dharma | 6f42c1ebd35d720b3601609be2dec2dfcd3edaca205ceb144e31d2c22c281f5f

General

Target

?????????? 1 +??????????.scr
Size

335KB
MD5

ea54ac4b573864a58e912bc1296e6b3d
SHA1

cb0b48ec0e1c0da1b46e35c7fc7e498b6439a9ca
SHA256

82cc54a2d2620e98de7729569627dc794b4d53096f74e5b6fae2fdb227d63d1d
SHA512

712e6c66cd158ba9b112f3f00e612ea921b94c664f07a3124b45517d24a7eb6b75f9d0f4c3bc9f8c38af810f1659cefeec6af4dd4bcd3feba512848ed369e3ab

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail help@x-mail.pro Write this ID in the title of your message E4458C87 In case of no answer in 24 hours write us to theese e-mails: help@x-mail.pro You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

help@x-mail.pro

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

__________ 1 +__________.scr

description ioc process

File opened for modification C:\Users\Admin\Pictures\ResumeUnregister.tiff __________ 1 +__________.scr

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ResumeUnregister.tiff	__________ 1 +__________.scr

Drops startup file 5 IoCs

Processes:

__________ 1 +__________.scr

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	__________ 1 +__________.scr
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__________ 1 +__________.scr	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	__________ 1 +__________.scr
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

__________ 1 +__________.scr

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\__________ 1 +__________.scr = "C:\\Windows\\System32\\__________ 1 +__________.scr"	__________ 1 +__________.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	__________ 1 +__________.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	__________ 1 +__________.scr

Drops desktop.ini file(s) 64 IoCs

Processes:

__________ 1 +__________.scr

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YJH7S53B\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Public\Desktop\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Public\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Searches\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Public\Documents\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	__________ 1 +__________.scr
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5LQN3UAD\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0JX876I\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Public\Downloads\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5V37SD41\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Links\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\EEQJXKAI\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Documents\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7RK1CK32\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Videos\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Public\Pictures\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files\desktop.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	__________ 1 +__________.scr

Drops file in System32 directory 2 IoCs

Processes:

__________ 1 +__________.scr

description	ioc	process
File created	C:\Windows\System32\Info.hta	__________ 1 +__________.scr
File created	C:\Windows\System32\__________ 1 +__________.scr	__________ 1 +__________.scr

Suspicious use of SetThreadContext 1 IoCs

Processes:

__________ 1 +__________.scr

description pid process target process

PID 1976 set thread context of 1328 1976 __________ 1 +__________.scr __________ 1 +__________.scr

description	pid	process	target process
PID 1976 set thread context of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr

Drops file in Program Files directory 64 IoCs

Processes:

__________ 1 +__________.scr

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OFFLINE.ICO.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\gadget.xml	__________ 1 +__________.scr
File created	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\PREVIEW.GIF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099183.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\updater.jar.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	__________ 1 +__________.scr
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199473.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Details.accdt.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\weather.js	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.oracle.jmc.executable.win32.win32.x86_64_5.5.0	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02790_.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert.css.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090777.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0290548.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\settings.html	__________ 1 +__________.scr
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\THMBNAIL.PNG.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00049_.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.XML	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195320.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR11F.GIF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02071_.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.rst.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryLetter.dotx.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll	__________ 1 +__________.scr
File created	C:\Program Files\Java\jre7\lib\fontconfig.properties.src.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Hobart.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Stockholm.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.dll.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanMergeLetter.Dotx.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN010.XML	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OUTEX2.ECF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198021.WMF.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115863.GIF	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDEC.CFG.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Windows Mail\en-US\msoeres.dll.mui	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\PREVIEW.GIF	__________ 1 +__________.scr
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lindeman	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0090386.WMF	__________ 1 +__________.scr
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MUOPTIN.DLL.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.ELM.id-E4458C87.[help@x-mail.pro].combo	__________ 1 +__________.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1956 vssadmin.exe
1836 vssadmin.exe

pid	process
1956	vssadmin.exe
1836	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

__________ 1 +__________.scr__________ 1 +__________.scr

pid	process
1976	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr
1328	__________ 1 +__________.scr

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 1104 vssvc.exe
Token: SeRestorePrivilege 1104 vssvc.exe
Token: SeAuditPrivilege 1104 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	1104	vssvc.exe
Token: SeRestorePrivilege	1104	vssvc.exe
Token: SeAuditPrivilege	1104	vssvc.exe

