Analysis
max time kernel: 150s
max time network: 35s
platform: windows7_x64
resource: win7v20210408
submitted: 31-05-2021 00:30

Static task: static1
Behavioral task behavioral1: sample winhost.exe, resource win7v20210408
Behavioral task behavioral2: sample winhost.exe, resource win10v20210408

General
Target: winhost.exe
Size: 92KB
MD5: 127bebd839df1d611946f8f780b65900
SHA1: 9a13099be8d705f1092539423edec6c773b464e5
SHA256: 3ed05c9b2bec17e067eae1a52f65d2e06232e77c754d0608d39408482a38ff9f
SHA512: 6978bda069b05bcee630be6f0d139edd598172726e943ff26bf1f1356ba6bc7a7c332328da9dd9c46e9a2cfb467fa545490a561b8f1f040d15abf4fe0cdcc5dc
Malware Config
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (the ransom note)
Contact emails: delta@onionmail.org, delta@bingzone.net
Signatures
-
Dharma
Dharma (also tracked as CrySIS) is a ransomware family; the sandbox's one-line description ("uses security software installation to hide malicious activities") refers to a distribution campaign in which the payload was bundled with a legitimate security-software installer so that the installer's activity masked the encryption. Encrypted files are renamed to <original name>.id-<victim id>.[<contact email>].<extension>; in this sample the suffix is .id-085DA947.[delta@onionmail.org].DELTA, and the ransom note is an HTA file (Info.hta) displayed through mshta.exe.
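An added example, not part of this sandbox report: a small Python routine that recognizes the suffix described above, recovers the original file name, and groups hits by victim id, contact address and extension, which is the first thing a responder wants from a file listing of an affected volume. The sample paths are copied from this report's IoC lists; the regular expression is written for the suffix shape this sample uses and is an assumption for other variants.

```python
import re
from collections import defaultdict

# Dharma/CrySIS renames each encrypted file to
#   <original name>.id-<8 hex victim id>.[<contact email>].<campaign extension>
# This report's IoCs use id-085DA947, delta@onionmail.org and DELTA.
DHARMA_SUFFIX = re.compile(
    r"^(?P<original>.+?)"                      # original file name (lazy: first valid suffix wins)
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"      # per-victim id
    r"\.\[(?P<email>[^\]\\/]+@[^\]\\/]+)\]"    # bracketed contact address
    r"\.(?P<ext>[A-Za-z0-9]+)$"                # campaign extension
)

def parse_encrypted_name(path):
    """Return original path, victim id, email and extension if `path` carries
    the Dharma suffix; None for anything else (untouched files, the ransom note)."""
    directory, sep, name = path.rpartition("\\")
    m = DHARMA_SUFFIX.match(name)
    if m is None:
        return None
    return {
        "encrypted": path,
        "original": directory + sep + m.group("original"),
        "victim_id": m.group("victim_id").upper(),
        "email": m.group("email"),
        "ext": m.group("ext"),
    }

def triage(paths):
    """Group encrypted files by (victim id, email, extension) so a responder can
    see how many campaigns touched a volume; also return the untouched paths."""
    groups = defaultdict(list)
    untouched = []
    for p in paths:
        hit = parse_encrypted_name(p)
        if hit is None:
            untouched.append(p)
        else:
            groups[(hit["victim_id"], hit["email"], hit["ext"])].append(hit["original"])
    return dict(groups), untouched

# Constructed sample input: four paths copied from this report's IoC lists
# (two encrypted files, one file the sample only opened, and the ransom note).
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-085DA947.[delta@onionmail.org].DELTA",
    r"C:\Program Files\Java\jre7\bin\unpack.dll.id-085DA947.[delta@onionmail.org].DELTA",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01015_.WMF",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
]

if __name__ == "__main__":
    groups, untouched = triage(SAMPLE_PATHS)
    for key, originals in groups.items():
        print("victim id %s, contact %s, extension .%s: %d file(s)" % (key + (len(originals),)))
        for original in originals:
            print("   ", original)
    print("not renamed:", len(untouched))
```

Grouping by the full (id, email, extension) triple rather than by extension alone matters in practice: a second intrusion by the same affiliate, or a re-run of the binary, produces a different victim id on the same host, and the responder needs to know which files belong to which run before talking to anyone about decryption.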
-
Deletes shadow copies 2 TTPs
Ransomware often deletes Volume Shadow Copies to inhibit system recovery. In this task the sample does so through cmd.exe running "vssadmin delete shadows /all /quiet", and it does it twice (see the process tree below).
-
Drops startup file 5 IoCs
Processes: winhost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | winhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-085DA947.[delta@onionmail.org].DELTA | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-085DA947.[delta@onionmail.org].DELTA | winhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | winhost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials. Here, however, the accesses fall inside the sample's file-system sweep (note the Temporary Internet Files\Content.IE5 and Feeds Cache paths in the desktop.ini list below), and the Network section of this report is empty, so treat this as encryption of browser profile directories rather than credential theft.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: winhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | winhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | winhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe" | winhost.exe
All three values sit under HKLM (\REGISTRY\MACHINE), and the copy of winhost.exe into System32 (see "Drops file in System32 directory" below) succeeded, so the sample ran with administrative rights in this task. Without them these writes fail, but the copy dropped into the user's Startup folder (above) still gives per-user persistence. The value names are full file paths, which is unusual for Run entries and makes a cheap hunting key.
-
Drops desktop.ini file(s) 64 IoCs
Processes: winhost.exe
Every row is "File opened for modification | <path> | winhost.exe"; the 64 paths are:
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Favorites\Links for United States\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\$Recycle.Bin\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Pictures\Sample Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VFDYFLB4\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Program Files\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P8HHGB03\desktop.ini
-
Drops file in System32 directory 2 IoCs
Processes:
winhost.exedescription ioc process File created C:\Windows\System32\winhost.exe winhost.exe File created C:\Windows\System32\Info.hta winhost.exe -
Drops file in Program Files directory 64 IoCs
Processes: winhost.exe (the process column is winhost.exe for every row)
description | ioc
File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS2SWOOS.POC.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01015_.WMF
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Beirut.id-085DA947.[delta@onionmail.org].DELTA
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.dll.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_10.MID
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHMAIN.DLL
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\zh-CN.pak
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04384_.WMF
File created | C:\Program Files\Java\jre7\bin\unpack.dll.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspatializer_plugin.dll
File opened for modification | C:\Program Files\7-Zip\Lang\br.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198494.WMF
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_cycle_plugin.dll.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232797.WMF
File created | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\AUTHOR.XSL.id-085DA947.[delta@onionmail.org].DELTA
File created | C:\Program Files\7-Zip\Lang\vi.txt.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18207_.WMF.id-085DA947.[delta@onionmail.org].DELTA
File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl
File opened for modification | C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10972_.GIF.id-085DA947.[delta@onionmail.org].DELTA
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157167.WMF.id-085DA947.[delta@onionmail.org].DELTA
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185790.WMF.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACECORE.DLL.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\fa.pak
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG.id-085DA947.[delta@onionmail.org].DELTA
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01748_.GIF.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DBGHELP.DLL
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN081.XML
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG.id-085DA947.[delta@onionmail.org].DELTA
File created | C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10298_.GIF.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\THMBNAIL.PNG.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_pressed.png
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.id-085DA947.[delta@onionmail.org].DELTA
File created | C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\QuizShow.potx
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00526_.WMF.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105320.WMF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN082.XML
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\System.AddIn.dll.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files\DVD Maker\sonicsptransform.ax
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBHD.XML.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SMSL.ICO.id-085DA947.[delta@onionmail.org].DELTA
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01638_.WMF.id-085DA947.[delta@onionmail.org].DELTA
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME39.CSS.id-085DA947.[delta@onionmail.org].DELTA
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
pid | process
1836 | vssadmin.exe
528 | vssadmin.exe
-
Modifies Internet Explorer settings 2 IoCs
Processes: mshta.exe, mshta.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
(The signature name was missing above the table; it is the one the process tree below attaches to the two mshta.exe children. Creating this key is what mshta's HTML host does when it renders the ransom note, not a setting change made by the sample itself.)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: winhost.exe
pid | process
2000 | winhost.exe (this row is repeated once for each of the 64 IoCs)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: vssvc.exe
description | pid | process
Token: SeBackupPrivilege | 112 | vssvc.exe
Token: SeRestorePrivilege | 112 | vssvc.exe
Token: SeAuditPrivilege | 112 | vssvc.exe
vssvc.exe is the Volume Shadow Copy service; enabling these privileges is what it normally does while servicing the vssadmin requests, so this hit is a side effect of the shadow-copy deletion rather than a separate action by the sample.
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes: winhost.exe, cmd.exe, cmd.exe
description | writer pid / process | target pid / process | count
PID 2000 wrote to memory of 1728 | 2000 winhost.exe | 1728 cmd.exe | 4
PID 1728 wrote to memory of 836 | 1728 cmd.exe | 836 mode.com | 3
PID 1728 wrote to memory of 1836 | 1728 cmd.exe | 1836 vssadmin.exe | 3
PID 2000 wrote to memory of 1184 | 2000 winhost.exe | 1184 cmd.exe | 4
PID 1184 wrote to memory of 1664 | 1184 cmd.exe | 1664 mode.com | 3
PID 1184 wrote to memory of 528 | 1184 cmd.exe | 528 vssadmin.exe | 3
PID 2000 wrote to memory of 268 | 2000 winhost.exe | 268 mshta.exe | 4
PID 2000 wrote to memory of 944 | 2000 winhost.exe | 944 mshta.exe | 4
Every target is a child that the writer itself had just spawned (compare the process tree below), so these are the writes a parent performs while creating a child process; the report shows no write into a pre-existing, unrelated process, i.e. no evidence of injection.
Processes
1  C:\Users\Admin\AppData\Local\Temp\winhost.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
   - Drops startup file
   - Adds Run key to start application
   - Drops desktop.ini file(s)
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\system32\mode.com
         command line: mode con cp select=1251
      3  C:\Windows\system32\vssadmin.exe
         command line: vssadmin delete shadows /all /quiet
         - Interacts with shadow copies
   2  C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\system32\mode.com
         command line: mode con cp select=1251
      3  C:\Windows\system32\vssadmin.exe
         command line: vssadmin delete shadows /all /quiet
         - Interacts with shadow copies
   2  C:\Windows\System32\mshta.exe
      command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      - Modifies Internet Explorer settings
   2  C:\Windows\System32\mshta.exe
      command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      - Modifies Internet Explorer settings
1  C:\Windows\system32\vssvc.exe
   command line: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken

The leading number is the depth in the process tree. "mode con cp select=1251" switches the console to Windows code page 1251 (Cyrillic) before vssadmin runs; it is commonly seen in Dharma/CrySIS samples and is a useful detection string in its own right. The two cmd.exe chains are identical, so the shadow-copy deletion is attempted twice. vssvc.exe is the Volume Shadow Copy service, started by the system to service the vssadmin requests, not a child of the sample. The two mshta.exe children display the ransom note from the per-user and the all-users Startup folders, and the Run values listed earlier point at two further copies (C:\Windows\System32\Info.hta and C:\Users\Admin\AppData\Roaming\Info.hta), so the note also reappears at every logon.
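An added example, not part of this sandbox report: detection logic run over a constructed, Sysmon-style event stream that mirrors the process tree above and the Run-key IoCs in the "Adds Run key" section. It flags the three behaviours a defender would alert on from this page (vssadmin asked to delete shadow copies, mshta.exe running an .hta from a user-writable path, a Run value that launches mshta) and then correlates hits back to the root of the process tree, so that one tree tripping several rules is reported as a chain while a lone admin running vssadmin is not. The pids and command lines are the report's; the benign "vssadmin list shadows" console session (pids 3999/4000) and the event field names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed event stream modelled on this report's process tree and Run-key IoCs.
# pids, images and command lines are the ones the report shows; the benign
# "vssadmin list shadows" console session (pids 3999/4000) is an added control case.
EVENTS = [
    {"type": "process", "pid": 2000, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\winhost.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\winhost.exe"'},
    {"type": "process", "pid": 1728, "ppid": 2000,
     "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"type": "process", "pid": 836, "ppid": 1728,
     "image": r"C:\Windows\system32\mode.com", "cmdline": "mode con cp select=1251"},
    {"type": "process", "pid": 1836, "ppid": 1728,
     "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 268, "ppid": 2000,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    {"type": "registry", "pid": 2000, "image": r"C:\Users\Admin\AppData\Local\Temp\winhost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Windows\System32\Info.hta", "data": r'mshta.exe "C:\Windows\System32\Info.hta"'},
    {"type": "process", "pid": 3999, "ppid": None,
     "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "pid": 4000, "ppid": 3999,
     "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_shadow_delete(ev):
    """vssadmin asked to delete shadow copies (any scope, quiet or not)."""
    if ev["type"] == "process" and image_name(ev["image"]) == "vssadmin.exe" \
            and re.search(r"\bdelete\s+shadows\b", ev["cmdline"], re.I):
        return "shadow_copy_deletion"
    return None

def rule_hta_from_user_path(ev):
    """mshta.exe running an .hta that lives under a user-writable directory."""
    if ev["type"] == "process" and image_name(ev["image"]) == "mshta.exe" \
            and re.search(r"\.hta\b", ev["cmdline"], re.I) \
            and USER_WRITABLE.search(ev["cmdline"]):
        return "mshta_hta_from_user_writable_path"
    return None

def rule_run_key_mshta(ev):
    """A Run value whose data starts with mshta (the report's Info.hta autostart)."""
    if ev["type"] == "registry" and re.search(r"\\CurrentVersion\\Run$", ev["key"], re.I) \
            and ev["data"].strip('"').lower().startswith("mshta"):
        return "run_key_launches_mshta"
    return None

RULES = (rule_shadow_delete, rule_hta_from_user_path, rule_run_key_mshta)

def root_of(pid, parents):
    """Follow ppid links to the top of the recorded tree (cycle-safe)."""
    seen = set()
    while parents.get(pid) is not None and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid

def detect(events):
    """Return per-event rule hits and the root pids whose subtree trips two or
    more distinct rules: that combination separates a ransomware run from a
    lone vssadmin invocation or a lone mshta launch."""
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process"}
    hits = []
    by_root = defaultdict(set)
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev["pid"], name))
                by_root[root_of(ev["pid"], parents)].add(name)
    chains = {root: sorted(names) for root, names in by_root.items() if len(names) >= 2}
    return hits, chains

if __name__ == "__main__":
    hits, chains = detect(EVENTS)
    for pid, name in hits:
        print("pid %5d  %s" % (pid, name))
    for root, names in chains.items():
        print("root pid %d combines: %s" % (root, ", ".join(names)))
```

The correlation step is the part worth keeping when porting this to a SIEM: vssadmin deleting shadows is rare enough to page on by itself on most estates, but mshta and Run-key writes are noisy on their own, and tying them to the same root process (here pid 2000) is what turns three medium-confidence signals into one high-confidence ransomware alert.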
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5: e3664bc9e48a609ce43bfcac2fab96de
SHA1: a12ce37af83a1c02998313506e5bf5ee882107a0
SHA256: f6aa267c754210c7f5ab4cd5df8d02194b5e1de007d0bc7fcdc5a40c3e87c6b0
SHA512: 40c16e938fb5fdf28bbb1822548cdc76d4faeaf7084a0693fd7dc9ec870831fee0e646d2e91cc23cdc3af3c19f2b346691172aad796e6188f9c44fb7ea24d55b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5: e3664bc9e48a609ce43bfcac2fab96de
SHA1: a12ce37af83a1c02998313506e5bf5ee882107a0
SHA256: f6aa267c754210c7f5ab4cd5df8d02194b5e1de007d0bc7fcdc5a40c3e87c6b0
SHA512: 40c16e938fb5fdf28bbb1822548cdc76d4faeaf7084a0693fd7dc9ec870831fee0e646d2e91cc23cdc3af3c19f2b346691172aad796e6188f9c44fb7ea24d55b
(byte-identical to the ProgramData copy)

memory/268-66-0x0000000000000000-mapping.dmp
memory/528-65-0x0000000000000000-mapping.dmp
memory/836-61-0x0000000000000000-mapping.dmp
memory/944-67-0x0000000000000000-mapping.dmp
memory/1184-63-0x0000000000000000-mapping.dmp
memory/1664-64-0x0000000000000000-mapping.dmp
memory/1728-60-0x0000000000000000-mapping.dmp
memory/1836-62-0x0000000000000000-mapping.dmp
memory/2000-59-0x0000000075D11000-0x0000000075D13000-memory.dmp (filesize 8KB)