Overview

Analysis
max time kernel: 136s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 13:09

Behavioral tasks
All 32 tasks ran on windows7-x64. Score is the sandbox score shown beside each task in the overview; Resource is the VM image the task ran on. The $PLUGINSDIR/... entries are NSIS installer plugin DLLs carved out of a submitted installer.

Task | Sample | Score | Resource
behavioral1 | 0c3b09213f642af5d6bca1708d167052f7fe198e5eced0e78584d8eb910b8d3c.exe | 10 | win7-20240708-en
behavioral2 | 0dab0428b414b0440288a12fbc20dab72339ef72ff5859e8c18d76dd8b169f50.exe | 8 | win7-20241010-en
behavioral3 | 14d09a259f72569f309fdd7bc14519753d01016706c7b9335a215b2d0b64c632.exe | 10 | win7-20241010-en
behavioral4 | 16c49d677559071b3fc71fb4bb1a3c85cdcf7c4c27454010f69bb0bd04b1c456.exe | 10 | win7-20240708-en
behavioral5 | 1d241bd0b71408abcf11871a9318cbfcd925b195814951c3123abca27554c6f4.exe | 7 | win7-20240708-en
behavioral6 | 2.exe | 9 | win7-20241010-en
behavioral7 | 287a6b75d1776f89502a1fd0ec571adebff878becb0ebdcec703e8fc6e3885ad.exe | 6 | win7-20240903-en
behavioral8 | 35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282.exe | 10 | win7-20241023-en
behavioral9 | 39deb2f02fee04a430cff446b35b0984a66b563552775eb1309d35acca3a209f.exe | 10 | win7-20240903-en
behavioral10 | 4.exe | 8 | win7-20240903-en
behavioral11 | 4a0f399840bb73f3b70d4461ec1a37cffcb3e4789c876042d133ed903c5d9333.exe | 7 | win7-20240708-en
behavioral12 | 5.exe | 10 | win7-20240903-en
behavioral13 | 53bdaf567e302201ef06847d8914477e9a3852fc57d8e50606eab6bcdbdda8fc.exe | 8 | win7-20241010-en
behavioral14 | 6.exe | 7 | win7-20240708-en
behavioral15 | 646677375bc0ecaad279751d8d09220d5d44e20570548f8475f36803affda636.exe | 5 | win7-20240708-en
behavioral16 | 6dfb9490b10f90cfb5c0b7f2db24bc0eb3924664540ac24d5a1b32a4614078f8.exe | 9 | win7-20240903-en
behavioral17 | 7.exe | 6 | win7-20240903-en
behavioral18 | 71a20e270052665d18bc0fe4d1f9608e51f4fd427442e7abc3e5d43c4e987bdb.exe | 10 | win7-20240708-en
behavioral19 | 835b0ef8f5cfdc2ca8c0d3deccbafc48604e4a5356f0104cedfdfa20b20c2735.exe | 3 | win7-20240903-en
behavioral20 | $PLUGINSDIR/System.dll | 7 | win7-20241023-en
behavioral21 | $PLUGINSDIR/nsDialogs.dll | 3 | win7-20240903-en
behavioral22 | b15b78937cd33dfaedef28385b293c92b999f37b2a97d01d516f6189a6afefac.exe | 3 | win7-20241023-en
behavioral23 | $PLUGINSDIR/INetC.dll | 7 | win7-20240903-en
behavioral24 | $PLUGINSDIR/System.dll | 3 | win7-20240903-en
behavioral25 | $PLUGINSDIR/nsDialogs.dll | 3 | win7-20240903-en
behavioral26 | b3dc1bb1c72c6bda1a7508147b2c92021aa18eb99d419db7e8245f32979cd01b.exe | 3 | win7-20240903-en
behavioral27 | b4e3091d3119268dfc8ac3caf2d5d02fd4faa360f822a87b50110b805e465181.exe | 5 | win7-20240903-en
behavioral28 | c1b35d3d70c59a66a35ab7e4981ee3459571af1e43997a334bac1c073485fec3.exe | 10 | win7-20240903-en
behavioral29 | caa5f52a7811c49ae830606f01fd70d846fe53e9858603886f504e984fb2bc78.exe | 10 | win7-20240903-en
behavioral30 | d2878de61ff17b2ae8cd556a6935af332955f07acf1991ab30ddeba9a5ced20b.exe | 10 | win7-20240903-en
behavioral31 | dbadeff4af3fa7785d54d177db9608f24d405971cf642ca0759a203d9e895930.exe | 7 | win7-20240903-en
behavioral32 | f5d893afc4ad2e98606b597df186657b57f3d1e3a5abe51f800de6086aab84e9.exe | 10 | win7-20240903-en
General
Target: 7.exe
Size: 397KB
MD5: 60c40af102c485d0464236fe672d302b
SHA1: d4a5a0dae3fb0274c48828e84ff8f960c7463406
SHA256: 287a6b75d1776f89502a1fd0ec571adebff878becb0ebdcec703e8fc6e3885ad
SHA512: 4d22a012d1da6878e3a1f0a726a303084e1f775281f7518bf6712eb80b8fbbf5ef4c659a4be5d8e53ad9c2e0005ec8a3454491dcae4c517f4db7a81fcbad0dac
SSDEEP: 6144:34OusAhTGvRi52AHAio3Ez2Ual3kYqUXK19KfFxmrAEkmB0aiA5:IOk8Q52qAio3ECXQfMfForBku0aiY

Malware Config
Extracted from: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (the ransom note dropped into the all-users Startup folder)
Signatures

Dharma
Dharma is a CrySIS-derived ransomware family. Its droppers have been observed bundling a legitimate security-software installer as a decoy so that the encryption run is masked by the visible installation; the payload encrypts files and appends a victim ID, the operator's contact e-mail address and a variant extension to each filename.

Dharma family

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (322) files with added filename extension
This suggests ransomware activity: files across the system are being encrypted and renamed. The suffix observed in this run is .id-5642763B.[<contact e-mail>].combo, where 5642763B is the per-victim ID and the address between the brackets appears as [email protected] in this copy of the report because it was redacted; the literal string is not part of the extension.
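A parser for that naming scheme, added here as an example; it is not code from the sandbox report, from the sandbox vendor or from the malware. It assumes only the pattern visible in the IoCs on this page, `<name>.id-<8 hex>.[<e-mail>].<variant>`, and the e-mail address in the constructed sample listing is a hypothetical placeholder, since the report redacts the real one. It goes slightly beyond this run by tallying victim IDs, contacts and variants across a listing, which is how you tell one infection from several on a shared volume.

```python
"""Decompose Dharma-style encrypted filenames and triage a file listing.

Added example for this report; not code from the sandbox or the malware.
Assumes the naming scheme seen in the IoCs above:
    <original name>.id-<8 hex victim id>.[<contact e-mail>].<variant extension>
The e-mail address in the constructed listing below is a hypothetical
placeholder (the report redacts the real one).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Non-greedy original name, so the first ".id-<8 hex>" that is followed by a
# bracketed contact and a short variant token is taken as the ransomware suffix.
DHARMA_SUFFIX = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<variant>[A-Za-z0-9]{1,16})$"
)


@dataclass(frozen=True)
class EncryptedName:
    original: str   # filename before the suffix was appended
    victim_id: str  # per-victim ID embedded by the sample (5642763B in this run)
    contact: str    # operator contact address carried inside the brackets
    variant: str    # trailing extension (combo in this run)


def parse_encrypted_name(path: str) -> Optional[EncryptedName]:
    """Return the decomposed basename if it carries the suffix, else None."""
    basename = re.split(r"[\\/]", path)[-1]
    m = DHARMA_SUFFIX.match(basename)
    if m is None:
        return None
    return EncryptedName(m["original"], m["victim_id"], m["contact"], m["variant"])


def original_path(path: str) -> Optional[str]:
    """Rebuild the pre-encryption path (directory unchanged, suffix stripped)."""
    parsed = parse_encrypted_name(path)
    if parsed is None:
        return None
    head, sep, _ = path.rpartition("\\")
    return f"{head}{sep}{parsed.original}"


def summarize(paths):
    """Split a listing into encrypted vs. untouched and tally ids, contacts, variants.

    One victim ID across every renamed file is what a single infection looks
    like; several IDs mean several runs (or several hosts' data on a share).
    """
    parsed = [(p, parse_encrypted_name(p)) for p in paths]
    encrypted = [(p, e) for p, e in parsed if e is not None]
    return {
        "encrypted": [p for p, _ in encrypted],
        "untouched": [p for p, e in parsed if e is None],
        "victim_ids": Counter(e.victim_id for _, e in encrypted),
        "contacts": Counter(e.contact for _, e in encrypted),
        "variants": Counter(e.variant for _, e in encrypted),
    }


# Constructed listing modelled on paths from the report; e-mail is hypothetical.
SAMPLE_LISTING = [
    r"C:\Program Files\7-Zip\7-zip.chm.id-5642763B.[contact@example.com].combo",
    r"C:\Program Files\Mozilla Firefox\mozglue.dll.id-5642763B.[contact@example.com].combo",
    r"C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.id-5642763B.[contact@example.com].combo",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"C:\Windows\System32\7.exe",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LISTING)
    print(f"encrypted={len(s['encrypted'])} untouched={len(s['untouched'])}")
    print("victim ids:", dict(s["victim_ids"]), "variants:", dict(s["variants"]))
    for p in s["encrypted"]:
        print(" ", original_path(p))
```

Feed it a recursive directory listing from an affected host (or the file IoCs from a report like this one) and the victim ID and variant it returns are what you quote when looking up the variant; the rebuilt original paths are the inventory of what was encrypted.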
Credentials from Password Stores: Windows Credential Manager (1 TTP)
Suspicious access to Credentials History.

Drops startup file (5 IoCs)
All by 7.exe:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5642763B.[[email protected]].combo
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-5642763B.[[email protected]].combo
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
A copy of the sample and the Info.hta ransom note in the user's Startup folder re-run at every logon independently of the Run keys, so cleanup has to cover both.
Loads dropped DLL (2 IoCs)
PID 1112 taskmgr.exe (2 events)

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 3 IoCs)
All string values set by 7.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
7.exe = C:\Windows\System32\7.exe
C:\Windows\System32\Info.hta = mshta.exe "C:\Windows\System32\Info.hta"
C:\Users\Admin\AppData\Roaming\Info.hta = mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"
These are machine-wide (HKLM) values, so the sample was running with administrative rights; two of the three relaunch the ransom note through mshta.exe rather than the payload itself.
Drops desktop.ini file(s) (64 IoCs)
All "File opened for modification" by 7.exe:
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QMPQWRBT\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Program Files\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AQYH36ZT\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BY17T927\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\39RANI6K\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1DP8V76\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGWF8QWZ\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U3EGUGI8\desktop.ini
Drops file in System32 directory (2 IoCs)
File created: C:\Windows\System32\7.exe (by 7.exe)
File created: C:\Windows\System32\Info.hta (by 7.exe)
Drops file in Program Files directory (64 IoCs)
All by 7.exe. Entries come in two forms: the original path opened for modification, and the encrypted copy created under the appended extension.
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox
File opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM
File opened for modification: C:\Program Files\MeasureOut.MTS.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WHIRL2.WMF
File opened for modification: C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3B.BDR.id-5642763B.[[email protected]].combo
File created: C:\Program Files\7-Zip\Lang\ps.txt.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSSOAPR3.DLL
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp
File created: C:\Program Files\Google\Chrome\Application\106.0.5249.119\vulkan-1.dll.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_ja_4.4.0.v20140623020002.jar.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-applemenu_ja.jar
File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\7-Zip\7-zip32.dll.id-5642763B.[[email protected]].combo
File created: C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe.id-5642763B.[[email protected]].combo
File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196354.WMF.id-5642763B.[[email protected]].combo
File created: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21548_.GIF.id-5642763B.[[email protected]].combo
File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\Java\jre7\lib\zi\Asia\Kathmandu
File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03257_.WMF.id-5642763B.[[email protected]].combo
File created: C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.id-5642763B.[[email protected]].combo
File created: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Premium.gif.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\clock.js
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBARBLL.XML
File opened for modification: C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Monticello.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\Java\jre7\lib\zi\Pacific\Easter.id-5642763B.[[email protected]].combo
File created: C:\Program Files\Java\jre7\lib\zi\PST8PDT.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ar.dll
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_K_COL.HXK
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\THMBNAIL.PNG
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.smil_1.0.0.v200806040011.jar
File created: C:\Program Files\Mozilla Firefox\mozglue.dll.id-5642763B.[[email protected]].combo
File created: C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02265_.WMF
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15132_.GIF
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png
File created: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QUIKPUBS.POC.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui
File opened for modification: C:\Program Files\7-Zip\7-zip.chm.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\currency.css
File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107722.WMF.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM
File created: C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll.id-5642763B.[[email protected]].combo
File created: C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143754.GIF.id-5642763B.[[email protected]].combo
File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar
File created: C:\Program Files\Microsoft Games\Hearts\de-DE\Hearts.exe.mui.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac
File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE06450_.WMF.id-5642763B.[[email protected]].combo
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF.id-5642763B.[[email protected]].combo
File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif.id-5642763B.[[email protected]].combo
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by 7.exe)
Interacts with shadow copies (3 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
PID 2132 vssadmin.exe
PID 2528 vssadmin.exe

Modifies Internet Explorer settings (2 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main (by mshta.exe; one entry for each of the two mshta.exe instances)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 1984 7.exe and PID 1112 taskmgr.exe (64 events in total)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1112 taskmgr.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token | PID | Process
SeBackupPrivilege | 1044 | vssvc.exe
SeRestorePrivilege | 1044 | vssvc.exe
SeAuditPrivilege | 1044 | vssvc.exe
SeDebugPrivilege | 1112 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
PID 1112 taskmgr.exe (64 events)

Suspicious use of SendNotifyMessage (64 IoCs)
PID 1112 taskmgr.exe (64 events)
Suspicious use of WriteProcessMemory (28 IoCs)
Source PID | Source | Target PID | Target (sandbox procid) | Events
1984 | 7.exe | 2944 | cmd.exe (31) | 4
2944 | cmd.exe | 2164 | mode.com (33) | 3
2944 | cmd.exe | 2132 | vssadmin.exe (34) | 3
1984 | 7.exe | 1556 | cmd.exe (39) | 4
1556 | cmd.exe | 1732 | mode.com (41) | 3
1556 | cmd.exe | 2528 | vssadmin.exe (42) | 3
1984 | 7.exe | 752 | mshta.exe (43) | 4
1984 | 7.exe | 200 | mshta.exe (44) | 4
Target process names are taken from the process tree below. Every target is a direct child of its source, so these writes are consistent with ordinary process creation rather than injection into an unrelated process.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7.exe"
  PID: 1984
  - Drops startup file
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      PID: 2944
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\mode.com
          command line: mode con cp select=1251 (switches the console to code page 1251, Windows Cyrillic)
          PID: 2164

        C:\Windows\system32\vssadmin.exe
          command line: vssadmin delete shadows /all /quiet
          PID: 2132
          - Interacts with shadow copies

    C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd.exe"
      PID: 1556
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\mode.com
          command line: mode con cp select=1251
          PID: 1732

        C:\Windows\system32\vssadmin.exe
          command line: vssadmin delete shadows /all /quiet
          PID: 2528
          - Interacts with shadow copies

    C:\Windows\System32\mshta.exe
      command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID: 752
      - Modifies Internet Explorer settings

    C:\Windows\System32\mshta.exe
      command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID: 200
      - Modifies Internet Explorer settings

C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  PID: 1044
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1112
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

The shadow-copy wipe runs twice, each time as cmd.exe spawning mode.com and then vssadmin.exe, and vssvc.exe (the VSS service) is the process that actually acquires SeBackupPrivilege and SeRestorePrivilege to carry it out.
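Detection logic for what the tree above shows, covering both the cmd.exe to mode.com to vssadmin.exe chain and the Run-key persistence listed under "Adds Run key to start application". This is an added example, not part of the sandbox report and not any vendor's detection content; it runs over a constructed, simplified Sysmon-like event list modelled on the PIDs, images and command lines on this page, and the event field names (type, pid, ppid, image, cmdline, key, data) are assumptions made for the example. The benign control events at the end are constructed too.

```python
"""Flag the execution chain and persistence recorded in this report.

Added example; not part of the sandbox report and not vendor detection content.
Events are a constructed, simplified Sysmon-like form (process creation and
registry value set) modelled on the process tree and Run-key IoCs above; the
field names are assumptions made for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Paths an unprivileged user can write to. A parent running from here that
# spawns cmd.exe -> vssadmin.exe is far more suspicious than the same chain
# started from C:\Windows or C:\Program Files.
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply four rules, each derived from an observation in the report, and return findings.

    1. shadow_copy_deletion: vssadmin.exe with 'delete shadows' on its command line.
    2. dharma_cmd_chain: cmd.exe whose parent runs from a user-writable path and
       whose children include both mode.com and vssadmin.exe (the cp 1251 switch
       followed by the shadow wipe, seen twice in the tree above).
    3. mshta_startup_hta: mshta.exe executing an .hta from a Startup folder.
    4. run_key_persistence: a Run value whose data starts with mshta.exe, or that
       is written by a process running from a user-writable path.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = {}
    for p in procs.values():
        children.setdefault(p["ppid"], []).append(_base(p["image"]))

    findings = []
    for e in events:
        if e["type"] == "process":
            img, cmd = _base(e["image"]), e["cmdline"].lower()
            if img == "vssadmin.exe" and "delete shadows" in cmd:
                findings.append(Finding("shadow_copy_deletion", e["pid"], e["cmdline"]))
            if img == "mshta.exe" and ".hta" in cmd and STARTUP_DIR.search(e["cmdline"]):
                findings.append(Finding("mshta_startup_hta", e["pid"], e["cmdline"]))
            if img == "cmd.exe":
                parent = procs.get(e["ppid"])
                kids = children.get(e["pid"], [])
                if parent and USER_WRITABLE.match(parent["image"]) \
                        and "mode.com" in kids and "vssadmin.exe" in kids:
                    findings.append(Finding("dharma_cmd_chain", e["pid"],
                                            f"parent={parent['image']} children={kids}"))
        elif e["type"] == "registry_set" and RUN_KEY.search(e["key"]):
            actor = procs.get(e["pid"])
            if e["data"].lower().startswith("mshta.exe") or \
                    (actor is not None and USER_WRITABLE.match(actor["image"])):
                findings.append(Finding("run_key_persistence", e["pid"],
                                        f"{e['key']} = {e['data']}"))
    return findings


# Constructed events modelled on the report's tree; the last three are a benign control.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1984, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\7.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7.exe"'},
    {"type": "process", "pid": 2944, "ppid": 1984, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"type": "process", "pid": 2164, "ppid": 2944, "image": r"C:\Windows\system32\mode.com",
     "cmdline": "mode con cp select=1251"},
    {"type": "process", "pid": 2132, "ppid": 2944, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 752, "ppid": 1984, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    {"type": "registry_set", "pid": 1984,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7.exe", "data": r"C:\Windows\System32\7.exe"},
    {"type": "registry_set", "pid": 1984,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta",
     "data": r'mshta.exe "C:\Windows\System32\Info.hta"'},
    {"type": "process", "pid": 3000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 3001, "ppid": 3000, "image": r"C:\Windows\system32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "pid": 3002, "ppid": 3001, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:22} pid={f.pid:<5} {f.detail}")
```

Rule 1 alone is noisy on backup servers, which is why rule 2 ties the wipe to its parent's location; the admin shell that merely lists shadows in the control events produces no finding.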
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-5642763B.[[email protected]].combo
Filesize: 23.5MB
MD5: f744727a7adf9e271a3ac1b7dc8650c3
SHA1: 3fe4646604fbe233da1ed7d5904632173765345e
SHA256: 971a9f872ffd2959a9cde34f856101e907ce6ddd7ccf0f7dc56ad4d95f90105b
SHA512: be057ad497c8fef25a9b3bb4dda8cc0662a7da330663eae76873352dd1f5d366b6d6e1267cf7dbad25006ad5a52a731255020b89cecd2cfba841b81a11505d3d

Filesize: 13KB
MD5: 04e2cbb9423c42dd77cfd614c4a36807
SHA1: 8b6563ae67415b613703bbda83e77473cb82392f
SHA256: b6c846fa3267cedcd88b4fd97b1b9d88d3f86c24cc17cc6330030e5263ce35f9
SHA512: ed3d82b89dc4e5dac37d83bd50f5158170eb60f0feec2f79e8c8e1a2e7528fd67e32798b355635bef76d850594ab31977bf9c6657d43719441b5c663623e2b63

Filesize: 4.7MB
MD5: 61bffb5f57ad12f83ab64b7181829b34
SHA1: 945d94fef51e0db76c2fd95ee22ed2767be0fe0b
SHA256: 1dd0dd35e4158f95765ee6639f217df03a0a19e624e020dba609268c08a13846
SHA512: e569639d3bb81a7b3bd46484ff4b8065d7fd15df416602d825443b2b17d8c0c59500fb6516118e7a65ea9fdd9e4be238f0319577fa44c114eaca18b0334ba521