General

  • Target

    882e6507516a3546154ac27a57dff2ca544b7b1f97eeeff35a121a8b4a14b996.exe

  • Size

    92KB

  • Sample

    210424-dkqt472tfn

  • MD5

    b53c901068b57dcc17d4186de1b44a5c

  • SHA1

    ea29aa1d883b4a1c45f8b4f657bc7914776423e6

  • SHA256

    882e6507516a3546154ac27a57dff2ca544b7b1f97eeeff35a121a8b4a14b996

  • SHA512

    94635d518eca90ceb448b1cfabc7c1685786b4b731d4ec12913d415eac92285281a5a0b568938ecd41d1ec73199bf7c3344e1adc97e88212379f72649650c81c

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, write to the mail: hpjar@keemail.me YOUR ID hpjar@protonmail.ch !ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

hpjar@keemail.me

hpjar@protonmail.ch

Targets

    • Target

      882e6507516a3546154ac27a57dff2ca544b7b1f97eeeff35a121a8b4a14b996.exe

    • Size

      92KB

    • MD5

      b53c901068b57dcc17d4186de1b44a5c

    • SHA1

      ea29aa1d883b4a1c45f8b4f657bc7914776423e6

    • SHA256

      882e6507516a3546154ac27a57dff2ca544b7b1f97eeeff35a121a8b4a14b996

    • SHA512

      94635d518eca90ceb448b1cfabc7c1685786b4b731d4ec12913d415eac92285281a5a0b568938ecd41d1ec73199bf7c3344e1adc97e88212379f72649650c81c

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Tasks