dharma | 0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43

General

Target

payload.bin.exe
Size

92KB
MD5

a0dd1dfbac4b2aaed94b2065a9c9f30c
SHA1

b797000407eb333dc80777dd088204179b62fb5c
SHA256

0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43
SHA512

13949bcbd0a6d7efee4e466f9f8818bd4b0643f8bc1116cd302b9b72808dbe018e30aa36d1edd4474ebf590d5d29438247f391988b6b2b5a5188d79a47ae1229
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4AQp27xRgjGri0wEeKirLWP6d7cH:Qw+asqN5aW/hL+pwl2RsivPd

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

payload.bin.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\RegisterComplete.tiff payload.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RegisterComplete.tiff	payload.bin.exe

Drops startup file 5 IoCs

Processes:

payload.bin.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bin.exe	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	payload.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	payload.bin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

payload.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payload.bin.exe = "C:\\Windows\\System32\\payload.bin.exe"	payload.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	payload.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	payload.bin.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

payload.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZJ9QW42R\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	payload.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\77C45YYF\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8J80AB2T\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E01563NX\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	payload.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	payload.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	payload.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UVP2VCE7\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files\desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0P7N10G6\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	payload.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZA6WRM0K\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	payload.bin.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8KR51HKN\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	payload.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	payload.bin.exe

Drops file in System32 directory 2 IoCs

Processes:

payload.bin.exe

description ioc process

File created C:\Windows\System32\payload.bin.exe payload.bin.exe
File created C:\Windows\System32\Info.hta payload.bin.exe

description	ioc	process
File created	C:\Windows\System32\payload.bin.exe	payload.bin.exe
File created	C:\Windows\System32\Info.hta	payload.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

payload.bin.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.INI.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152882.WMF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0187423.WMF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR12F.GIF	payload.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_dummy_plugin.dll.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00687_.WMF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js	payload.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\content-types.properties	payload.bin.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLMAIL.FAE.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TWORIENT.DLL	payload.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234000.WMF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js	payload.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107492.WMF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp	payload.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	payload.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\main.css	payload.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02009_.WMF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar	payload.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_ja.jar.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG	payload.bin.exe
File created	C:\Program Files\7-Zip\7-zip.chm.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107300.WMF	payload.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lindeman.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf	payload.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll	payload.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jmx.jar.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKDECL.ICO	payload.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00428_.WMF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR45B.GIF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonUp_On.png	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00126_.GIF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_shmem.dll	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089992.WMF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21335_.GIF	payload.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00176_.GIF	payload.bin.exe
File created	C:\Program Files\Java\jre7\bin\WindowsAccessBridge-64.dll.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll.id-1BDE4858.[[email protected]].ccd	payload.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html	payload.bin.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF.id-1BDE4858.[[email protected]].ccd	payload.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

336 vssadmin.exe
2980 vssadmin.exe

pid	process
336	vssadmin.exe
2980	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

payload.bin.exe

pid	process
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe
1040	payload.bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 328 vssvc.exe
Token: SeRestorePrivilege 328 vssvc.exe
Token: SeAuditPrivilege 328 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	328	vssvc.exe
Token: SeRestorePrivilege	328	vssvc.exe
Token: SeAuditPrivilege	328	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

payload.bin.execmd.execmd.exe

description	pid	process	target process
PID 1040 wrote to memory of 1108	1040	payload.bin.exe	cmd.exe
PID 1040 wrote to memory of 1108	1040	payload.bin.exe	cmd.exe
PID 1040 wrote to memory of 1108	1040	payload.bin.exe	cmd.exe
PID 1040 wrote to memory of 1108	1040	payload.bin.exe	cmd.exe
PID 1108 wrote to memory of 1032	1108	cmd.exe	mode.com
PID 1108 wrote to memory of 1032	1108	cmd.exe	mode.com
PID 1108 wrote to memory of 1032	1108	cmd.exe	mode.com
PID 1108 wrote to memory of 336	1108	cmd.exe	vssadmin.exe
PID 1108 wrote to memory of 336	1108	cmd.exe	vssadmin.exe
PID 1108 wrote to memory of 336	1108	cmd.exe	vssadmin.exe
PID 1040 wrote to memory of 2660	1040	payload.bin.exe	cmd.exe
PID 1040 wrote to memory of 2660	1040	payload.bin.exe	cmd.exe
PID 1040 wrote to memory of 2660	1040	payload.bin.exe	cmd.exe
PID 1040 wrote to memory of 2660	1040	payload.bin.exe	cmd.exe
PID 2660 wrote to memory of 2416	2660	cmd.exe	mode.com
PID 2660 wrote to memory of 2416	2660	cmd.exe	mode.com
PID 2660 wrote to memory of 2416	2660	cmd.exe	mode.com
PID 2660 wrote to memory of 2980	2660	cmd.exe	vssadmin.exe
PID 2660 wrote to memory of 2980	2660	cmd.exe	vssadmin.exe
PID 2660 wrote to memory of 2980	2660	cmd.exe	vssadmin.exe
PID 1040 wrote to memory of 2684	1040	payload.bin.exe	mshta.exe
PID 1040 wrote to memory of 2684	1040	payload.bin.exe	mshta.exe
PID 1040 wrote to memory of 2684	1040	payload.bin.exe	mshta.exe
PID 1040 wrote to memory of 2684	1040	payload.bin.exe	mshta.exe
PID 1040 wrote to memory of 1392	1040	payload.bin.exe	mshta.exe
PID 1040 wrote to memory of 1392	1040	payload.bin.exe	mshta.exe
PID 1040 wrote to memory of 1392	1040	payload.bin.exe	mshta.exe
PID 1040 wrote to memory of 1392	1040	payload.bin.exe	mshta.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\payload.bin.exe
"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1032

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:336

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2416

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2980

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2684

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:1392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id-1BDE4858.[[email protected]].ccd
Filesize
6.3MB

MD5
59d8b6914027e38ef362b0f4d0a13d77

SHA1
643db9dc90e4fa595193a6e76b6b141d6d3cff31

SHA256
39a8983a27112954804fbf08ed63db62aa1202a9cf1ea45aff6b24716d66a439

SHA512
e31e66522654c3c400225ef149ef7e68a58099ea96977d0ee8f1c37b09e12749eac5f9e4b9aee7fa3e7febef2fc4d9988b165c3c13ee2ce9bed8bd95fce33890

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
7KB

MD5
29b120e95da4b261808635e74909a078

SHA1
54a3a2818aa8d1551ffe57b06da130a6e43f8b8b

SHA256
5db5ab5e95a1bec4bceef4b785dbd3dd3f94ff0e94979b0a4a56957153aacee4

SHA512
be0e1ea236f785dde72dc631c7a4b2310a517b1d3dd7fa675fc8d713bda3780420dc2126cfb2e54c3f6e4ba3d929b6425d2838a130fbc48ba3bf916781de9838

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
7KB

MD5
29b120e95da4b261808635e74909a078

SHA1
54a3a2818aa8d1551ffe57b06da130a6e43f8b8b

SHA256
5db5ab5e95a1bec4bceef4b785dbd3dd3f94ff0e94979b0a4a56957153aacee4

SHA512
be0e1ea236f785dde72dc631c7a4b2310a517b1d3dd7fa675fc8d713bda3780420dc2126cfb2e54c3f6e4ba3d929b6425d2838a130fbc48ba3bf916781de9838

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads