vssadmin.exe
- Modifies Internet Explorer settings 2 IoCs
Processes (mshta.exe):
Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main
Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main
- Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid 908 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 792 winhost.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (vssvc.exe, pid 1444):
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeAuditPrivilege
- Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid 796 mshta.exe
pid 672 mshta.exe
pid 908 NOTEPAD.EXE
- Suspicious use of WriteProcessMemory 28 IoCs
Processes (source pid/process -> target pid/process, with the number of identical entries):
PID 792 winhost.exe wrote to memory of 1160 cmd.exe (4)
PID 1160 cmd.exe wrote to memory of 840 mode.com (3)
PID 1160 cmd.exe wrote to memory of 1244 vssadmin.exe (3)
PID 792 winhost.exe wrote to memory of 1480 cmd.exe (4)
PID 1480 cmd.exe wrote to memory of 1056 mode.com (3)
PID 792 winhost.exe wrote to memory of 672 mshta.exe (4)
PID 1480 cmd.exe wrote to memory of 744 vssadmin.exe (3)
PID 792 winhost.exe wrote to memory of 796 mshta.exe (4)
Processes
- C:\Users\Admin\AppData\Local\Temp\winhost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\info.txt
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow

Each cmd.exe child first runs mode con cp select=1251 (switching the console to Windows code page 1251, Cyrillic) and then vssadmin delete shadows /all /quiet; the same pair is spawned twice. vssvc.exe is the Volume Shadow Copy service that services those deletion requests, which is why it appears as a separate top-level process enabling SeBackupPrivilege and SeRestorePrivilege. The two mshta.exe instances render the Info.hta ransom note dropped into both Startup folders, and the same note is also wired into the Run key so it reappears on every logon.
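The three behaviours the report attributes to winhost.exe (shadow-copy deletion through vssadmin, a Run key that launches mshta.exe on Info.hta, and renaming of encrypted files to the .id-<victim id>.[<contact e-mail>].<extension> pattern) each map to a simple rule over process, registry and file telemetry. The following Python is an added example written for this page, not code from the sandbox report or from the sample: the event records are constructed to mirror the PIDs, paths and command lines listed above, and the event field names (event_type, pid, command_line, key, value, path) are an assumed, simplified Sysmon-like schema.

```python
"""Detection rules for the winhost.exe behaviours in the report.

Added example, not part of the sandbox report or of the malware. The
events below are constructed from the report's IoCs; the field names are
an assumed simplified Sysmon-like schema.
"""
import re

# Dharma/CrySIS naming: <original name>.id-<8 hex chars>.[<contact e-mail>].<ext>
DHARMA_NAME = re.compile(
    r"\.id-(?P<victim_id>[0-9A-F]{8})\.\[(?P<contact>[^\]]+@[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# vssadmin invoked with "delete shadows" (seen twice in the report's process tree)
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)

# Run-key values that start mshta.exe on an .hta file (the ransom-note persistence)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
MSHTA_HTA = re.compile(r"\bmshta(?:\.exe)?\b.*\.hta\b", re.IGNORECASE)


def parse_dharma_name(path):
    """Return (victim_id, contact, ext) when path carries a Dharma suffix, else None."""
    m = DHARMA_NAME.search(path)
    if not m:
        return None
    return m.group("victim_id"), m.group("contact"), m.group("ext")


def detect(events):
    """Apply the three rules to a list of event dicts and return the alerts raised."""
    alerts = []
    for ev in events:
        kind = ev["event_type"]
        if kind == "process_create" and VSSADMIN_DELETE.search(ev["command_line"]):
            alerts.append(("shadow_copy_deletion", ev["pid"], ev["command_line"]))
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]) and MSHTA_HTA.search(ev["value"]):
            alerts.append(("mshta_run_key_persistence", ev["pid"], ev["key"]))
        elif kind == "file_create":
            parsed = parse_dharma_name(ev["path"])
            if parsed:
                alerts.append(("dharma_extension", ev["pid"], parsed))
    return alerts


# Constructed events modelled on the report; the mode.com, plain winhost.exe Run
# value and info.txt records are included to show that they do not fire.
SAMPLE_EVENTS = [
    {"event_type": "process_create", "pid": 1244, "image": r"C:\Windows\system32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"event_type": "process_create", "pid": 840, "image": r"C:\Windows\system32\mode.com",
     "command_line": "mode con cp select=1251"},
    {"event_type": "registry_set", "pid": 792,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta",
     "value": r'mshta.exe "C:\Windows\System32\Info.hta"'},
    {"event_type": "registry_set", "pid": 792,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe",
     "value": r"C:\Windows\System32\winhost.exe"},
    {"event_type": "file_create", "pid": 792,
     "path": r"C:\Program Files\VideoLAN\VLC\NEWS.txt.id-5394F5B0.[bad_dev@tuta.io].bdev"},
    {"event_type": "file_create", "pid": 792,
     "path": r"C:\Users\Admin\Desktop\info.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The Run-key rule deliberately keys on mshta.exe plus an .hta argument rather than on the value name, because the value names here are full paths that an operator can change freely; the file rule extracts the victim ID and contact address so that every file touched by the same campaign can be grouped without relying on the .bdev extension, which Dharma affiliates rotate.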
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 4b7e70cc3498980b240c0d3993117663
  SHA1: 0a724ca05a592bbadc34b7f2e43efc3f841d4650
  SHA256: 9f60949f0e9ddfab53b1522a071bbd1230d8bec23193e8d5dfa8dbb564d0cb7c
  SHA512: eb7d254bdce559454cd9e0d341d00771fc45c9695f515923b858e5c5c2aa1afab24be7c588fbebbaad45e591e3964fbebd76ce0c6598001b1b1c4ee3653d8143
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 4b7e70cc3498980b240c0d3993117663
  SHA1: 0a724ca05a592bbadc34b7f2e43efc3f841d4650
  SHA256: 9f60949f0e9ddfab53b1522a071bbd1230d8bec23193e8d5dfa8dbb564d0cb7c
  SHA512: eb7d254bdce559454cd9e0d341d00771fc45c9695f515923b858e5c5c2aa1afab24be7c588fbebbaad45e591e3964fbebd76ce0c6598001b1b1c4ee3653d8143
- C:\Users\Admin\Desktop\info.txt
  MD5: e5e64ad464434392263de5df9147c57b
  SHA1: f4e9bc7639324cf138c4b1a1d9edb6e24d832f39
  SHA256: 0a163498c12aa97812caa844d1a2dceb5e597727d2e283e5efee3d138ef2042c
  SHA512: 5a1531383669fc190be5d2ef3f06a5234ea293435f9b554d8c2bf0830287869877e8328cf2fd1108c5d56ba8e202f99cc0d76ac4d67005763144fce71db4f1b5
- memory/672-67-0x0000000000000000-mapping.dmp
- memory/744-66-0x0000000000000000-mapping.dmp
- memory/792-60-0x0000000075551000-0x0000000075553000-memory.dmp (filesize 8KB)
- memory/796-69-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp (filesize 8KB)
- memory/796-68-0x0000000000000000-mapping.dmp
- memory/840-62-0x0000000000000000-mapping.dmp
- memory/1056-65-0x0000000000000000-mapping.dmp
- memory/1160-61-0x0000000000000000-mapping.dmp
- memory/1244-63-0x0000000000000000-mapping.dmp
- memory/1480-64-0x0000000000000000-mapping.dmp