Analysis
  max time kernel:   151s
  max time network:  11s
  platform:          windows7_x64
  resource:          win7v20210410
  submitted:         13-05-2021 12:05

Static task: static1

Behavioral task: behavioral1
  Sample:   d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample:   d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe
  Resource: win10v20210408
General
  Target: d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe
  Size:   440KB
  MD5:    0bea574db74f33958723ea9a9bd81c11
  SHA1:   8ca2edc10ee3e13c3075baf8450d4d94b220c6e6
  SHA256: d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9
  SHA512: 5f71ca9ae881e59db1638883e42cbbc04b70b4ab1b98ec9632062229cbdcd6196e7889b9d304d10fc684fcbc468bf0a2a60e271c785fbeee2ebca7a2947f0272
Malware Config
  Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  Contact e-mail: datadecrypt@qq.com
Signatures

Dharma
  Dharma (a CrySIS variant) is a ransomware family; it has been distributed bundled with legitimate security-software installers so that the encryption runs under cover of the install. The encrypted-file naming seen throughout this report, <name>.id-778F0FFC.[datadecrypt@qq.com].ETH, is the family's usual victim-id / contact e-mail / extension pattern.

Deletes shadow copies  2 TTPs
  Ransomware deletes Volume Shadow Copies so the victim cannot roll files back. Here vssadmin.exe is launched through cmd.exe (pids 928 and 1920, listed under "Interacts with shadow copies" below); the vssadmin command line itself is not included in this excerpt.
Drops startup file  5 IoCs
Processes: d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe (all rows)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe
Reads user/profile data of web browsers  2 TTPs
  Infostealers often target stored browser data, which can include saved credentials. In this trace the hits are consistent with the encryptor simply walking the browser profile directories (History.IE5, Content.IE5 and Feeds Cache appear in the desktop.ini list below), so they do not by themselves indicate credential theft.
Adds Run key to start application  2 TTPs  3 IoCs
Processes: d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe (all rows)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe = "C:\\Windows\\System32\\d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe"
  These are HKLM (machine-wide) Run values, which require administrative rights to write; the sandbox ran the sample as the Admin user. Two of the three re-launch the ransom note through mshta.exe at every logon, the third re-launches the System32 copy of the sample.
Drops desktop.ini file(s)  64 IoCs
Processes: d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe; every row is "File opened for modification" on the path listed
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\Favorites\Links for United States\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SLC8MVWU\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Public\Recorded TV\Sample Media\desktop.ini
  C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQE06QBJ\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Program Files\desktop.ini
  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2MTLR0RV\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Public\Pictures\Sample Pictures\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Public\desktop.ini
  C:\Users\Public\Libraries\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Public\Music\Sample Music\desktop.ini
Drops file in System32 directory  2 IoCs
Processes: d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe (all rows)
  File created  C:\Windows\System32\d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe
  File created  C:\Windows\System32\Info.hta
  These are the copies referenced by the HKLM Run values above; writing into System32 likewise needs administrative rights.
Drops file in Program Files directory  64 IoCs
Processes: d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe (all rows)
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212751.WMF
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\LASER.WAV
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js
  File created                  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Program Files\Java\jre7\lib\zi\America\Fortaleza.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14580_.GIF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet
  File created                  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL092.XML
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureA.png
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\PREVIEW.GIF.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0292982.WMF.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.DPV.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp
  File created                  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105520.WMF.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\24.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143745.GIF.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qyzylorda
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\CANYON.ELM
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_ON.GIF
  File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_down_BIDI.png
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02265_.WMF
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MOFL.DLL
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\ARROW.WAV.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\Office64WW.XML.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00586_.WMF.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Program Files\VideoLAN\VLC\plugins\video_output\libdrawable_plugin.dll.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\MCESidebarCtrl.dll
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg
  File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest
  File created                  C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_es.properties.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195342.WMF.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll
  File created                  C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.dub.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Antigua.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18225_.WMF
  File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll
  File opened for modification  C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm
  File created                  C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe.id-778F0FFC.[datadecrypt@qq.com].ETH
  File created                  C:\Program Files\VideoLAN\VLC\plugins\control\libwin_hotkeys_plugin.dll.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\PREVIEW.GIF.id-778F0FFC.[datadecrypt@qq.com].ETH
  File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar
  File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles
  File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png
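The file-event tables above carry the three fields an incident responder pulls from a Dharma case (victim id 778F0FFC, contact e-mail datadecrypt@qq.com, extension ETH), and the Run-key table under "Adds Run key to start application" shows the two mshta.exe values that re-open the ransom note. The following Python is an added example, not part of the sandbox report and not code from the malware: it parses report-style "File created / File opened for modification <path>" rows into those fields and extracts the .hta target from a Run value. The regexes, function names and the sample rows (transcribed from entries on this page, not the full tables) are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = "d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe"

# Dharma appends ".id-<8 hex victim id>.[<contact e-mail>].<extension>" to
# each file it encrypts; all three fields are recoverable from the filename.
DHARMA_SUFFIX = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Report rows read "<verb> <path>"; the verb is one of the two seen above.
EVENT_RE = re.compile(r"^File (created|opened for modification) (.+)$")

# Run-key data that hands an .hta to mshta.exe (quoted or bare path, with or
# without a directory in front of mshta itself).
MSHTA_RE = re.compile(
    r'^\s*"?(?:.*\\)?mshta(?:\.exe)?"?\s+"?(?P<target>[^"]+?\.hta)"?\s*$', re.I
)


@dataclass(frozen=True)
class EncryptedName:
    original: str
    victim_id: str
    email: str
    ext: str


def parse_dharma_name(path: str) -> Optional[EncryptedName]:
    """Split a Dharma-renamed path into its fields, or None if not renamed."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = DHARMA_SUFFIX.match(name)
    if not m:
        return None
    return EncryptedName(m["original"], m["victim_id"].upper(), m["email"], m["ext"])


def summarize_file_events(lines):
    """Collect victim ids, contact e-mails, extensions and renamed paths."""
    ids, emails, exts, renamed = set(), set(), set(), []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        parsed = parse_dharma_name(m.group(2))
        if parsed:
            ids.add(parsed.victim_id)
            emails.add(parsed.email)
            exts.add(parsed.ext)
            renamed.append(m.group(2))
    return {
        "victim_ids": sorted(ids),
        "emails": sorted(emails),
        "extensions": sorted(exts),
        "renamed_paths": renamed,
    }


def hta_autorun_target(run_value: str) -> Optional[str]:
    """Return the .hta path if a Run-key value launches it through mshta.exe."""
    m = MSHTA_RE.match(run_value)
    return m["target"] if m else None


# Constructed from rows in this report (a handful, not the complete tables).
SAMPLE_EVENTS = [
    r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-778F0FFC.[datadecrypt@qq.com].ETH",
    r"File created C:\Program Files\Java\jre7\lib\zi\America\Fortaleza.id-778F0FFC.[datadecrypt@qq.com].ETH",
    r"File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe.id-778F0FFC.[datadecrypt@qq.com].ETH",
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
]

# The three HKLM Run values from the report, value name -> data.
SAMPLE_RUN_VALUES = {
    r"C:\Windows\System32\Info.hta": r'mshta.exe "C:\Windows\System32\Info.hta"',
    r"C:\Users\Admin\AppData\Roaming\Info.hta": r'mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"',
    SAMPLE: "C:\\Windows\\System32\\" + SAMPLE,
}

if __name__ == "__main__":
    summary = summarize_file_events(SAMPLE_EVENTS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for name, data in SAMPLE_RUN_VALUES.items():
        target = hta_autorun_target(data)
        print(f"Run\\{name}: {'mshta -> ' + target if target else 'not an HTA launcher'}")
```

Feeding a full file-event export (or a directory walk of an infected host) through summarize_file_events gives the victim id and e-mail to match against known decryptors, and the renamed_paths list is the scope of the encryption. hta_autorun_target is the check to run over every Run and RunOnce value on the host before assuming the note will stop appearing after the executable is removed.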
Enumerates physical storage devices  1 TTP
  Attempts to interact with connected storage/optical drive(s); ransomware does this to find every volume it can encrypt.
Interacts with shadow copies  2 TTPs  2 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 928   vssadmin.exe
  pid 1920  vssadmin.exe
Processes: mshta.exe (both rows; these are the ransom-note launches, see the Run keys above)
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
  Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
Suspicious behavior: EnumeratesProcesses  64 IoCs
Processes:
  pid 772  d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe  (all 64 rows are this one process; the report lists each enumeration separately)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe, vssvc.exe
description pid process
Token: 33 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe
Token: SeIncBasePriorityPrivilege 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe
Token: SeBackupPrivilege 1216 vssvc.exe
Token: SeRestorePrivilege 1216 vssvc.exe
Token: SeAuditPrivilege 1216 vssvc.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe, cmd.exe, cmd.exe
description pid process target process
PID 772 wrote to memory of 1540 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe cmd.exe
PID 772 wrote to memory of 1540 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe cmd.exe
PID 772 wrote to memory of 1540 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe cmd.exe
PID 772 wrote to memory of 1540 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe cmd.exe
PID 1540 wrote to memory of 1884 1540 cmd.exe mode.com
PID 1540 wrote to memory of 1884 1540 cmd.exe mode.com
PID 1540 wrote to memory of 1884 1540 cmd.exe mode.com
PID 1540 wrote to memory of 928 1540 cmd.exe vssadmin.exe
PID 1540 wrote to memory of 928 1540 cmd.exe vssadmin.exe
PID 1540 wrote to memory of 928 1540 cmd.exe vssadmin.exe
PID 772 wrote to memory of 1660 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe cmd.exe
PID 772 wrote to memory of 1660 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe cmd.exe
PID 772 wrote to memory of 1660 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe cmd.exe
PID 772 wrote to memory of 1660 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe cmd.exe
PID 772 wrote to memory of 1752 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe mshta.exe
PID 772 wrote to memory of 1752 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe mshta.exe
PID 772 wrote to memory of 1752 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe mshta.exe
PID 772 wrote to memory of 1752 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe mshta.exe
PID 1660 wrote to memory of 1924 1660 cmd.exe mode.com
PID 1660 wrote to memory of 1924 1660 cmd.exe mode.com
PID 1660 wrote to memory of 1924 1660 cmd.exe mode.com
PID 772 wrote to memory of 1684 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe mshta.exe
PID 772 wrote to memory of 1684 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe mshta.exe
PID 772 wrote to memory of 1684 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe mshta.exe
PID 772 wrote to memory of 1684 772 d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe mshta.exe
PID 1660 wrote to memory of 1920 1660 cmd.exe vssadmin.exe
PID 1660 wrote to memory of 1920 1660 cmd.exe vssadmin.exe
PID 1660 wrote to memory of 1920 1660 cmd.exe vssadmin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0f8c1a00ebbdfec24e2b4074515ebb5d1f22930f3cf828e728628326f315fd9.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
  C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    - Modifies Internet Explorer settings
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5 50d525d435026f7d6675214c9e49d265
SHA1 2d8f335517e3ba066880b29efab231f64e0cd1d9
SHA256 554a2ca578c4b1c5a4ed2ff7af14502ad152484d548e948e91d27cd9d9734f38
SHA512 0301155c491e548e93242d7b9440eead7031b76f0f784ac570f59350f471638a0ba7f3e6af8343d38102ead881a05b95971635d435d65010b294ce6d227c9260
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5 50d525d435026f7d6675214c9e49d265
SHA1 2d8f335517e3ba066880b29efab231f64e0cd1d9
SHA256 554a2ca578c4b1c5a4ed2ff7af14502ad152484d548e948e91d27cd9d9734f38
SHA512 0301155c491e548e93242d7b9440eead7031b76f0f784ac570f59350f471638a0ba7f3e6af8343d38102ead881a05b95971635d435d65010b294ce6d227c9260
-
memory/772-60-0x0000000000400000-0x0000000000475000-memory.dmp Filesize 468KB
-
memory/772-64-0x0000000002500000-0x0000000002580000-memory.dmp Filesize 512KB
-
memory/772-65-0x0000000000320000-0x0000000000321000-memory.dmp Filesize 4KB
-
memory/772-59-0x0000000075EF1000-0x0000000075EF3000-memory.dmp Filesize 8KB
-
memory/928-63-0x0000000000000000-mapping.dmp
-
memory/1540-61-0x0000000000000000-mapping.dmp
-
memory/1660-81-0x0000000000000000-mapping.dmp
-
memory/1684-84-0x0000000000000000-mapping.dmp
-
memory/1752-82-0x0000000000000000-mapping.dmp
-
memory/1884-62-0x0000000000000000-mapping.dmp
-
memory/1920-85-0x0000000000000000-mapping.dmp
-
memory/1924-83-0x0000000000000000-mapping.dmp