Resubmissions

24-04-2021 00:27

210424-3dpx7fvbns 10

24-04-2021 00:23

210424-ey6njt2snx 10

General

  • Target

    winhost.exe

  • Size

    92KB

  • Sample

    210424-ey6njt2snx

  • MD5

    1935185051c225c096396bffbd7b5a34

  • SHA1

    bc5891815b66d7adf44c9dbb56d7170d7304bdff

  • SHA256

    ea387065ba5b3f661d15cc0713a838c611afd1052925eb458dfcdb4ab893a1f6

  • SHA512

    564ad1f26b83d76cd34cf35c0bbf988f635d89ad97f103a68bae576cd155415495ce069ef8451b04710448afb1855f7aff60cfb22b51e334b3c2426e661f193d

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
!!!YOUR FILES ARE ENCRYPTED!!! 1100110 1101001 1101100 1100101 Don't worry,you can return all your files! If you want to restore them, write to the mail: bad_dev@tuta.io YOUR ID bad.dev@onionmail.org !ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

bad_dev@tuta.io

bad.dev@onionmail.org

Targets

    • Target

      winhost.exe

    • Size

      92KB

    • MD5

      1935185051c225c096396bffbd7b5a34

    • SHA1

      bc5891815b66d7adf44c9dbb56d7170d7304bdff

    • SHA256

      ea387065ba5b3f661d15cc0713a838c611afd1052925eb458dfcdb4ab893a1f6

    • SHA512

      564ad1f26b83d76cd34cf35c0bbf988f635d89ad97f103a68bae576cd155415495ce069ef8451b04710448afb1855f7aff60cfb22b51e334b3c2426e661f193d

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Tasks