Overview

overview

10

Static

static

a911572197...30.exe

windows7_x64

10

a911572197...30.exe

windows10_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    26s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    08-05-2020 12:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a91157219713de5c5e716be9a4e8196e24a822cbb3367fb28887d9460bf90d30.exe

  • Size

    92KB

  • MD5

    8ebbfe0396d3442d9a5c61c9e81e95d3

  • SHA1

    7c649065f043dd8e4cc15823f77342561da18258

  • SHA256

    a91157219713de5c5e716be9a4e8196e24a822cbb3367fb28887d9460bf90d30

  • SHA512

    bbaf715a313d72f832e4a87268306c9a42a5e82065d1bab0282d94ceee93764c9fb419bc74f335baa014591db07b708813f3b19b738137b49c6a6550d89449ce

Score
10/10
ransomwaredharmapersistencespyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\FILES ENCRYPTED.txt

Ransom Note
all your data has been locked us You want to return? write email neural.net@tuta.io or neural.net2@protonmail.com
Emails

neural.net@tuta.io

neural.net2@protonmail.com

Signatures

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Drops startup file 5 IoCs
  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Drops file in Program Files directory 27780 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run entry to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 77 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 284 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a91157219713de5c5e716be9a4e8196e24a822cbb3367fb28887d9460bf90d30.exe
    "C:\Users\Admin\AppData\Local\Temp\a91157219713de5c5e716be9a4e8196e24a822cbb3367fb28887d9460bf90d30.exe"
    1⤵
    • Drops file in System32 directory
    • Drops startup file
    • Drops file in Program Files directory
    • Adds Run entry to start application
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
        PID:1832
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:304
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:556
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          2⤵
            PID:744
            • C:\Windows\system32\mode.com
              mode con cp select=1251
              3⤵
                PID:1428
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                3⤵
                • Interacts with shadow copies
                PID:1296
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Modifies service
            • Suspicious use of AdjustPrivilegeToken
            PID:572

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          2
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads