Analysis
-
max time kernel
150s -
max time network
85s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
31-05-2021 00:30
Static task
static1
Behavioral task
behavioral1
Sample
winhost.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
winhost.exe
Resource
win10v20210408
General
-
Target
winhost.exe
-
Size
92KB
-
MD5
127bebd839df1d611946f8f780b65900
-
SHA1
9a13099be8d705f1092539423edec6c773b464e5
-
SHA256
3ed05c9b2bec17e067eae1a52f65d2e06232e77c754d0608d39408482a38ff9f
-
SHA512
6978bda069b05bcee630be6f0d139edd598172726e943ff26bf1f1356ba6bc7a7c332328da9dd9c46e9a2cfb467fa545490a561b8f1f040d15abf4fe0cdcc5dc
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
delta@onionmail.org
delta@bingzone.net
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 5 IoCs
Processes:
winhost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini winhost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-09546925.[delta@onionmail.org].DELTA winhost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta winhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
winhost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe" winhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" winhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" winhost.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
winhost.exedescription ioc process File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini winhost.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini winhost.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini winhost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini winhost.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini winhost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Music\desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini winhost.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini winhost.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini winhost.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI winhost.exe File opened for modification C:\Users\Public\Downloads\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini winhost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini winhost.exe File opened for modification C:\Users\Public\Videos\desktop.ini winhost.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu Places\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini winhost.exe File opened for modification C:\Users\Public\desktop.ini winhost.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini winhost.exe File opened for modification C:\Users\Public\Libraries\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini winhost.exe File opened for modification C:\Users\Public\Documents\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini winhost.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini winhost.exe File opened for modification C:\Users\Public\Music\desktop.ini winhost.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini winhost.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini winhost.exe File opened for modification C:\Users\Admin\Links\desktop.ini winhost.exe File opened for modification C:\Program Files\desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini winhost.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini winhost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini winhost.exe File opened for modification C:\Program Files (x86)\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini winhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini winhost.exe -
Drops file in System32 directory 2 IoCs
Processes:
winhost.exedescription ioc process File created C:\Windows\System32\winhost.exe winhost.exe File created C:\Windows\System32\Info.hta winhost.exe -
Drops file in Program Files directory 64 IoCs
Processes:
winhost.exedescription ioc process File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e9aab164.pri winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ppd.xrm-ms winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\ui-strings.js winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\DarkTheme.acrotheme winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_11c.png winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.id-09546925.[delta@onionmail.org].DELTA winhost.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF.id-09546925.[delta@onionmail.org].DELTA winhost.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ph_60x42.png winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT winhost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_sv.properties winhost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\ir.idl.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Thought_Bubble.png winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\ui-strings.js winhost.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\jdwp.dll.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\oliver.png winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bug.png winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE winhost.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Entity.Design.dll winhost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\AppxManifest.xml winhost.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\fonts\LucidaBrightDemiBold.ttf.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-36.png winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-30_altform-unplated_contrast-white.png winhost.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutImage.layoutdir-RTL.gif winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\ui-strings.js winhost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\LINEAR_RGB.pf.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx winhost.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-100.png winhost.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-20_altform-unplated.png winhost.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Amo.dll.id-09546925.[delta@onionmail.org].DELTA winhost.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DatabaseServices.dll.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri winhost.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\Solve\autosolve_button_up.mobile.png winhost.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files (x86)\Windows Media Player\en-US\wmpnssci.dll.mui winhost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-pl.xrm-ms winhost.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\ui-strings.js.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\ui-strings.js winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\BLUEPRNT.INF.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif.id-09546925.[delta@onionmail.org].DELTA winhost.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-pl.xrm-ms.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription1-ppd.xrm-ms winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\denim.jpg winhost.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-150.png winhost.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\ui-strings.js.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\ui-strings.js winhost.exe File opened for modification C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui winhost.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.id-09546925.[delta@onionmail.org].DELTA winhost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms winhost.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_background.jpg winhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid process 3380 vssadmin.exe 280 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
winhost.exepid process 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe 668 winhost.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 216 vssvc.exe Token: SeRestorePrivilege 216 vssvc.exe Token: SeAuditPrivilege 216 vssvc.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
winhost.execmd.execmd.exedescription pid process target process PID 668 wrote to memory of 2104 668 winhost.exe cmd.exe PID 668 wrote to memory of 2104 668 winhost.exe cmd.exe PID 2104 wrote to memory of 3136 2104 cmd.exe mode.com PID 2104 wrote to memory of 3136 2104 cmd.exe mode.com PID 2104 wrote to memory of 3380 2104 cmd.exe vssadmin.exe PID 2104 wrote to memory of 3380 2104 cmd.exe vssadmin.exe PID 668 wrote to memory of 560 668 winhost.exe cmd.exe PID 668 wrote to memory of 560 668 winhost.exe cmd.exe PID 560 wrote to memory of 3544 560 cmd.exe mode.com PID 560 wrote to memory of 3544 560 cmd.exe mode.com PID 560 wrote to memory of 280 560 cmd.exe vssadmin.exe PID 560 wrote to memory of 280 560 cmd.exe vssadmin.exe PID 668 wrote to memory of 2100 668 winhost.exe mshta.exe PID 668 wrote to memory of 2100 668 winhost.exe mshta.exe PID 668 wrote to memory of 2196 668 winhost.exe mshta.exe PID 668 wrote to memory of 2196 668 winhost.exe mshta.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\winhost.exe"C:\Users\Admin\AppData\Local\Temp\winhost.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaMD5
4c74e556683f7d229d804b52fc67a624
SHA1de3e900ff31bd4d5f7db0b1554975a1cccac77dd
SHA2565ad0c6f923456c7bfa04a0febbf15c9dd4988a444140831852cdcc1b74a4fdf4
SHA5123258a57a4d55a5a5d0bd92898f93c3c6efd347780d515f4c6d3e7a5a49d5d886cef4653cf81340e160a22eba6e9de04c37f269b851b5993c61e9edfc7ce48b8f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaMD5
4c74e556683f7d229d804b52fc67a624
SHA1de3e900ff31bd4d5f7db0b1554975a1cccac77dd
SHA2565ad0c6f923456c7bfa04a0febbf15c9dd4988a444140831852cdcc1b74a4fdf4
SHA5123258a57a4d55a5a5d0bd92898f93c3c6efd347780d515f4c6d3e7a5a49d5d886cef4653cf81340e160a22eba6e9de04c37f269b851b5993c61e9edfc7ce48b8f
-
memory/280-119-0x0000000000000000-mapping.dmp
-
memory/560-117-0x0000000000000000-mapping.dmp
-
memory/2100-120-0x0000000000000000-mapping.dmp
-
memory/2104-114-0x0000000000000000-mapping.dmp
-
memory/2196-121-0x0000000000000000-mapping.dmp
-
memory/3136-115-0x0000000000000000-mapping.dmp
-
memory/3380-116-0x0000000000000000-mapping.dmp
-
memory/3544-118-0x0000000000000000-mapping.dmp