Overview

overview

10

Static

static

227d13f9a1...e3.exe

windows7_x64

10

227d13f9a1...e3.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe

  • Size

    245KB

  • MD5

    dca247cda2f20152feb8cf6b410fc093

  • SHA1

    c7f9176ed2615364fb02d454918425814d52d4bf

  • SHA256

    227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3

  • SHA512

    91f2b08c409110f74c0a42f3df1f7920a539d2081704878ae573e9111b5f8cc4694611c8d541fc9f1bf913847ca94ef487f8f1333a34507bb3c3cd9fe7623760

Score
10/10
dharmapersistenceransomwarespyware

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail 3441546223@qq.com Write this ID in the title of your message 5BBE3585 In case of no answer in 24 hours write us to theese e-mails: 3441546223@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

3441546223@qq.com

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 77 IoCs
  • Drops file in System32 directory 2 IoCs
  • Modifies service 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 27805 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 166 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe
    "C:\Users\Admin\AppData\Local\Temp\227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:484
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Executes dropped EXE
      • Modifies extensions of user files
      • Deletes itself
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          4⤵
            PID:1876
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:340
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1944
          • C:\Windows\system32\mode.com
            mode con cp select=1251
            4⤵
              PID:964
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:948
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            3⤵
            • Modifies Internet Explorer settings
            PID:1384
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            3⤵
            • Modifies Internet Explorer settings
            PID:1116
        • C:\Users\Admin\AppData\Local\Temp\227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe
          "C:/Users/Admin/AppData/Local/Temp/227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3.exe"
          2⤵
            PID:1356
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Modifies service
          • Suspicious use of AdjustPrivilegeToken
          PID:584

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Modify Existing Service

        1
        T1031

        Privilege Escalation

        Defense Evasion

        File Deletion

        2
        T1107

        Modify Registry

        3
        T1112

        Credential Access

        Credentials in Files

        1
        T1081

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        2
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
          MD5

          ad91850e2cbb7ec53bf54d20e91f2a79

          SHA1

          f6fb46333a4b8f15b50102facd04f721b9524527

          SHA256

          a46ac7ab40b3b74129e9c8b579923996d92cd22a97c428691a8f239cbed25a70

          SHA512

          5a37159d81f25f6e5daf0fa8ab3f8261f09fc26274e1ab116f29d93aad2fb9e4a6c29682c6d95f9927fad5b4e972e63f45284ddb26e435fb2df21174e27c74a4

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          MD5

          3dc997b75986d0aa933a2e27455b4530

          SHA1

          b8f49e05a51b6a35da4d7f28c908102f5da5e9b2

          SHA256

          1c75630faa86f75449df605d2878d0e344c905dbcf01f1e4c65a3f52d32901c5

          SHA512

          84a3cb83204ee908e0ec5eb695b95375662a41b6ef1de9bafb220934a7aaedd353f2d2156edad205b128db8c6fdcbee636e13afb7a8d49aa46762a958d067818

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp.exe
          MD5

          c491e17a0ad8a5d2a36151ace5f10cef

          SHA1

          0012f5c4d189cd009db0d5ee9e398470185d5e44

          SHA256

          1c2e66bac96bcc34b1681496ddc1d5f3cbeeeb726f0eef1f36323e25a0284871

          SHA512

          245f59f50540e2550a2fde2a7ba17f4b1cac9afcc10c4fb7b0b3758c0dd78fe937f623f3a2399d66ce2e2b796b96a7f20bd544cc24e01b72d5116ee2d2fd6bb5

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp.exe
          MD5

          c491e17a0ad8a5d2a36151ace5f10cef

          SHA1

          0012f5c4d189cd009db0d5ee9e398470185d5e44

          SHA256

          1c2e66bac96bcc34b1681496ddc1d5f3cbeeeb726f0eef1f36323e25a0284871

          SHA512

          245f59f50540e2550a2fde2a7ba17f4b1cac9afcc10c4fb7b0b3758c0dd78fe937f623f3a2399d66ce2e2b796b96a7f20bd544cc24e01b72d5116ee2d2fd6bb5

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
          MD5

          ad91850e2cbb7ec53bf54d20e91f2a79

          SHA1

          f6fb46333a4b8f15b50102facd04f721b9524527

          SHA256

          a46ac7ab40b3b74129e9c8b579923996d92cd22a97c428691a8f239cbed25a70

          SHA512

          5a37159d81f25f6e5daf0fa8ab3f8261f09fc26274e1ab116f29d93aad2fb9e4a6c29682c6d95f9927fad5b4e972e63f45284ddb26e435fb2df21174e27c74a4

          Download Submit
        • \Users\Admin\AppData\Local\Temp\tmp.exe
          MD5

          c491e17a0ad8a5d2a36151ace5f10cef

          SHA1

          0012f5c4d189cd009db0d5ee9e398470185d5e44

          SHA256

          1c2e66bac96bcc34b1681496ddc1d5f3cbeeeb726f0eef1f36323e25a0284871

          SHA512

          245f59f50540e2550a2fde2a7ba17f4b1cac9afcc10c4fb7b0b3758c0dd78fe937f623f3a2399d66ce2e2b796b96a7f20bd544cc24e01b72d5116ee2d2fd6bb5

          Download Submit
        • \Users\Admin\AppData\Local\Temp\tmp.exe
          MD5

          c491e17a0ad8a5d2a36151ace5f10cef

          SHA1

          0012f5c4d189cd009db0d5ee9e398470185d5e44

          SHA256

          1c2e66bac96bcc34b1681496ddc1d5f3cbeeeb726f0eef1f36323e25a0284871

          SHA512

          245f59f50540e2550a2fde2a7ba17f4b1cac9afcc10c4fb7b0b3758c0dd78fe937f623f3a2399d66ce2e2b796b96a7f20bd544cc24e01b72d5116ee2d2fd6bb5

          Download Submit
        • memory/340-11-0x0000000000000000-mapping.dmp
          Download
        • memory/484-0-0x00000000747A0000-0x0000000074E8E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/484-3-0x0000000000300000-0x000000000031B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/484-1-0x0000000000890000-0x0000000000891000-memory.dmp
          Filesize

          4KB

          Download
        • memory/588-23-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp
          Filesize

          2.5MB

          Download
        • memory/948-18-0x0000000000000000-mapping.dmp
          Download
        • memory/964-17-0x0000000000000000-mapping.dmp
          Download
        • memory/1116-20-0x0000000000000000-mapping.dmp
          Download
        • memory/1288-6-0x0000000000000000-mapping.dmp
          Download
        • memory/1356-12-0x0000000000400000-0x0000000000419000-memory.dmp
          Filesize

          100KB

          Download
        • memory/1356-14-0x0000000000400000-0x0000000000419000-memory.dmp
          Filesize

          100KB

          Download
        • memory/1356-13-0x000000000040A9D0-mapping.dmp
          Download
        • memory/1384-19-0x0000000000000000-mapping.dmp
          Download
        • memory/1384-31-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1676-9-0x0000000000000000-mapping.dmp
          Download
        • memory/1876-10-0x0000000000000000-mapping.dmp
          Download
        • memory/1944-16-0x0000000000000000-mapping.dmp
          Download