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

__________ 1 +__________.scr__________ 1 +__________.scrcmd.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr
PID 1976 wrote to memory of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr
PID 1976 wrote to memory of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr
PID 1976 wrote to memory of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr
PID 1976 wrote to memory of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr
PID 1976 wrote to memory of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr
PID 1976 wrote to memory of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr
PID 1976 wrote to memory of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr
PID 1976 wrote to memory of 1328	1976	__________ 1 +__________.scr	__________ 1 +__________.scr
PID 1328 wrote to memory of 1012	1328	__________ 1 +__________.scr	cmd.exe
PID 1328 wrote to memory of 1012	1328	__________ 1 +__________.scr	cmd.exe
PID 1328 wrote to memory of 1012	1328	__________ 1 +__________.scr	cmd.exe
PID 1328 wrote to memory of 1012	1328	__________ 1 +__________.scr	cmd.exe
PID 1012 wrote to memory of 592	1012	cmd.exe	mode.com
PID 1012 wrote to memory of 592	1012	cmd.exe	mode.com
PID 1012 wrote to memory of 592	1012	cmd.exe	mode.com
PID 1012 wrote to memory of 1836	1012	cmd.exe	vssadmin.exe
PID 1012 wrote to memory of 1836	1012	cmd.exe	vssadmin.exe
PID 1012 wrote to memory of 1836	1012	cmd.exe	vssadmin.exe
PID 1328 wrote to memory of 1196	1328	__________ 1 +__________.scr	cmd.exe
PID 1328 wrote to memory of 1196	1328	__________ 1 +__________.scr	cmd.exe
PID 1328 wrote to memory of 1196	1328	__________ 1 +__________.scr	cmd.exe
PID 1328 wrote to memory of 1196	1328	__________ 1 +__________.scr	cmd.exe
PID 1196 wrote to memory of 468	1196	cmd.exe	mode.com
PID 1196 wrote to memory of 468	1196	cmd.exe	mode.com
PID 1196 wrote to memory of 468	1196	cmd.exe	mode.com
PID 1196 wrote to memory of 1956	1196	cmd.exe	vssadmin.exe
PID 1196 wrote to memory of 1956	1196	cmd.exe	vssadmin.exe
PID 1196 wrote to memory of 1956	1196	cmd.exe	vssadmin.exe
PID 1328 wrote to memory of 1736	1328	__________ 1 +__________.scr	mshta.exe
PID 1328 wrote to memory of 1736	1328	__________ 1 +__________.scr	mshta.exe
PID 1328 wrote to memory of 1736	1328	__________ 1 +__________.scr	mshta.exe
PID 1328 wrote to memory of 1736	1328	__________ 1 +__________.scr	mshta.exe
PID 1328 wrote to memory of 1200	1328	__________ 1 +__________.scr	mshta.exe
PID 1328 wrote to memory of 1200	1328	__________ 1 +__________.scr	mshta.exe
PID 1328 wrote to memory of 1200	1328	__________ 1 +__________.scr	mshta.exe
PID 1328 wrote to memory of 1200	1328	__________ 1 +__________.scr	mshta.exe

C:\Users\Admin\AppData\Local\Temp\__________ 1 +__________.scr
"C:\Users\Admin\AppData\Local\Temp\__________ 1 +__________.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\__________ 1 +__________.scr
"C:\Users\Admin\AppData\Local\Temp\__________ 1 +__________.scr"
2⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:592

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1836

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:468

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1956

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
- Modifies Internet Explorer settings
PID:1736

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
- Modifies Internet Explorer settings
PID:1200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
5b9444a4edd1b9d88955c8de49a87328

SHA1
7f4606f52f7f6529e8642d5217fdaccfd22c6df6

SHA256
65cb17358c9c02f69e77fbd2867ad13e9cb8455aae82c75840dfdd209c531eeb

SHA512
e55ba0442002d91981228679d3aff6fc364e996ed937b1cc7e6cc5303ef90835985e9cbee66d203e970209f8b4589ad3d5adfb950339d7bf8f6e2c5a21a8cf86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
5b9444a4edd1b9d88955c8de49a87328

SHA1
7f4606f52f7f6529e8642d5217fdaccfd22c6df6

SHA256
65cb17358c9c02f69e77fbd2867ad13e9cb8455aae82c75840dfdd209c531eeb

SHA512
e55ba0442002d91981228679d3aff6fc364e996ed937b1cc7e6cc5303ef90835985e9cbee66d203e970209f8b4589ad3d5adfb950339d7bf8f6e2c5a21a8cf86

Download Submit
memory/468-75-0x0000000000000000-mapping.dmp

Download
memory/592-70-0x0000000000000000-mapping.dmp

Download
memory/1012-69-0x0000000000000000-mapping.dmp

Download
memory/1196-74-0x0000000000000000-mapping.dmp

Download
memory/1200-99-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Filesize
64KB

Download
memory/1200-79-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmp

Filesize
8KB

Download
memory/1200-78-0x0000000000000000-mapping.dmp

Download
memory/1328-64-0x000000000040A9D0-mapping.dmp

Download
memory/1328-68-0x0000000076A21000-0x0000000076A23000-memory.dmp

Filesize
8KB

Download
memory/1328-63-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1328-67-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1328-71-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1328-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1328-72-0x00000000008D0000-0x000000000093E200-memory.dmp

Filesize
440KB

Download
memory/1328-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1328-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1328-61-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1736-77-0x0000000000000000-mapping.dmp

Download
memory/1836-73-0x0000000000000000-mapping.dmp

Download
memory/1956-76-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x00000000008D0000-0x000000000093E200-memory.dmp

Filesize
440KB

Download
memory/1976-65-0x00000000008D0000-0x000000000093E200-memory.dmp

Filesize
440KB

Download
memory/1976-55-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads