dharma | 3366e3811e6efd2237a9f829af0551e46e79001ae05192e90ccf1d6c047312c1

General

Target

software.exe
Size

92KB
MD5

b75251731b56827c342c99aa971ba08f
SHA1

40b1c7755c51d2a01989129e789babb2b8b63ccf
SHA256

3366e3811e6efd2237a9f829af0551e46e79001ae05192e90ccf1d6c047312c1
SHA512

ddd9af6c117665383d74a81652d6f59f4967d1ca4be0b4456bc0680675c932d9f4b3448a560f343420909eb4cba7aa4f98ed7960e52783b85b220ed2b1b4f1e8

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED ENCRYPTED Don't worry, you can return all your files! If you want to restore them, write to the mail: [email protected] YOUR ID [email protected] ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DismountSubmit.tiff	software.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeRepair.tiff	software.exe

Drops startup file 5 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	software.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\software.exe	software.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

software.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\software.exe = "C:\\Windows\\System32\\software.exe"	software.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	software.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	software.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	software.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	software.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3456797065-1076791440-4146276586-1000\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	software.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JPBNSXHB\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1CRGOEB\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	software.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	software.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	software.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	software.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	software.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	software.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	software.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	software.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	software.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	software.exe

Drops file in System32 directory 2 IoCs

Processes:

software.exe

description ioc process

File created C:\Windows\System32\software.exe software.exe
File created C:\Windows\System32\Info.hta software.exe

description	ioc	process
File created	C:\Windows\System32\software.exe	software.exe
File created	C:\Windows\System32\Info.hta	software.exe

Drops file in Program Files directory 64 IoCs

Processes:

software.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml	software.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF	software.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kcms.dll.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\Java\jre7\lib\flavormap.properties.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00305_.WMF	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadataresource.xsd.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEM.CFG	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN110.XML.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02448_.WMF.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	software.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238927.WMF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Boise.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46F.GIF	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\validation.js.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveLetter.dotx.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19828_.WMF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdaorar.dll	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.INF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08868_.WMF.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_over.gif.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02390_.WMF.id-42A6D81F.[[email protected]].MS	software.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml.id-42A6D81F.[[email protected]].MS	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	software.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.id-42A6D81F.[[email protected]].MS	software.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

556 vssadmin.exe
1628 vssadmin.exe

pid	process
556	vssadmin.exe
1628	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1996 NOTEPAD.EXE

pid	process
1996	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

software.exe

pid	process
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe
1112	software.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1192 vssvc.exe
Token: SeRestorePrivilege 1192 vssvc.exe
Token: SeAuditPrivilege 1192 vssvc.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

mshta.exe

pid process

1688 mshta.exe

description	pid	process
Token: SeBackupPrivilege	1192	vssvc.exe
Token: SeRestorePrivilege	1192	vssvc.exe
Token: SeAuditPrivilege	1192	vssvc.exe

pid	process
1688	mshta.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

software.execmd.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 1120	1112	software.exe	cmd.exe
PID 1112 wrote to memory of 1120	1112	software.exe	cmd.exe
PID 1112 wrote to memory of 1120	1112	software.exe	cmd.exe
PID 1112 wrote to memory of 1120	1112	software.exe	cmd.exe
PID 1120 wrote to memory of 1756	1120	cmd.exe	mode.com
PID 1120 wrote to memory of 1756	1120	cmd.exe	mode.com
PID 1120 wrote to memory of 1756	1120	cmd.exe	mode.com
PID 1120 wrote to memory of 556	1120	cmd.exe	vssadmin.exe
PID 1120 wrote to memory of 556	1120	cmd.exe	vssadmin.exe
PID 1120 wrote to memory of 556	1120	cmd.exe	vssadmin.exe
PID 1112 wrote to memory of 1940	1112	software.exe	cmd.exe
PID 1112 wrote to memory of 1940	1112	software.exe	cmd.exe
PID 1112 wrote to memory of 1940	1112	software.exe	cmd.exe
PID 1112 wrote to memory of 1940	1112	software.exe	cmd.exe
PID 1940 wrote to memory of 1960	1940	cmd.exe	mode.com
PID 1940 wrote to memory of 1960	1940	cmd.exe	mode.com
PID 1940 wrote to memory of 1960	1940	cmd.exe	mode.com
PID 1940 wrote to memory of 1628	1940	cmd.exe	vssadmin.exe
PID 1940 wrote to memory of 1628	1940	cmd.exe	vssadmin.exe
PID 1940 wrote to memory of 1628	1940	cmd.exe	vssadmin.exe
PID 1112 wrote to memory of 1688	1112	software.exe	mshta.exe
PID 1112 wrote to memory of 1688	1112	software.exe	mshta.exe
PID 1112 wrote to memory of 1688	1112	software.exe	mshta.exe
PID 1112 wrote to memory of 1688	1112	software.exe	mshta.exe
PID 1112 wrote to memory of 1084	1112	software.exe	mshta.exe
PID 1112 wrote to memory of 1084	1112	software.exe	mshta.exe
PID 1112 wrote to memory of 1084	1112	software.exe	mshta.exe
PID 1112 wrote to memory of 1084	1112	software.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\software.exe
"C:\Users\Admin\AppData\Local\Temp\software.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1756

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:556

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1960

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1628

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:1688

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:1084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MANUAL.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1996

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
MD5
4eb889d2cec5155687ce29cb810148b7

SHA1
4901b062b674cb2094cc07dabce9b507af83de89

SHA256
e3feca82c0084f2398b986a4e5522ed3ac94c39b33c0b172dd437e13f7d5286d

SHA512
47d10d81e4e4a89d2ac210a84730898e13d5e8af495b23f999c20b1255c006def3f99cdc147ebf1f997fa44ae7b8bdc14862fdcd686a224e3d218c7fed0fb908

Download Submit
C:\Users\Admin\Desktop\MANUAL.txt
MD5
0ae356a50c954704d1b44c3cc32f54f3

SHA1
4089c9021cb1cf3b13e7110b5c7cd1d0d9d4ce53

SHA256
ed1b2a23a7ebaec4b9c4ce5d9f25aebd93cbb7a02590c5e4e063b5d3b7131035

SHA512
56559757f6aa28345b74b19170f6783fc0a5551d7a6e3fe9189936c41e4f06693f3bdc8f15ea38fa834f2e47ffa9717174a66d3a887df2a06e92f59d5e63f168

Download Submit
memory/556-56-0x0000000000000000-mapping.dmp

Download
memory/1084-61-0x0000000000000000-mapping.dmp

Download
memory/1112-53-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1120-54-0x0000000000000000-mapping.dmp

Download
memory/1628-59-0x0000000000000000-mapping.dmp

Download
memory/1688-60-0x0000000000000000-mapping.dmp

Download
memory/1756-55-0x0000000000000000-mapping.dmp

Download
memory/1940-57-0x0000000000000000-mapping.dmp

Download
memory/1960-58-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads