Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 10-06-2021 11:02

Static task: static1
Behavioral task: behavioral1
- Sample: 1c_bitrix.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 1c_bitrix.exe
- Resource: win10v20210410
General
- Target: 1c_bitrix.exe
- Size: 92KB
- MD5: 80b21955369b73d9c3b73214905c8ba7
- SHA1: c3b6c20dd9f7d9b3246683952db3b1800e19664e
- SHA256: 1af26c9d78b02d5b43e43029645046aa2544cf43f9cf068cb6188b5261db25bb
- SHA512: f3a5c5c496e552c0f8853b45ce06f451187cc2d73a1eea242bbd9d641245f79a6ddc08eae7b35ef14ad94a2b575d5facb05a4e8867391cd2df3728c4b41c69c7
Malware Config
Extracted
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- xcsset@criptext.com
- xcsset@aol.com
Signatures
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (3 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 1c_bitrix.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\EnableHide.tiff | 1c_bitrix.exe
  File opened for modification | C:\Users\Admin\Pictures\SetUse.tiff | 1c_bitrix.exe
  File opened for modification | C:\Users\Admin\Pictures\SubmitUnpublish.tiff | 1c_bitrix.exe
- Drops startup file (5 IoCs)
  Processes: 1c_bitrix.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1c_bitrix.exe | 1c_bitrix.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | 1c_bitrix.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-41EB61BF.[xcsset@criptext.com].xcss | 1c_bitrix.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-41EB61BF.[xcsset@criptext.com].xcss | 1c_bitrix.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | 1c_bitrix.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: 1c_bitrix.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1c_bitrix.exe = "C:\\Windows\\System32\\1c_bitrix.exe" | 1c_bitrix.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | 1c_bitrix.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | 1c_bitrix.exe
- Drops desktop.ini file(s) (64 IoCs)
- Drops file in System32 directory (2 IoCs)
  Processes: 1c_bitrix.exe
  description | ioc | process
  File created | C:\Windows\System32\1c_bitrix.exe | 1c_bitrix.exe
  File created | C:\Windows\System32\Info.hta | 1c_bitrix.exe
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  1240 | vssadmin.exe
  1568 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 1c_bitrix.exe
  pid | process
  1736 | 1c_bitrix.exe (this identical row is listed 64 times in the report)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 2808 | vssvc.exe
  Token: SeRestorePrivilege | 2808 | vssvc.exe
  Token: SeAuditPrivilege | 2808 | vssvc.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 1c_bitrix.exe, cmd.exe, cmd.exe
  description | pid | process | target process
  PID 1736 wrote to memory of 912 | 1736 | 1c_bitrix.exe | cmd.exe
  PID 1736 wrote to memory of 912 | 1736 | 1c_bitrix.exe | cmd.exe
  PID 912 wrote to memory of 3528 | 912 | cmd.exe | mode.com
  PID 912 wrote to memory of 3528 | 912 | cmd.exe | mode.com
  PID 912 wrote to memory of 1240 | 912 | cmd.exe | vssadmin.exe
  PID 912 wrote to memory of 1240 | 912 | cmd.exe | vssadmin.exe
  PID 1736 wrote to memory of 264 | 1736 | 1c_bitrix.exe | cmd.exe
  PID 1736 wrote to memory of 264 | 1736 | 1c_bitrix.exe | cmd.exe
  PID 264 wrote to memory of 908 | 264 | cmd.exe | mode.com
  PID 264 wrote to memory of 908 | 264 | cmd.exe | mode.com
  PID 264 wrote to memory of 1568 | 264 | cmd.exe | vssadmin.exe
  PID 264 wrote to memory of 1568 | 264 | cmd.exe | vssadmin.exe
  PID 1736 wrote to memory of 2708 | 1736 | 1c_bitrix.exe | mshta.exe
  PID 1736 wrote to memory of 2708 | 1736 | 1c_bitrix.exe | mshta.exe
  PID 1736 wrote to memory of 3024 | 1736 | 1c_bitrix.exe | mshta.exe
  PID 1736 wrote to memory of 3024 | 1736 | 1c_bitrix.exe | mshta.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\1c_bitrix.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1c_bitrix.exe"
    - Modifies extensions of user files
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\mode.com
            Command line: mode con cp select=1251
        [3] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
    [2] C:\Windows\system32\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\mode.com
            Command line: mode con cp select=1251
        [3] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
    [2] C:\Windows\System32\mshta.exe
        Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    [2] C:\Windows\System32\mshta.exe
        Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 874468a0021a7b8338fb896a23e73dac
  SHA1: dfef12ad8528b6182e233e8cff17d4814708f524
  SHA256: f8ce96a14ca8626a49199ce46e1596c27e17606a772cb0ab6de73070ee686548
  SHA512: af370348ccd7a93e843920334acc214b4a681afae9197f477014a527300ce57dc5f85d6cf1580eb4cf82ec869ee64722eb6dc6fcbddfda7f81a2a0acd012873a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 874468a0021a7b8338fb896a23e73dac
  SHA1: dfef12ad8528b6182e233e8cff17d4814708f524
  SHA256: f8ce96a14ca8626a49199ce46e1596c27e17606a772cb0ab6de73070ee686548
  SHA512: af370348ccd7a93e843920334acc214b4a681afae9197f477014a527300ce57dc5f85d6cf1580eb4cf82ec869ee64722eb6dc6fcbddfda7f81a2a0acd012873a
- C:\Users\Public\Desktop\FILES ENCRYPTED.txt
  MD5: 2a59427d081d35ce74134ca45a8dda5c
  SHA1: 1a651e68628e147639d7defce830b3c04f9bf3ba
  SHA256: 468a30ecff85635df393a214872dd9a2a8c53a66db9d2f07926a66e82a20e99e
  SHA512: dc93fc3bcdfc1e7e135aa32a852359ccf750b3992a0547ba7075d1d0fab686a34545924aea6bb279bab49e26a64de7c0b11709f0a7f4bd262bbb18df694f9458
- memory/264-117-0x0000000000000000-mapping.dmp
- memory/908-118-0x0000000000000000-mapping.dmp
- memory/912-114-0x0000000000000000-mapping.dmp
- memory/1240-116-0x0000000000000000-mapping.dmp
- memory/1568-119-0x0000000000000000-mapping.dmp
- memory/2708-120-0x0000000000000000-mapping.dmp
- memory/3024-121-0x0000000000000000-mapping.dmp
- memory/3528-115-0x0000000000000000-mapping.dmp