Analysis
-
max time kernel
150s -
max time network
115s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 20:45
General
-
Target
45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe
-
Size
236KB
-
MD5
09fd8604639fa6f0d6a0d2a844c82ce8
-
SHA1
504ca88eedfe15fb00ce39e0b2c0522b5e90a2ac
-
SHA256
45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686
-
SHA512
057985b4d27ffa8097dc0537fa2ad42d9d137d7ef69b1e753c1fa3a8f7c2f42903291e9ce6c40170443ffff90e8d9ffd5b73e96f1f6f5b311e316669474d1da2
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
3441546223@qq.com
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 70 IoCs
-
Drops file in System32 directory 2 IoCs
-
Modifies service 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 35375 IoCs
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 373 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe"C:\Users\Admin\AppData\Local\Temp\45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe"C:/Users/Admin/AppData/Local/Temp/45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe"2⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaMD5
d6d790ce5cea2e54b34d283a1b73e244
SHA1ef9340aad951d77f8a7e217a1b9118561371d3ce
SHA25623fe1001f7e37b2372590b4306b83e77d976eb2ec1930b7c5c6b9c481a4cdddf
SHA512e028ee7e11018c9cf961edd643be799b80be95e3d3324a50cb6f091c2310a530436bcb89537b22b45e4f3d2bef3c02aaf7e315cfd357f641fd8f49d956db0468
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686.exe.logMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeMD5
fcb2de9b597d72e002ca26cdee1886af
SHA1eb00d1b115ddfd9d66fd040d0ca8b5953830dbc1
SHA256ee2b863ef43a3b712b256c7bffaffea16d3dddb447f3c6cfc6e98267e105d54f
SHA51238723340044ea62169101158dab0f2c82fa143368e902aa353ff12d4c549104cd2badcbab43aa310e46b9c7082d9f59b7a84105cfd6ee7f97799a7ea97421cc8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.htaMD5
d6d790ce5cea2e54b34d283a1b73e244
SHA1ef9340aad951d77f8a7e217a1b9118561371d3ce
SHA25623fe1001f7e37b2372590b4306b83e77d976eb2ec1930b7c5c6b9c481a4cdddf
SHA512e028ee7e11018c9cf961edd643be799b80be95e3d3324a50cb6f091c2310a530436bcb89537b22b45e4f3d2bef3c02aaf7e315cfd357f641fd8f49d956db0468
-
memory/644-1-0x00000000004C0000-0x00000000004C1000-memory.dmpFilesize
4KB
-
memory/644-3-0x0000000004D60000-0x0000000004D61000-memory.dmpFilesize
4KB
-
memory/644-4-0x0000000004CC0000-0x0000000004CDB000-memory.dmpFilesize
108KB
-
memory/644-0-0x0000000073DC0000-0x00000000744AE000-memory.dmpFilesize
6.9MB
-
memory/1212-16-0x0000000000000000-mapping.dmp
-
memory/1216-18-0x0000000000000000-mapping.dmp
-
memory/2088-13-0x0000000000000000-mapping.dmp
-
memory/2128-9-0x0000000000000000-mapping.dmp
-
memory/2268-7-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/2268-6-0x000000000040A9D0-mapping.dmp
-
memory/2268-5-0x0000000000400000-0x0000000000419000-memory.dmpFilesize
100KB
-
memory/2324-10-0x0000000000000000-mapping.dmp
-
memory/2444-14-0x0000000000000000-mapping.dmp
-
memory/2912-8-0x0000000000000000-mapping.dmp
-
memory/4036-15-0x0000000000000000-mapping.dmp