dharma | 0fffd49f114e859b8609a8ea234340d76286e4a8d9741ffb3e42010a6d56c368

General

Target

575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
Size

92KB
MD5

029b9543eedadb6b07be801f6813dbaa
SHA1

f83b6342fb36b3b183aefd7755f29edc45915aa9
SHA256

575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4
SHA512

0a84a5d688a3972150f57093c7acdfb4e2195d56832114d45023b626498966bb2fe813c05de39463db75016bf461017a082ea8a317ada9bcbb2b7f13699ef6de
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4A6+bBqsG/HKF5K/bDAWtppZSS:Qw+asqN5aW/hL7A6KjsopZN

Score

10^/10

dharma persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

All FILES ENCRYPTED "RSA1024" All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL offtitan@protonmail.com IN THE LETTER WRITE YOUR ID, YOUR ID D01450D7 IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: offtitan@cock.li YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL FREE DECRYPTION FOR PROOF You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) DECRYPTION PROCESS: When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you: 1. Decryption program. 2. Detailed instruction for decryption. 3. And individual keys for decrypting your files. !WARNING! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

offtitan@protonmail.com

offtitan@cock.li

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 5 IoCs

Processes:

575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe = "C:\\Windows\\System32\\575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe"	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1MQ01HTG\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FA862KXF\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P1KETFJO\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F5ZW0CRZ\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IF692Q5Y\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P56GQFE8\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

Drops file in System32 directory 2 IoCs

Processes:

575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

description	ioc	process
File created	C:\Windows\System32\575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Windows\System32\Info.hta	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

Drops file in Program Files directory 64 IoCs

Processes:

575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OSPP.HTM	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBEMAIL.POC	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Maputo	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00466_.WMF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ACEDAO.DLL.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04117_.WMF	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\STINTL.DLL	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-8.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01304G.GIF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251925.WMF	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01572_.WMF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Monaco.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR14F.GIF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\XLMACRO.CHM.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLJRNL.FAE.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\PhotoBase.dll	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEM.CFG.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\main.css	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BORDERBB.POC	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102002.WMF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_F_COL.HXK.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemux_chromecast_plugin.dll.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00482_.WMF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285360.WMF	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL093.XML.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\wsdetect.dll	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSCONFIG.CHM.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\Accra.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\RSSFeeds.css	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01238_.GIF.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15275_.GIF	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif.id-D01450D7.[offtitan@protonmail.com].bat	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2736 vssadmin.exe
1816 vssadmin.exe

pid	process
2736	vssadmin.exe
1816	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

pid	process
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2712 vssvc.exe
Token: SeRestorePrivilege 2712 vssvc.exe
Token: SeAuditPrivilege 2712 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.execmd.execmd.exe

description	pid	process	target process
PID 2488 wrote to memory of 2212	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	cmd.exe
PID 2488 wrote to memory of 2212	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	cmd.exe
PID 2488 wrote to memory of 2212	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	cmd.exe
PID 2488 wrote to memory of 2212	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	cmd.exe
PID 2212 wrote to memory of 2548	2212	cmd.exe	mode.com
PID 2212 wrote to memory of 2548	2212	cmd.exe	mode.com
PID 2212 wrote to memory of 2548	2212	cmd.exe	mode.com
PID 2212 wrote to memory of 2736	2212	cmd.exe	vssadmin.exe
PID 2212 wrote to memory of 2736	2212	cmd.exe	vssadmin.exe
PID 2212 wrote to memory of 2736	2212	cmd.exe	vssadmin.exe
PID 2488 wrote to memory of 3548	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	cmd.exe
PID 2488 wrote to memory of 3548	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	cmd.exe
PID 2488 wrote to memory of 3548	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	cmd.exe
PID 2488 wrote to memory of 3548	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	cmd.exe
PID 3548 wrote to memory of 4392	3548	cmd.exe	mode.com
PID 3548 wrote to memory of 4392	3548	cmd.exe	mode.com
PID 3548 wrote to memory of 4392	3548	cmd.exe	mode.com
PID 3548 wrote to memory of 1816	3548	cmd.exe	vssadmin.exe
PID 3548 wrote to memory of 1816	3548	cmd.exe	vssadmin.exe
PID 3548 wrote to memory of 1816	3548	cmd.exe	vssadmin.exe
PID 2488 wrote to memory of 1496	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	mshta.exe
PID 2488 wrote to memory of 1496	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	mshta.exe
PID 2488 wrote to memory of 1496	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	mshta.exe
PID 2488 wrote to memory of 1496	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	mshta.exe
PID 2488 wrote to memory of 2328	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	mshta.exe
PID 2488 wrote to memory of 2328	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	mshta.exe
PID 2488 wrote to memory of 2328	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	mshta.exe
PID 2488 wrote to memory of 2328	2488	575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe	mshta.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe
"C:\Users\Admin\AppData\Local\Temp\575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:2548

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2736

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\mode.com
mode con cp select=1251
3⤵
PID:4392

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1816

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:1496

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id-D01450D7.[offtitan@protonmail.com].bat
Filesize
143.1MB

MD5
27fb29aeb86e1af6b26ac93c932704eb

SHA1
3e5bbec68cae4f97fda2694cd73fbdd18d1bd0e5

SHA256
3fa6e6ec72805a309e2d8e6a7c86e93c2bf7ad0183e7f7d8ae57be281781fe34

SHA512
42265dca7781979c878b5219cf08ccc86dd4a7bf3d29391a6ae57b781f535b258788a6c17653bf68fe8ce9029394f39a825f6b9d098e2f37c57cd0952cbf3049

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize
13KB

MD5
d4384c2e8929d970f573719d8f7c1376

SHA1
4247ed492b5b047371992e2f19f4d407b72dea0a

SHA256
c8c2d1bca9d6a74cdb80e4b3b56f07ef0f6bfa2e8fd43c828d3694093aa0eeea

SHA512
5e3d50bde6a1542f5f1c081e4f332b8d512f595f935d5c0d47020ddf23737e58c18563e6191bcb573f3a2ebbf3771a181b06a0152d51608553aa5bf05f9cfc05

Download Submit
memory/1496-20253-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads