dharma | 7ae4167445cef80f080de5b84c6490a61c1834aa1e05fce43e611c5d054da858

Analysis

max time kernel
7s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3/5df6314b5c6f6bd151a5fda104d32655c5b.exe
Size

4.5MB
MD5

407ba61bab1c10cabf0b5a7c40d43041
SHA1

82d180dc50763c6a71f8449ef44e467afbc09e74
SHA256

5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3
SHA512

73bd51f5885587ec5c930d4ab0cd543b9b0479304c4a3c03d73abdd7b064a2ec4e8b01af45f7517072ce12daa2cfb679589603060438bfafa331a0b66b926f4a
SSDEEP

98304:BD9WybBsIt6XW7JD9ENTPZsz3yilw5OLEvvybN/aBDPsfut6e:BxWaBhP719CCzC2EO4vvyb5a1mu0e

Score

10^/10

dharma evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail nztz@tuta.io Write this ID in the title of your message 9754C293 In case of no answer in 24 hours write us to theese e-mails: nztz@tuta.io You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

nztz@tuta.io

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5df6314b5c6f6bd151a5fda104d32655c5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Drops startup file 1 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5df6314b5c6f6bd151a5fda104d32655c5b.exe	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine 5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5df6314b5c6f6bd151a5fda104d32655c5b.exe = "C:\\Windows\\System32\\5df6314b5c6f6bd151a5fda104d32655c5b.exe"	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3803511929-1339359695-2191195476-1000\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Drops file in System32 directory 1 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description ioc process

File created C:\Windows\System32\5df6314b5c6f6bd151a5fda104d32655c5b.exe 5df6314b5c6f6bd151a5fda104d32655c5b.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

pid process

3156 5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
File created	C:\Windows\System32\5df6314b5c6f6bd151a5fda104d32655c5b.exe	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Drops file in Program Files directory 64 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\netstandard.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.FileSystem.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.NetworkInformation.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Linq.Expressions.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.Tasks.Parallel.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-fibers-l1-1-0.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-util-l1-1-0.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.TextWriterTraceListener.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\LICENSE.txt.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\dbgshim.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Globalization.Extensions.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-filesystem-l1-1-0.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.VisualBasic.Core.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.Win32.Primitives.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.Win32.Registry.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcor.dll.mui	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-conio-l1-1-0.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.CSharp.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Data.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.TraceSource.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Pipes.AccessControl.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.FileSystem.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-localization-l1-2-0.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Reflection.TypeExtensions.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Threading.ThreadPool.dll.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt.id-9754C293.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

5836 vssadmin.exe
1432 vssadmin.exe

pid	process
5836	vssadmin.exe
1432	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

pid	process
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe
3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.execmd.exe

description	pid	process	target process
PID 3156 wrote to memory of 1752	3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 3156 wrote to memory of 1752	3156	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 1752 wrote to memory of 1060	1752	cmd.exe	mode.com
PID 1752 wrote to memory of 1060	1752	cmd.exe	mode.com

C:\Users\Admin\AppData\Local\Temp\5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3\5df6314b5c6f6bd151a5fda104d32655c5b.exe
"C:\Users\Admin\AppData\Local\Temp\5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3\5df6314b5c6f6bd151a5fda104d32655c5b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:1060

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5836

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:6628

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:6660

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:6096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6104

C:\Windows\system32\mode.com
mode con cp select=1251
1⤵
PID:5624

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-9754C293.[nztz@tuta.io].bip
Filesize
1.4MB

MD5
e946756aa0c3512ec9ed4674abac2df4

SHA1
7b2a252f444241adf7969849076bc923835940b1

SHA256
2a626fd6307c2294c019c677c577a797d16118f58505258c5c84db9a04353dd5

SHA512
1cfebf8ecc444409860035ffab878333f6883479c8acc0068dbe6368805b0889857ad466cbf19102806165c0942ef9efaaa2ef84ab538685fc27cb049fd0b325

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
3ea272f7d7ed3f33c7df670c7af9b6ec

SHA1
8d70e9f53305d0dede46b783a5d4147875d5d10f

SHA256
09f1ffe1bc924e1ed2881324a2e7fd822c25fcea88faadd34ecf8e825f158008

SHA512
b512ea135069ad381ecacbde3b04d34f0a0a7d884711ac3919cc765b05b620f372acfecef4f6637e04dc77d6c934c4706616b5cb513bc932e2c6af577e9843e2

Download Submit
memory/3156-0-0x0000000000400000-0x0000000000B54000-memory.dmp

Filesize
7.3MB

Download
memory/3156-1-0x0000000077114000-0x0000000077116000-memory.dmp

Filesize
8KB

Download
memory/3156-6-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/3156-5-0x0000000000400000-0x0000000000B54000-memory.dmp

Filesize
7.3MB

Download
memory/3156-5277-0x0000000000400000-0x0000000000B54000-memory.dmp

Filesize
7.3MB

Download