Analysis
-
max time kernel
1199s -
max time network
844s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-11-2024 15:32
Static task
static1
Behavioral task
behavioral1
Sample
001.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
002.exe
Resource
win7-20241023-en
General
-
Target
001.exe
-
Size
626KB
-
MD5
cced409e95d6c2e44823381df3880d96
-
SHA1
724383fc11cca24495a5ee69737399520eb70483
-
SHA256
c435eb8911a3657f56dd5508c69f0c62120bd1af8d7a980ad840209c83828066
-
SHA512
42d1ddd7dbc7e1f8bd4aa639086eca6211e5cb0d2d2b309fe30e9f8ff687af8544c938ce019fbf690ea5b04f29e2802de0c5db7a9c493f4b9408ee638dd3ec33
-
SSDEEP
6144:U76K/3FjtoELNzbxL9ts4KxYbYToO3AOGq8aDZ8eGiCjFZ1efKHPQfbmg6F5frbs:U76K/3FvbftsebYTPMuZ1CfYfbmL3
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
3442516480@qq.com
1169309366@qq.com
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Dharma family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (311) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 5 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\001.exe 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 001.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta 001.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\001.exe = "C:\\Windows\\System32\\001.exe" 001.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" 001.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" 001.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini 001.exe File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini 001.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini 001.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MT4W94IX\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini 001.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 001.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 001.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 001.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini 001.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 001.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini 001.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 001.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 001.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 001.exe File opened for modification C:\Users\Public\Desktop\desktop.ini 001.exe File opened for modification C:\Users\Public\Videos\desktop.ini 001.exe File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini 001.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QMPQWRBT\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini 001.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 001.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 001.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI 001.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini 001.exe File opened for modification C:\Users\Public\desktop.ini 001.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGWF8QWZ\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini 001.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 001.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 001.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 001.exe File opened for modification C:\Users\Public\Pictures\desktop.ini 001.exe File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\39RANI6K\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini 001.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini 001.exe File opened for modification C:\Users\Public\Music\desktop.ini 001.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini 001.exe File opened for modification C:\Program Files (x86)\desktop.ini 001.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U3EGUGI8\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1DP8V76\desktop.ini 001.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 001.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini 001.exe File opened for modification C:\Users\Admin\Links\desktop.ini 001.exe File opened for modification C:\Users\Admin\Music\desktop.ini 001.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 001.exe File opened for modification C:\Users\Public\Documents\desktop.ini 001.exe File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini 001.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini 001.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini 001.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 001.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini 001.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\001.exe 001.exe File created C:\Windows\System32\Info.hta 001.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2644 set thread context of 2820 2644 001.exe 30 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\Java\jre7\lib\zi\Australia\Lindeman.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files (x86)\Microsoft Office\Office14\msaccess.exe.manifest.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt 001.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02071_.WMF.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\background.gif.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files\Java\jre7\lib\security\blacklist.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01293_.WMF.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_fr.dub.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\TWRECC.DLL.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSRTEDIT.DLL 001.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BDRTKFUL.POC.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\02_frenchtv.luac 001.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml 001.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar 001.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234001.WMF.