Analysis
- max time kernel: 180s
- max time network: 50s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 02-11-2021 08:56
Static task: static1
Behavioral task: behavioral1
- Sample: software.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: software.exe
- Resource: win10-en-20211014
General
- Target: software.exe
- Size: 92KB
- MD5: b75251731b56827c342c99aa971ba08f
- SHA1: 40b1c7755c51d2a01989129e789babb2b8b63ccf
- SHA256: 3366e3811e6efd2237a9f829af0551e46e79001ae05192e90ccf1d6c047312c1
- SHA512: ddd9af6c117665383d74a81652d6f59f4967d1ca4be0b4456bc0680675c932d9f4b3448a560f343420909eb4cba7aa4f98ed7960e52783b85b220ed2b1b4f1e8
Malware Config
- Extracted: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Signatures

- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: software.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\DismountSubmit.tiff | software.exe
  File opened for modification | C:\Users\Admin\Pictures\InitializeRepair.tiff | software.exe

- Drops startup file (5 IoCs)
  Processes: software.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | software.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | software.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\software.exe | software.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: software.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\software.exe = "C:\\Windows\\System32\\software.exe" | software.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | software.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | software.exe
- Drops desktop.ini file(s) (64 IoCs)
  Processes: software.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | software.exe
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Favorites\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini | software.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | software.exe
  File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | software.exe
  File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | software.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | software.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | software.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | software.exe
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-3456797065-1076791440-4146276586-1000\desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | software.exe
  File opened for modification | C:\Users\Public\Pictures\desktop.ini | software.exe
  File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | software.exe
  File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | software.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JPBNSXHB\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1CRGOEB\desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | software.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | software.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini | software.exe
  File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | software.exe
  File opened for modification | C:\Program Files (x86)\desktop.ini | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | software.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | software.exe
  File opened for modification | C:\Users\Public\Libraries\desktop.ini | software.exe
  File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | software.exe
  File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | software.exe
  File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | software.exe
  File opened for modification | C:\Users\Public\Documents\desktop.ini | software.exe
  File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Links\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | software.exe
  File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini | software.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | software.exe
- Drops file in System32 directory (2 IoCs)
  Processes: software.exe
  description | ioc | process
  File created | C:\Windows\System32\software.exe | software.exe
  File created | C:\Windows\System32\Info.hta | software.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: software.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\XLSLICER.DLL.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml | software.exe
  File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF | software.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\kcms.dll.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\flavormap.properties.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00305_.WMF | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadataresource.xsd.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEM.CFG | software.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN110.XML.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\Java\jre7\bin\javacpl.exe | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02448_.WMF.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml | software.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107512.WMF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238927.WMF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\Internet Explorer\perf_nt.dll | software.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files\Java\jre7\lib\zi\America\Boise.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00452_.WMF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46F.GIF | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\validation.js.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185786.WMF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveLetter.dotx.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19828_.WMF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll | software.exe
  File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\msdaorar.dll | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\DELETE.GIF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png | software.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR20F.GIF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif | software.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml | software.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21316_.GIF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\RMNSQUE.INF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08868_.WMF.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_over.gif.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png | software.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein | software.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02390_.WMF.id-42A6D81F.[[email protected]].MS | software.exe
  File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml.id-42A6D81F.[[email protected]].MS | software.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html | software.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml.id-42A6D81F.[[email protected]].MS | software.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe
  pid | process
  556 | vssadmin.exe
  1628 | vssadmin.exe
- Modifies Internet Explorer settings
  Processes: mshta.exe, mshta.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid | process
  1996 | NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: software.exe
  pid | process
  1112 | software.exe (the same pid/process pair is reported 64 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: vssvc.exe
  description | pid | process
  Token: SeBackupPrivilege | 1192 | vssvc.exe
  Token: SeRestorePrivilege | 1192 | vssvc.exe
  Token: SeAuditPrivilege | 1192 | vssvc.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: mshta.exe
  pid | process
  1688 | mshta.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: software.exe, cmd.exe, cmd.exe
  description | pid | process | target process | occurrences
  PID 1112 wrote to memory of 1120 | 1112 | software.exe | cmd.exe | 4
  PID 1120 wrote to memory of 1756 | 1120 | cmd.exe | mode.com | 3
  PID 1120 wrote to memory of 556 | 1120 | cmd.exe | vssadmin.exe | 3
  PID 1112 wrote to memory of 1940 | 1112 | software.exe | cmd.exe | 4
  PID 1940 wrote to memory of 1960 | 1940 | cmd.exe | mode.com | 3
  PID 1940 wrote to memory of 1628 | 1940 | cmd.exe | vssadmin.exe | 3
  PID 1112 wrote to memory of 1688 | 1112 | software.exe | mshta.exe | 4
  PID 1112 wrote to memory of 1084 | 1112 | software.exe | mshta.exe | 4
Processes

- Depth 1: C:\Users\Admin\AppData\Local\Temp\software.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\software.exe"
  PID: 1112
  Signatures:
  - Modifies extensions of user files
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - Depth 2: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    PID: 1120
    Signatures:
    - Suspicious use of WriteProcessMemory

    - Depth 3: C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
      PID: 1756

    - Depth 3: C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 556
      Signatures:
      - Interacts with shadow copies

  - Depth 2: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    PID: 1940
    Signatures:
    - Suspicious use of WriteProcessMemory

    - Depth 3: C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
      PID: 1960

    - Depth 3: C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      PID: 1628
      Signatures:
      - Interacts with shadow copies

  - Depth 2: C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    PID: 1688
    Signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow

  - Depth 2: C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    PID: 1084
    Signatures:
    - Modifies Internet Explorer settings

- Depth 1: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1192
  Signatures:
  - Suspicious use of AdjustPrivilegeToken

- Depth 1: C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\MANUAL.txt
  PID: 1996
  Signatures:
  - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  MD5: 4eb889d2cec5155687ce29cb810148b7
  SHA1: 4901b062b674cb2094cc07dabce9b507af83de89
  SHA256: e3feca82c0084f2398b986a4e5522ed3ac94c39b33c0b172dd437e13f7d5286d
  SHA512: 47d10d81e4e4a89d2ac210a84730898e13d5e8af495b23f999c20b1255c006def3f99cdc147ebf1f997fa44ae7b8bdc14862fdcd686a224e3d218c7fed0fb908

- C:\Users\Admin\Desktop\MANUAL.txt
  MD5: 0ae356a50c954704d1b44c3cc32f54f3
  SHA1: 4089c9021cb1cf3b13e7110b5c7cd1d0d9d4ce53
  SHA256: ed1b2a23a7ebaec4b9c4ce5d9f25aebd93cbb7a02590c5e4e063b5d3b7131035
  SHA512: 56559757f6aa28345b74b19170f6783fc0a5551d7a6e3fe9189936c41e4f06693f3bdc8f15ea38fa834f2e47ffa9717174a66d3a887df2a06e92f59d5e63f168

- memory/556-56-0x0000000000000000-mapping.dmp
- memory/1084-61-0x0000000000000000-mapping.dmp
- memory/1112-53-0x00000000751A1000-0x00000000751A3000-memory.dmp
  Filesize: 8KB
- memory/1120-54-0x0000000000000000-mapping.dmp
- memory/1628-59-0x0000000000000000-mapping.dmp
- memory/1688-60-0x0000000000000000-mapping.dmp
- memory/1756-55-0x0000000000000000-mapping.dmp
- memory/1940-57-0x0000000000000000-mapping.dmp
- memory/1960-58-0x0000000000000000-mapping.dmp
- memory/1996-63-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
  Filesize: 8KB