dharma | ea387065ba5b3f661d15cc0713a838c611afd1052925eb458dfcdb4ab893a1f6

General

Target

winhost.exe
Size

92KB
MD5

1935185051c225c096396bffbd7b5a34
SHA1

bc5891815b66d7adf44c9dbb56d7170d7304bdff
SHA256

ea387065ba5b3f661d15cc0713a838c611afd1052925eb458dfcdb4ab893a1f6
SHA512

564ad1f26b83d76cd34cf35c0bbf988f635d89ad97f103a68bae576cd155415495ce069ef8451b04710448afb1855f7aff60cfb22b51e334b3c2426e661f193d

Score

10^/10

dharma xmrig miner persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

!!!YOUR FILES ARE ENCRYPTED!!! 1100110 1101001 1101100 1100101 Don't worry,you can return all your files! If you want to restore them, write to the mail: bad_dev@tuta.io YOUR ID bad.dev@onionmail.org !ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

bad_dev@tuta.io

bad.dev@onionmail.org

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops startup file 5 IoCs

Processes:

winhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe"	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	winhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	winhost.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

winhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	winhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	winhost.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	winhost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	winhost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	winhost.exe
File opened for modification	C:\Program Files\desktop.ini	winhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	winhost.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	winhost.exe

Drops file in System32 directory 2 IoCs

Processes:

winhost.exe

description ioc process

File created C:\Windows\System32\Info.hta winhost.exe
File created C:\Windows\System32\winhost.exe winhost.exe

description	ioc	process
File created	C:\Windows\System32\Info.hta	winhost.exe
File created	C:\Windows\System32\winhost.exe	winhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

winhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\blacklisted.certs.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-48.png	winhost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\splash.gif.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java_crw_demo.dll	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Klondike\Goal_1.jpg	winhost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll	winhost.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_mp4_plugin.dll.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat	winhost.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Smokey Glass.eftx.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\yawning.png	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\in_60x42.png	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-400.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\ui-strings.js.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\vccorlib140.dll	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libdcp_plugin.dll.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\offsym.ttf	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\ui-strings.js.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_12h.png	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated_contrast-white.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_closereview_18.svg.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-xstate-l2-1-0.dll	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\theme-2x.png	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\MusicStoreLogo.scale-125.png	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Google.scale-250.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lt_get.svg	winhost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\adc_logo.png.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\Example2.Diagnostics.Tests.ps1	winhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.Sequence.dll	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\PREVIEW.GIF	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-125.png	winhost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-200.png	winhost.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.Contract.dll	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageLargeTile.scale-100.png	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFSHARED.DLL	winhost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml	winhost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\npt.dll.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Perfect\ribbon.png	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	winhost.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	winhost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png	winhost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms	winhost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\cg_16x11.png	winhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\ui-strings.js.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar.id-BF4262C7.[bad_dev@tuta.io].bdev	winhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

3240 vssadmin.exe
2724 vssadmin.exe

pid	process
3240	vssadmin.exe
2724	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winhost.exe

pid	process
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe
4660	winhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 3832 vssvc.exe
Token: SeRestorePrivilege 3832 vssvc.exe
Token: SeAuditPrivilege 3832 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	3832	vssvc.exe
Token: SeRestorePrivilege	3832	vssvc.exe
Token: SeAuditPrivilege	3832	vssvc.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

winhost.execmd.execmd.exe

description	pid	process	target process
PID 4660 wrote to memory of 1340	4660	winhost.exe	cmd.exe
PID 4660 wrote to memory of 1340	4660	winhost.exe	cmd.exe
PID 1340 wrote to memory of 4212	1340	cmd.exe	mode.com
PID 1340 wrote to memory of 4212	1340	cmd.exe	mode.com
PID 1340 wrote to memory of 3240	1340	cmd.exe	vssadmin.exe
PID 1340 wrote to memory of 3240	1340	cmd.exe	vssadmin.exe
PID 4660 wrote to memory of 1508	4660	winhost.exe	cmd.exe
PID 4660 wrote to memory of 1508	4660	winhost.exe	cmd.exe
PID 1508 wrote to memory of 2620	1508	cmd.exe	mode.com
PID 1508 wrote to memory of 2620	1508	cmd.exe	mode.com
PID 1508 wrote to memory of 2724	1508	cmd.exe	vssadmin.exe
PID 1508 wrote to memory of 2724	1508	cmd.exe	vssadmin.exe
PID 4660 wrote to memory of 3228	4660	winhost.exe	mshta.exe
PID 4660 wrote to memory of 3228	4660	winhost.exe	mshta.exe
PID 4660 wrote to memory of 3852	4660	winhost.exe	mshta.exe
PID 4660 wrote to memory of 3852	4660	winhost.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\winhost.exe
"C:\Users\Admin\AppData\Local\Temp\winhost.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:4212

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3240

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2620

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2724

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:3228

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:3852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3832

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
24442b160426643acfaf7bd4c91873db

SHA1
a0e3d4d926a3b6eaadc4344b581dfe84b2472337

SHA256
6e94cdc8393f23f7c72ba2ac97011c20f553a1d13504aaef7247b4b85436b690

SHA512
26231b5603a37be5a1af43d6b3ae354ec435cb768ad1d95c0b37a13e693f10705d455880db775a25b4f9c140abf22be44d86c3d746f80163c7d33813d5d8a7e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
24442b160426643acfaf7bd4c91873db

SHA1
a0e3d4d926a3b6eaadc4344b581dfe84b2472337

SHA256
6e94cdc8393f23f7c72ba2ac97011c20f553a1d13504aaef7247b4b85436b690

SHA512
26231b5603a37be5a1af43d6b3ae354ec435cb768ad1d95c0b37a13e693f10705d455880db775a25b4f9c140abf22be44d86c3d746f80163c7d33813d5d8a7e8

Download Submit
memory/1340-114-0x0000000000000000-mapping.dmp

Download
memory/1508-117-0x0000000000000000-mapping.dmp

Download
memory/2620-118-0x0000000000000000-mapping.dmp

Download
memory/2724-119-0x0000000000000000-mapping.dmp

Download
memory/3228-120-0x0000000000000000-mapping.dmp

Download
memory/3240-116-0x0000000000000000-mapping.dmp

Download
memory/3852-121-0x0000000000000000-mapping.dmp

Download
memory/4212-115-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads