dharma | 5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22

General

Target

2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
Size

92KB
MD5

0197eb32a39518adbc118ec0559a395c
SHA1

c81f411cb16e5692f7ea92eebb7f4120e4ad4129
SHA256

5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22
SHA512

97402aa309817bb12aa016b5d151158d3ea6bd5aee153ac726e66fda25f61e4dd6ae9a1274daba4eaab0a253bad3d38af2a04012cba0bdb9af0ef5ce209559d5
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4AR2DAQHPPyHn2OzT3R46F7pcwwTXO:Qw+asqN5aW/hL+v+Xl7l

Score

10^/10

dharma persistence ransomware

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All your files have been encrypted! Don't worry, you can return all your files! If you want to restore them, write to the mail: aerossh@cock.li YOUR ID aerossh@proton.me Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

aerossh@cock.li

aerossh@proton.me

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe = "C:\\Windows\\System32\\2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe"	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3601492379-692465709-652514833-1000\desktop.ini	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\desktop.ini	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

Drops file in System32 directory 1 IoCs

Processes:

2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

description	ioc	process
File created	C:\Windows\System32\2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Parity.fx	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Filters.xml	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\imjplm.dll	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOLoader.dll.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\softedges.png	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msaddsr.dll	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoCanary.png.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jawt_md.h.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\content-background.png	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.id-68DA4445.[aerossh@nerdmail.co].AeR	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2796 vssadmin.exe
2468 vssadmin.exe

pid	process
2796	vssadmin.exe
2468	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

pid	process
2104	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
2104	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
2104	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
2104	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2816 vssvc.exe
Token: SeRestorePrivilege 2816 vssvc.exe
Token: SeAuditPrivilege 2816 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	2816	vssvc.exe
Token: SeAuditPrivilege	2816	vssvc.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.execmd.exe

description	pid	process	target process
PID 2104 wrote to memory of 2976	2104	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe	cmd.exe
PID 2104 wrote to memory of 2976	2104	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe	cmd.exe
PID 2104 wrote to memory of 2976	2104	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe	cmd.exe
PID 2104 wrote to memory of 2976	2104	2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe	cmd.exe
PID 2976 wrote to memory of 2828	2976	cmd.exe	mode.com
PID 2976 wrote to memory of 2828	2976	cmd.exe	mode.com
PID 2976 wrote to memory of 2828	2976	cmd.exe	mode.com
PID 2976 wrote to memory of 2796	2976	cmd.exe	vssadmin.exe
PID 2976 wrote to memory of 2796	2976	cmd.exe	vssadmin.exe
PID 2976 wrote to memory of 2796	2976	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-11_0197eb32a39518adbc118ec0559a395c_crysis_dharma.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2828

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2796

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:1880

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2468

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:3296

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:1264

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
PID:1532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-68DA4445.[aerossh@nerdmail.co].AeR
Filesize
4.3MB

MD5
e7427e30a257b203f98709bd8ade0658

SHA1
a5f3d1e96a7ddf709b3b9752c99beefcd436b94b

SHA256
0ec5cd8c7d2aa80a44a942b2dda5f10a28254e08dc867d9577a11ef86f9cd125

SHA512
cb6796f4f9e98f67778719bc5428704bb10300f35ac79a3a58a42f00e9f7f617866418ccbcb8f9bc5145de9795e57755f4545b45ec484f71b5e4700b2029e190

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
4KB

MD5
6866c872235e557d932fdee1e0184a02

SHA1
905ece293d7cab83e758b89ab3143fdf77532ae0

SHA256
5e72c55de7766b0566f7565537407a761cbd8e450edc3e70919c9b29469eb86e

SHA512
2c79ae4f71991518813ea6f2e61c39fc0da3359986c1482f29d79448e039b63d000205d4b028eb2dc48c23ef3a6732179a40a9959ac2fc416e05cbe58926383f

Download Submit
memory/1532-20254-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads