Analysis
-
max time kernel
150s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-09-2024 13:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ja.salivan.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
Behavioral task
behavioral2
Sample
ja.salivan.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
ja.salivan.exe
-
Size
92KB
-
MD5
f25b8c72c61c734bbf4ee7cbffda3d48
-
SHA1
5b725dbebfd73c95067cc40c904dd981a5f1ce22
-
SHA256
ce371f9f9c2446ca5d84e5df4bd8562247c198310b81e577fa4afc2398795438
-
SHA512
e63183995e9e3950790266f71130fcabe3d4e9d7e270b1f72116323e16f31a6f51a4d96d268dbc1fdc3ad2375ad20e7dc0b1572a5a7bedb54209afc3dcb7d8d8
-
SSDEEP
1536:mBwl+KXpsqN5vlwWYyhY9S4A5qERXCE5uodtYr2I41:Qw+asqN5aW/hLn9Ry6bC2f1
Malware Config
Extracted
Path
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Ransom Note
All your files have been encrypted!
Don't worry, you can return all your files!
If you want to restore them, write to the mail: [email protected] YOUR ID
[email protected]
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (321) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta ja.salivan.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ja.salivan.exe ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini ja.salivan.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-45D95749.[[email protected]].ior ja.salivan.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ja.salivan.exe = "C:\\Windows\\System32\\ja.salivan.exe" ja.salivan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" ja.salivan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" ja.salivan.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Documents\desktop.ini ja.salivan.exe File opened for modification C:\Users\Public\Desktop\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini ja.salivan.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini ja.salivan.exe File opened for modification C:\Program Files\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OBDG6J46\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini ja.salivan.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI ja.salivan.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MX1BY2FD\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini ja.salivan.exe File opened for modification C:\Users\Public\Libraries\desktop.ini ja.salivan.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini ja.salivan.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini ja.salivan.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Videos\desktop.ini ja.salivan.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini ja.salivan.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GRU3FPRK\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TL381H8Y\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini ja.salivan.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini ja.salivan.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini ja.salivan.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini ja.salivan.exe File opened for modification C:\Users\Public\Documents\desktop.ini ja.salivan.exe File opened for modification C:\Users\Public\desktop.ini ja.salivan.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini ja.salivan.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini ja.salivan.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Music\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YFS4OGJW\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Links\desktop.ini ja.salivan.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini ja.salivan.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini ja.salivan.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini ja.salivan.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X9WSUL7T\desktop.ini ja.salivan.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini ja.salivan.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini ja.salivan.exe File opened for modification C:\Users\Public\Videos\desktop.ini ja.salivan.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini ja.salivan.exe File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini ja.salivan.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini ja.salivan.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini ja.salivan.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini ja.salivan.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYYHNCRR\desktop.ini ja.salivan.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini ja.salivan.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\ja.salivan.exe ja.salivan.exe File created C:\Windows\System32\Info.hta ja.salivan.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\ACTIVITY.CFG.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\THMBNAIL.PNG.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Java\jre7\lib\psfontj2d.properties.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\sentinel ja.salivan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02252_.WMF ja.salivan.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png ja.salivan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\msitss55.dll.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18236_.WMF.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum ja.salivan.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01746_.GIF.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml ja.salivan.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00833_.WMF.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Java\jre7\bin\server\Xusage.txt ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\weblink.api.