dharma | 7ae4167445cef80f080de5b84c6490a61c1834aa1e05fce43e611c5d054da858

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3/5df6314b5c6f6bd151a5fda104d32655c5b.exe
Size

4.5MB
MD5

407ba61bab1c10cabf0b5a7c40d43041
SHA1

82d180dc50763c6a71f8449ef44e467afbc09e74
SHA256

5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3
SHA512

73bd51f5885587ec5c930d4ab0cd543b9b0479304c4a3c03d73abdd7b064a2ec4e8b01af45f7517072ce12daa2cfb679589603060438bfafa331a0b66b926f4a
SSDEEP

98304:BD9WybBsIt6XW7JD9ENTPZsz3yilw5OLEvvybN/aBDPsfut6e:BxWaBhP719CCzC2EO4vvyb5a1mu0e

Score

10^/10

dharma evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail nztz@tuta.io Write this ID in the title of your message CE303D24 In case of no answer in 24 hours write us to theese e-mails: nztz@tuta.io You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

nztz@tuta.io

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5df6314b5c6f6bd151a5fda104d32655c5b.exe
Renames multiple (314) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5df6314b5c6f6bd151a5fda104d32655c5b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Drops startup file 5 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5df6314b5c6f6bd151a5fda104d32655c5b.exe	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine 5df6314b5c6f6bd151a5fda104d32655c5b.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5df6314b5c6f6bd151a5fda104d32655c5b.exe = "C:\\Windows\\System32\\5df6314b5c6f6bd151a5fda104d32655c5b.exe"	5df6314b5c6f6bd151a5fda104d32655c5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	5df6314b5c6f6bd151a5fda104d32655c5b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2WD6IYSB\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TQO7542V\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OZ66ZEGB\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MAOUTFV0\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52FOIFWV\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Drops file in System32 directory 2 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
File created	C:\Windows\System32\5df6314b5c6f6bd151a5fda104d32655c5b.exe	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Windows\System32\Info.hta	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

pid process

1792 5df6314b5c6f6bd151a5fda104d32655c5b.exe

Drops file in Program Files directory 64 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\WMPDMC.exe.mui	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\libarchive_plugin.dll.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185774.WMF	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\RM.DLL.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\11.png	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00306_.WMF	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Maroon.css.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01292_.GIF.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEMS.ICO	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297269.WMF	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8F.GIF	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\RenameSkip.pcx.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_choosefont.gif	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107456.WMF.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR51B.GIF.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXC.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213243.WMF.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\soundcloud.luac	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\background.gif.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32B.GIF.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSClientManifest.man	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_plain_Thumbnail.bmp	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECURE.CFG	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN054.XML	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21535_.GIF	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libadpcm_plugin.dll	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG	5df6314b5c6f6bd151a5fda104d32655c5b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS.HXS.id-CE303D24.[nztz@tuta.io].bip	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2796 vssadmin.exe
2680 vssadmin.exe

pid	process
2796	vssadmin.exe
2680	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.exe

pid	process
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe
1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2600 vssvc.exe
Token: SeRestorePrivilege 2600 vssvc.exe
Token: SeAuditPrivilege 2600 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2600	vssvc.exe
Token: SeRestorePrivilege	2600	vssvc.exe
Token: SeAuditPrivilege	2600	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5df6314b5c6f6bd151a5fda104d32655c5b.execmd.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 2480	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 1792 wrote to memory of 2480	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 1792 wrote to memory of 2480	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 1792 wrote to memory of 2480	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 2480 wrote to memory of 1812	2480	cmd.exe	mode.com
PID 2480 wrote to memory of 1812	2480	cmd.exe	mode.com
PID 2480 wrote to memory of 1812	2480	cmd.exe	mode.com
PID 2480 wrote to memory of 2796	2480	cmd.exe	vssadmin.exe
PID 2480 wrote to memory of 2796	2480	cmd.exe	vssadmin.exe
PID 2480 wrote to memory of 2796	2480	cmd.exe	vssadmin.exe
PID 1792 wrote to memory of 1652	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 1792 wrote to memory of 1652	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 1792 wrote to memory of 1652	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 1792 wrote to memory of 1652	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	cmd.exe
PID 1652 wrote to memory of 3888	1652	cmd.exe	mode.com
PID 1652 wrote to memory of 3888	1652	cmd.exe	mode.com
PID 1652 wrote to memory of 3888	1652	cmd.exe	mode.com
PID 1652 wrote to memory of 2680	1652	cmd.exe	vssadmin.exe
PID 1652 wrote to memory of 2680	1652	cmd.exe	vssadmin.exe
PID 1652 wrote to memory of 2680	1652	cmd.exe	vssadmin.exe
PID 1792 wrote to memory of 3256	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	mshta.exe
PID 1792 wrote to memory of 3256	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	mshta.exe
PID 1792 wrote to memory of 3256	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	mshta.exe
PID 1792 wrote to memory of 3256	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	mshta.exe
PID 1792 wrote to memory of 3372	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	mshta.exe
PID 1792 wrote to memory of 3372	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	mshta.exe
PID 1792 wrote to memory of 3372	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	mshta.exe
PID 1792 wrote to memory of 3372	1792	5df6314b5c6f6bd151a5fda104d32655c5b.exe	mshta.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3\5df6314b5c6f6bd151a5fda104d32655c5b.exe
"C:\Users\Admin\AppData\Local\Temp\5df6314b5c6f6bd151a5fda104d32655c5bd8153be922b80069b22f1c1de9db3\5df6314b5c6f6bd151a5fda104d32655c5b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:3256

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:3372

C:\Windows\system32\mode.com
mode con cp select=1251
1⤵
PID:1812

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2796

C:\Windows\system32\mode.com
mode con cp select=1251
1⤵
PID:3888

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2680

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-CE303D24.[nztz@tuta.io].bip
Filesize
2.0MB

MD5
035787671e2bb43ea8b4e442717a829c

SHA1
4bc73e2d2f2eac14a29ce2f9623c5e29cadb40b2

SHA256
e187e1448ba2d84150dfbde0d9a474814b6fbb5f29562c49aea2501293cff3b4

SHA512
df5baee054747cafeec9a01ae51abcf3c7af2a78f73e2903deff05062dd7a26e04a4e8b0ff04473c77e0c944c3dc2128b610c13bbc70184e918e4105e1d56162

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
38864ff9c022b74cbd17765b791a967a

SHA1
ab54266251358643d4a99937e50f9dee8555a67f

SHA256
ac4b10173ce3d701b7f17f9171f2322a9b6d2915edd5ee00130042961ebc5c5a

SHA512
dba43b08b9db1267dc033635290edb0e970403f546198d8a22b75cfb6d7c6bd9ab8facd1f852a17922867b723e5c8c9a28827b2405a416a31f1039668579bede

Download Submit
memory/1792-0-0x0000000000400000-0x0000000000B54000-memory.dmp

Filesize
7.3MB

Download
memory/1792-1-0x0000000077C20000-0x0000000077C22000-memory.dmp

Filesize
8KB

Download
memory/1792-8-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1792-7-0x0000000000400000-0x0000000000B54000-memory.dmp

Filesize
7.3MB

Download
memory/1792-11017-0x0000000000400000-0x0000000000B54000-memory.dmp

Filesize
7.3MB

Download
memory/3372-20223-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads