Overview

overview

10

Static

static

ransomware

windows7_x64

10

Analysis

  • max time kernel
    303s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    08-05-2020 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a91157219713de5c5e716be9a4e8196e24a822cbb3367fb28887d9460bf90d30.exe

  • Size

    92KB

  • MD5

    8ebbfe0396d3442d9a5c61c9e81e95d3

  • SHA1

    7c649065f043dd8e4cc15823f77342561da18258

  • SHA256

    a91157219713de5c5e716be9a4e8196e24a822cbb3367fb28887d9460bf90d30

  • SHA512

    bbaf715a313d72f832e4a87268306c9a42a5e82065d1bab0282d94ceee93764c9fb419bc74f335baa014591db07b708813f3b19b738137b49c6a6550d89449ce

Score
10/10
ransomwaredharmapersistencespyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Ransom Note
all your data has been locked us You want to return? write email [email protected] or [email protected]

Signatures

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 580 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Drops desktop.ini file(s) 77 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Drops startup file 5 IoCs
  • Drops file in Program Files directory 27803 IoCs
  • Adds Run entry to start application 2 TTPs 3 IoCs
    persistence
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\a91157219713de5c5e716be9a4e8196e24a822cbb3367fb28887d9460bf90d30.exe
    "C:\Users\Admin\AppData\Local\Temp\a91157219713de5c5e716be9a4e8196e24a822cbb3367fb28887d9460bf90d30.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Drops desktop.ini file(s)
    • Suspicious use of WriteProcessMemory
    • Drops startup file
    • Drops file in Program Files directory
    • Adds Run entry to start application
    PID:1612
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
        PID:1376
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:368
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:864
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          2⤵
            PID:1104
            • C:\Windows\system32\mode.com
              mode con cp select=1251
              3⤵
                PID:1484
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:1492
            • C:\Windows\System32\mshta.exe
              "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
              2⤵
              • Modifies Internet Explorer settings
              PID:1584
            • C:\Windows\System32\mshta.exe
              "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
              2⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              PID:2008
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            • Modifies service
            PID:1000
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
            1⤵
            • Suspicious use of FindShellTrayWindow
            PID:2032

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          3
          T1112

          File Deletion

          2
          T1107

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Download Submit
          • C:\Users\Public\Desktop\FILES ENCRYPTED.txt
            Download Submit
          • memory/1584-10-0x0000000005600000-0x0000000005623000-memory.dmp
            Filesize

            140KB

            Download
          • memory/1584-11-0x0000000005A00000-0x0000000005A0B000-memory.dmp
            Filesize

            44KB

            Download