dharma | 7ecb2207b8e9e3e95700c1a0e8616995a07aecc3437d53705ba9dc6bf7ca18e0

Resubmissions

21-02-2025 03:49

250221-edf98asnbq 10

21-02-2025 02:16

250221-cp8shazpdv 10

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-02-2025 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payload.exe
Size

92KB
MD5

e7290701c6f837d655e00f5df6ca4b40
SHA1

1b2ed5c4871d08ebc8a62495fb5c8dd4c897e2d1
SHA256

7ecb2207b8e9e3e95700c1a0e8616995a07aecc3437d53705ba9dc6bf7ca18e0
SHA512

5c007fe1be37226178ecb98f2a461b84cfbd7dcb39b1e8ddb6db87258ad6140a73049235d0520ec3218cc9674ac365b8f04761968189213b0402befe595650fa
SSDEEP

1536:mBwl+KXpsqN5vlwWYyhY9S4AYhAnjumqSah8RHpmxQE71lLNKs71v+Jj:Qw+asqN5aW/hLmhq6h8RHoeEx+

Score

10^/10

dharma credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Dharma family
dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (321) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe	payload.exe

Loads dropped DLL 8 IoCs

pid	Process
4056	MsiExec.exe
4056	MsiExec.exe
4056	MsiExec.exe
4056	MsiExec.exe
4056	MsiExec.exe
4056	MsiExec.exe
4056	MsiExec.exe
1416	MsiExec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\payload.exe = "C:\\Windows\\System32\\payload.exe"	payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	payload.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini	payload.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	payload.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3K0NZPWJ\desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	payload.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	payload.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	payload.exe
File opened for modification	C:\Program Files\desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	payload.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\386UAANV\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	payload.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	payload.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	payload.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	payload.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	payload.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	payload.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	payload.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	payload.exe
File opened for modification	C:\Users\Public\desktop.ini	payload.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	payload.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	payload.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	payload.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini	payload.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	payload.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	payload.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	payload.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	payload.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\payload.exe	payload.exe
File created	C:\Windows\System32\Info.hta	payload.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\DataSet.zip.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tarawa	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107496.WMF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\visualization\libvisual_plugin.dll	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEMANAGED.DLL.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar	payload.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Niue	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLAPPTR.FAE	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLWVW.DLL.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0158007.WMF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png	payload.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OFFLINE.ICO.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\Microsoft.Build.Engine.resources.dll	payload.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\Microsoft.VisualStudio.Tools.Applications.Blueprints.tlb.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43F.GIF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml	payload.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll	payload.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\Keywords.HxK.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN086.XML.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	payload.exe
File opened for modification	C:\Program Files\Mozilla Firefox\ipcclientcerts.dll.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02022_.WMF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.Infopath.dll.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	payload.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304853.WMF	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0205582.WMF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\4.png	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099180.WMF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01330_.GIF	payload.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt	payload.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-dialogs_ja.jar.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_zh_CN.properties.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01838_.GIF	payload.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\install.ins.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01039_.WMF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\bckgzm.exe.mui.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0211981.WMF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02088_.WMF	payload.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	payload.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143746.GIF.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_F_COL.HXK.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\XOCR3.PSP.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tabs.accdt	payload.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	payload.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR_COL.HXC.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.id-D8EE9149.[[email protected]].SCRT	payload.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml.id-D8EE9149.[[email protected]].SCRT	payload.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe	payload.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.ELM.id-D8EE9149.[[email protected]].SCRT	payload.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI86B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF14.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFEF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f770532.ipi	msiexec.exe
File created	C:\Windows\Installer\f77052f.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\f77052f.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI908.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC53.tmp	msiexec.exe
File created	C:\Windows\Installer\f770532.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEF4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI134A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59C.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1856	vssadmin.exe
3628	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb open \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\edit	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command\ = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLED.EXE\" /verb edit \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\ = "\"%1\""	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\xmlfile\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler\ = "{AB968F1E-E20B-403A-9EB8-72EB0EB6797E}"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2232	NOTEPAD.EXE
1104	NOTEPAD.EXE
3184	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
1880	msiexec.exe
1880	msiexec.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe
2016	payload.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeBackupPrivilege	580	vssvc.exe
Token: SeRestorePrivilege	580	vssvc.exe
Token: SeAuditPrivilege	580	vssvc.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeSecurityPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe
Token: SeRestorePrivilege	1880	msiexec.exe
Token: SeTakeOwnershipPrivilege	1880	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2300	mshta.exe
3172	mshta.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1960	2016	payload.exe	30
PID 2016 wrote to memory of 1960	2016	payload.exe	30
PID 2016 wrote to memory of 1960	2016	payload.exe	30
PID 2016 wrote to memory of 1960	2016	payload.exe	30
PID 1960 wrote to memory of 2484	1960	cmd.exe	32
PID 1960 wrote to memory of 2484	1960	cmd.exe	32
PID 1960 wrote to memory of 2484	1960	cmd.exe	32
PID 1960 wrote to memory of 1856	1960	cmd.exe	33
PID 1960 wrote to memory of 1856	1960	cmd.exe	33
PID 1960 wrote to memory of 1856	1960	cmd.exe	33
PID 1880 wrote to memory of 4056	1880	msiexec.exe	39
PID 1880 wrote to memory of 4056	1880	msiexec.exe	39
PID 1880 wrote to memory of 4056	1880	msiexec.exe	39
PID 1880 wrote to memory of 4056	1880	msiexec.exe	39
PID 1880 wrote to memory of 4056	1880	msiexec.exe	39
PID 1880 wrote to memory of 4056	1880	msiexec.exe	39
PID 1880 wrote to memory of 4056	1880	msiexec.exe	39
PID 2016 wrote to memory of 3212	2016	payload.exe	40
PID 2016 wrote to memory of 3212	2016	payload.exe	40
PID 2016 wrote to memory of 3212	2016	payload.exe	40
PID 2016 wrote to memory of 3212	2016	payload.exe	40
PID 3212 wrote to memory of 2080	3212	cmd.exe	42
PID 3212 wrote to memory of 2080	3212	cmd.exe	42
PID 3212 wrote to memory of 2080	3212	cmd.exe	42
PID 3212 wrote to memory of 3628	3212	cmd.exe	43
PID 3212 wrote to memory of 3628	3212	cmd.exe	43
PID 3212 wrote to memory of 3628	3212	cmd.exe	43
PID 2016 wrote to memory of 2300	2016	payload.exe	44
PID 2016 wrote to memory of 2300	2016	payload.exe	44
PID 2016 wrote to memory of 2300	2016	payload.exe	44
PID 2016 wrote to memory of 2300	2016	payload.exe	44
PID 2016 wrote to memory of 3172	2016	payload.exe	45
PID 2016 wrote to memory of 3172	2016	payload.exe	45
PID 2016 wrote to memory of 3172	2016	payload.exe	45
PID 2016 wrote to memory of 3172	2016	payload.exe	45
PID 1880 wrote to memory of 1416	1880	msiexec.exe	46
PID 1880 wrote to memory of 1416	1880	msiexec.exe	46
PID 1880 wrote to memory of 1416	1880	msiexec.exe	46
PID 1880 wrote to memory of 1416	1880	msiexec.exe	46
PID 1880 wrote to memory of 1416	1880	msiexec.exe	46

