Overview

overview

10

Static

static

1eca4383fb...f1.exe

windows7_x64

10

1eca4383fb...f1.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-04-2021 06:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1eca4383fb0c1d2e92b9a0ef1e939643a0fefdb37b4519e731030197c7091ff1.exe

  • Size

    92KB

  • MD5

    627c54e435c997f228937d70fa4efabe

  • SHA1

    de983ae81197370c1c0db019e47367ef0521163d

  • SHA256

    1eca4383fb0c1d2e92b9a0ef1e939643a0fefdb37b4519e731030197c7091ff1

  • SHA512

    c827d16c316ba46e5ed73018a73dc99c2e62a0c809aeb986027444a1d5d53e4c3fcb955152debc30bc69c82621eeb6ec454d6add17e5b2875cf3d25e325f0466

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email didoh@tutanota.com YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: enlist@criptext.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

didoh@tutanota.com

enlist@criptext.com

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1eca4383fb0c1d2e92b9a0ef1e939643a0fefdb37b4519e731030197c7091ff1.exe
    "C:\Users\Admin\AppData\Local\Temp\1eca4383fb0c1d2e92b9a0ef1e939643a0fefdb37b4519e731030197c7091ff1.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:3948
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:2764
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:256
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:1772
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:3140
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:4044
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:3736
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:940

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          1
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            MD5

            ffd6df00b3f71743c11b7ac3714c878a

            SHA1

            0a9317a2336b2e2f82923cfd58428b894fb33883

            SHA256

            daad5a256da929ddf95c5632fef0d1f9dead692c397fdf301c8ad1c60760791d

            SHA512

            2485923881caaaeeebf9559316e39a6ae67e1fe47205294d95096cdb5f67372131a6444a879c616bdfdffc79f73289c9c34100973b9c71038d1519db611cc7b0

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            MD5

            ffd6df00b3f71743c11b7ac3714c878a

            SHA1

            0a9317a2336b2e2f82923cfd58428b894fb33883

            SHA256

            daad5a256da929ddf95c5632fef0d1f9dead692c397fdf301c8ad1c60760791d

            SHA512

            2485923881caaaeeebf9559316e39a6ae67e1fe47205294d95096cdb5f67372131a6444a879c616bdfdffc79f73289c9c34100973b9c71038d1519db611cc7b0

            Download Submit
          • memory/256-5-0x0000000000000000-mapping.dmp
            Download
          • memory/1480-2-0x0000000000000000-mapping.dmp
            Download
          • memory/1772-6-0x0000000000000000-mapping.dmp
            Download
          • memory/2764-4-0x0000000000000000-mapping.dmp
            Download
          • memory/3140-7-0x0000000000000000-mapping.dmp
            Download
          • memory/3736-9-0x0000000000000000-mapping.dmp
            Download
          • memory/3948-3-0x0000000000000000-mapping.dmp
            Download
          • memory/4044-8-0x0000000000000000-mapping.dmp
            Download