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationBuildTasks.resources.dll ja.salivan.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp ja.salivan.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Monrovia.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe ja.salivan.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00157_.WMF.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF ja.salivan.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui ja.salivan.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241773.WMF.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSTYLE.DLL.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\oisctrl.dll.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00726_.WMF ja.salivan.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\WT61FR.LEX ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg ja.salivan.exe File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\SYMBOL.TXT.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00629_.WMF.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\HORN.WAV.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif ja.salivan.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\PersonalMonthlyBudget.xltx.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Conversion.v3.5.resources.dll ja.salivan.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0335112.WMF.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Program Files\Mozilla Firefox\install.log.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.UK.XML.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png ja.salivan.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_zh_4.4.0.v20140623020002.jar.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Program Files\Java\jre7\lib\zi\CST6CDT.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115856.GIF.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECS.ICO.id-45D95749.[[email protected]].ior ja.salivan.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Elegant.dotx.id-45D95749.[[email protected]].ior ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html ja.salivan.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Utilities.v3.5.dll ja.salivan.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF ja.salivan.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html ja.salivan.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ja.salivan.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2692 vssadmin.exe 1032 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe 2252 ja.salivan.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1268 vssvc.exe Token: SeRestorePrivilege 1268 vssvc.exe Token: SeAuditPrivilege 1268 vssvc.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2252 wrote to memory of 1160 2252 ja.salivan.exe 29 PID 2252 wrote to memory of 1160 2252 ja.salivan.exe 29 PID 2252 wrote to memory of 1160 2252 ja.salivan.exe 29 PID 2252 wrote to memory of 1160 2252 ja.salivan.exe 29 PID 1160 wrote to memory of 2712 1160 cmd.exe 31 PID 1160 wrote to memory of 2712 1160 cmd.exe 31 PID 1160 wrote to memory of 2712 1160 cmd.exe 31 PID 1160 wrote to memory of 2692 1160 cmd.exe 32 PID 1160 wrote to memory of 2692 1160 cmd.exe 32 PID 1160 wrote to memory of 2692 1160 cmd.exe 32 PID 2252 wrote to memory of 1188 2252 ja.salivan.exe 36 PID 2252 wrote to memory of 1188 2252 ja.salivan.exe 36 PID 2252 wrote to memory of 1188 2252 ja.salivan.exe 36 PID 2252 wrote to memory of 1188 2252 ja.salivan.exe 36 PID 1188 wrote to memory of 1640 1188 cmd.exe 38 PID 1188 wrote to memory of 1640 1188 cmd.exe 38 PID 1188 wrote to memory of 1640 1188 cmd.exe 38 PID 1188 wrote to memory of 1032 1188 cmd.exe 39 PID 1188 wrote to memory of 1032 1188 cmd.exe 39 PID 1188 wrote to memory of 1032 1188 cmd.exe 39 PID 2252 wrote to memory of 2860 2252 ja.salivan.exe 41 PID 2252 wrote to memory of 2860 2252 ja.salivan.exe 41 PID 2252 wrote to memory of 2860 2252 ja.salivan.exe 41 PID 2252 wrote to memory of 2860 2252 ja.salivan.exe 41 PID 2252 wrote to memory of 1288 2252 ja.salivan.exe 42 PID 2252 wrote to memory of 1288 2252 ja.salivan.exe 42 PID 2252 wrote to memory of 1288 2252 ja.salivan.exe 42 PID 2252 wrote to memory of 1288 2252 ja.salivan.exe 42 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ja.salivan.exe"C:\Users\Admin\AppData\Local\Temp\ja.salivan.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:2712
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2692
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\system32\mode.commode con cp select=12513⤵PID:1640
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1032
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
PID:2860
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
- Modifies Internet Explorer settings
PID:1288
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\osetup.dll.id-45D95749.[[email protected]].ior
Filesize6.3MB
MD5c06f7af763ba1208f685ed4cf701fe3c
SHA1112c496ca51b8e88635ae4a73b0a1524fcee89d9
SHA2565d812528fc3353fa17fb3acf3782b4615e6856365222da0a6cbbb135039118db
SHA512df15078c72c94609ee08c4f46dc96968c0c30a8cc7ea073fe38719545d20df5f240eff591abc196871bc3637e1e2cddc44891722096aca5f0d4ab32cbd8eb16a
-
Filesize
4KB
MD5d2471ec82976d951c50b7065301279db
SHA178afab048dd14de8298ff91a26db4832c5a5766b
SHA256e3c4d4b73bf1ebdbc14e19d1b1bac6b4664e8ffd62ea51fe47200ba3aaad5b8b
SHA512a15ecafcf75229eb0b64ddb78afaa9f5981b5ceefd4e63cbebdb92a627c3dd3051aefd0f5f90fdfa72033a69c926cb9fb4d43d2d877db288fe3a9675874517a8