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15132_.GIF.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll 001.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PAPER_01.MID.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239057.WMF 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287020.WMF 001.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSO.DLL.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WING2.WMF.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html 001.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_zh_CN.jar 001.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21348_.GIF.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR10F.GIF.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01242_.GIF.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo 001.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_dummy_plugin.dll 001.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png 001.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png 001.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Elemental.eftx.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN081.XML.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe 001.exe File opened for modification C:\Program Files\Windows NT\TableTextService\fr-FR\TableTextService.dll.mui 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183168.WMF 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21448_.GIF 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_COL.HXC.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15073_.GIF.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OWSSUPP.DLL 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU.XML.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui 001.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui 001.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187893.WMF.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\pkeyconfig.companion.dll 001.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos.id-328B9522.[3442516480@qq.com].pdf 001.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yekaterinburg.id-328B9522.[3442516480@qq.com].pdf 001.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\34.png 001.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 001.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 001.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1824 vssadmin.exe 3832 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe 2820 001.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeBackupPrivilege 1900 vssvc.exe Token: SeRestorePrivilege 1900 vssvc.exe Token: SeAuditPrivilege 1900 vssvc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 408 mshta.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2644 001.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2820 2644 001.exe 30 PID 2644 wrote to memory of 2820 2644 001.exe 30 PID 2644 wrote to memory of 2820 2644 001.exe 30 PID 2644 wrote to memory of 2820 2644 001.exe 30 PID 2644 wrote to memory of 2820 2644 001.exe 30 PID 2820 wrote to memory of 2872 2820 001.exe 31 PID 2820 wrote to memory of 2872 2820 001.exe 31 PID 2820 wrote to memory of 2872 2820 001.exe 31 PID 2820 wrote to memory of 2872 2820 001.exe 31 PID 2872 wrote to memory of 2588 2872 cmd.exe 33 PID 2872 wrote to memory of 2588 2872 cmd.exe 33 PID 2872 wrote to memory of 2588 2872 cmd.exe 33 PID 2872 wrote to memory of 1824 2872 cmd.exe 34 PID 2872 wrote to memory of 1824 2872 cmd.exe 34 PID 2872 wrote to memory of 1824 2872 cmd.exe 34 PID 2820 wrote to memory of 1992 2820 001.exe 38 PID 2820 wrote to memory of 1992 2820 001.exe 38 PID 2820 wrote to memory of 1992 2820 001.exe 38 PID 2820 wrote to memory of 1992 2820 001.exe 38 PID 1992 wrote to memory of 3140 1992 cmd.exe 40 PID 1992 wrote to memory of 3140 1992 cmd.exe 40 PID 1992 wrote to memory of 3140 1992 cmd.exe 40 PID 1992 wrote to memory of 3832 1992 cmd.exe 41 PID 1992 wrote to memory of 3832 1992 cmd.exe 41 PID 1992 wrote to memory of 3832 1992 cmd.exe 41 PID 2820 wrote to memory of 408 2820 001.exe 42 PID 2820 wrote to memory of 408 2820 001.exe 42 PID 2820 wrote to memory of 408 2820 001.exe 42 PID 2820 wrote to memory of 408 2820 001.exe 42 PID 2820 wrote to memory of 2880 2820 001.exe 43 PID 2820 wrote to memory of 2880 2820 001.exe 43 PID 2820 wrote to memory of 2880 2820 001.exe 43 PID 2820 wrote to memory of 2880 2820 001.exe 43 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\001.exe"C:\Users\Admin\AppData\Local\Temp\001.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\001.exeC:\Users\Admin\AppData\Local\Temp\001.exe2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\mode.commode con cp select=12514⤵PID:2588
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1824
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\system32\mode.commode con cp select=12514⤵PID:3140
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:3832
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
PID:408
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
- Modifies Internet Explorer settings
PID:2880
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-328B9522.[3442516480@qq.com].pdf
Filesize23.5MB
MD571f8ddd36b1146b4a93836033cab3992
SHA13ab7904cb2d1aa712c387a8910325bb55c2d5a19
SHA2563422e9f317ea83f1f4df5bdad5bde6fb4c1e4dc3c27c50b9d3bc82f695298aec
SHA512c4be62af02e3d65b2cddd65edfd92229de9c200687acfbc06fb1715ba9b0c2b03bb3018a30012438a5cfa2e5e6dc11fbfad48b3a40fc599540cefa44ecc7ef83
-
Filesize
13KB
MD5ca56c4073ea614f2896523670a46b513
SHA161081f2c7e4d356579f4d1168e78ebae286e798d
SHA25682f1ca82ba89e239340725b8a010e7b3668c539f55f7ae9d24b21a82814961d6
SHA5127cef01ca84581df9689d5cd184c2f1a78fd2b25fcdd4dd915e15876f743230b5c34602a7d2c4c9547335c7f22bcb51a05341c0bd43787e6e29f65609aa620a1e