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\payload.exe
"C:\Users\Admin\AppData\Local\Temp\payload.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2484
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1856
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\system32\mode.com
    mode con cp select=1251
    3⤵
    PID:2080
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3628
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  PID:2300
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  PID:3172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57B65F52B2B1A85627C1FC1CD7A44D94
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4056
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 31A79D22D40385F5B72BDBDE81BB24DC
  2⤵
  - Loads dropped DLL
  PID:1416

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2232

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1104

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.id-D8EE9149.[[email protected]].SCRT

Filesize
24.4MB

MD5
f2ea71c4cbdc54623af55dd98b3307ec

SHA1
9b71b52b6ca2462e7311186fe5645c324b889eb5

SHA256
2191e8d6acf875f2b09782d8c68fbabba94f97ae6d5e06080cf71baf7ab9f9a6

SHA512
dac2480a302fac6eb8fb5285fa1045ee1d86172932147fcf8be5f47331c81c2ea1c3f0bab0a08e5c6886790569b3d388e11085dc278b336c110ecada9ac00ad5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Filesize
1KB

MD5
d4191628bbd4373fca1df8759d6fea5e

SHA1
74a397e264ef0c91dcccef618b015f8725a1c9a3

SHA256
88833e07c1f1c8acc419d5e7d8fa83ead8625be2e13f00ec1d3a58d3dad3d95a

SHA512
8d61e7756ca79d599c185fb16131561d319ce92a05ad202be9662ab2091709fc54f681d44f5319c4cbc39428c7205de4d49b35e66a213fb23593675f13d96e84

Download Submit
C:\Users\Admin\Desktop\info.txt

Filesize
152B

MD5
9b1b6b0e882a2a05872f3af5090067c2

SHA1
f07391cdf71e30a43d3833642bed47664087bdbc

SHA256
a4f247d8518669986919ee2b5389544340dce2fbc05b4a8ff04d835f90bdbb0b

SHA512
7d6db752efb6a0344767a2b2716c34f49209a274cd7e58b89123a81d4099bbdbfa1e23f4ff40d0803c457b19e4eb2522aaa138fc657434d0c4618005282b7731

Download Submit
C:\Windows\Installer\MSI134A.tmp

Filesize
86KB

MD5
ff58cd07bf4913ef899efd2dfb112553

SHA1
f14c1681de808543071602f17a6299f8b4ba2ae8

SHA256
1afafe9157ff5670bbec8ce622f45d1ce51b3ee77b7348d3a237e232f06c5391

SHA512
23e27444b6cdc17fe56f3a80d6325c2be61ae84213bc7cdaad7bb96daa7e8d2d3defc1b96c3cee4a3f32dc464b0e05720bcf1c0e99626bf83de1b6d5aac000a3

Download Submit
C:\Windows\Installer\MSI59C.tmp

Filesize
257KB

MD5
d1f5ce6b23351677e54a245f46a9f8d2

SHA1
0d5c6749401248284767f16df92b726e727718ca

SHA256
57cb8f01cf553c3886760180d1a74839f2f676640115504485aca9692f577acc

SHA512
960e90894e7bedcc89894e77e57e8ee0c99dd2c530d02665e8bbd3a1793eccc1e295c5923d1f37c757fa1158097fbaae70898c16052882d3d210c29ea801b3ba

Download Submit
C:\Windows\Installer\MSI86B.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\Windows\Installer\MSIEC4.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Installer\MSIF14.tmp

Filesize
148KB

MD5
33908aa43ac0aaabc06a58d51b1c2cca

SHA1
0a0d1ce3435abe2eed635481bac69e1999031291

SHA256
4447faacefaba8f040822101e2a4103031660de9139e70ecff9aa3a89455a783

SHA512
d5216a53df9cfbe1a78629c103286eb17042f639149c46b6a1cd76498531ae82afd265462fbe0ba9baaff275fc95c66504804f107c449f3fc5833b1ed9c3da46

Download Submit