Analysis
-
max time kernel
150s -
max time network
12s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 20:45
General
-
Target
45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe
-
Size
236KB
-
MD5
09fd8604639fa6f0d6a0d2a844c82ce8
-
SHA1
504ca88eedfe15fb00ce39e0b2c0522b5e90a2ac
-
SHA256
45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686
-
SHA512
057985b4d27ffa8097dc0537fa2ad42d9d137d7ef69b1e753c1fa3a8f7c2f42903291e9ce6c40170443ffff90e8d9ffd5b73e96f1f6f5b311e316669474d1da2
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
3441546223@qq.com
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 77 IoCs
-
Drops file in System32 directory 2 IoCs
-
Modifies service 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 27839 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 165 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe"C:\Users\Admin\AppData\Local\Temp\45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe"C:/Users/Admin/AppData/Local/Temp/45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
- Modifies Internet Explorer settings
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaMD5
cabaf2b8b14bc6c0f805914f881532cc
SHA13fca4bc265f5d8777dc1fc3da8690cbf82573e83
SHA25677a7e8e0187ce4f7506609c25914b241d767a5909b31a3dcfbae9e8a604d4ba3
SHA51276bcd6b9da363a6bbe690e17cc1d6b8d0b9d1655e07ee77eef4931ed96cdf8de97c373c50224fb12007f7f2e42a9e48c4e7d4a56b1c4b0a4b634303a039ed173
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeMD5
efe7f83fe680626f2c6485fe291d1946
SHA1e6660000842da2f5274f8798b1e2a5b6ae97ec40
SHA256f44f317169df398a253efd6c422a4008ec9957df06dbf2ebdd73113f8195d20d
SHA512ecc1966572cd200e2edc3cf03b1750a6ff8439d52375eab88f461e70ffd56b99b19200d2aa4b4b58f55b34ec07ca40ff25da571c33b8aa715b9384bad5bb56cd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaMD5
cabaf2b8b14bc6c0f805914f881532cc
SHA13fca4bc265f5d8777dc1fc3da8690cbf82573e83
SHA25677a7e8e0187ce4f7506609c25914b241d767a5909b31a3dcfbae9e8a604d4ba3
SHA51276bcd6b9da363a6bbe690e17cc1d6b8d0b9d1655e07ee77eef4931ed96cdf8de97c373c50224fb12007f7f2e42a9e48c4e7d4a56b1c4b0a4b634303a039ed173
-
memory/292-3-0x0000000000670000-0x000000000068B000-memory.dmpFilesize
108KB
-
memory/292-0-0x00000000748D0000-0x0000000074FBE000-memory.dmpFilesize
6.9MB
-
memory/292-1-0x0000000001380000-0x0000000001381000-memory.dmpFilesize
4KB
-
memory/328-8-0x0000000000000000-mapping.dmp
-
memory/680-34-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmpFilesize
64KB
-
memory/680-15-0x0000000000000000-mapping.dmp
-
memory/904-13-0x0000000000000000-mapping.dmp
-
memory/940-33-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmpFilesize
64KB
-
memory/940-14-0x0000000000000000-mapping.dmp
-
memory/960-12-0x0000000000000000-mapping.dmp
-
memory/1052-9-0x0000000000000000-mapping.dmp
-
memory/1348-6-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/1348-4-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/1348-5-0x000000000040A9D0-mapping.dmp
-
memory/1512-7-0x0000000000000000-mapping.dmp
-
memory/1992-18-0x000007FEF6580000-0x000007FEF67FA000-memory.dmpFilesize
2.5MB
-
memory/2028-11-0x0000000000000000-mapping.dmp