Overview

overview

10

Static

static

dharma.exe

windows7_x64

10

dharma.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-07-2021 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dharma.exe

  • Size

    70KB

  • MD5

    d65c7db4797b4738e91d0a24444033a6

  • SHA1

    b524a9b5a3abebbc04c068897b69515e5a1f26ac

  • SHA256

    883162246c3d0a2c10e5c35a2a43ff444a24dbcf9e64dc5cc09009b9cd0ab48e

  • SHA512

    aee796aaea06081d45dc0495a736d697fb6bd3ed8f34ca2efb8fff6919311942db3aeb196c56276ae048a018c9c0827d66e319362e3402dfadd4558bfa2c88e3

Score
10/10
phobosevasionpersistenceransomware

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail maksimbockovskij315@gmail.com Write this ID in the title of your message AF029118-2218 In case of no answer in 24 hours write us to this e-mail: maksimbockovskij@tuta.io You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

maksimbockovskij315@gmail.com

maksimbockovskij@tuta.io

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dharma.exe
    "C:\Users\Admin\AppData\Local\Temp\dharma.exe"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\dharma.exe
      "C:\Users\Admin\AppData\Local\Temp\dharma.exe"
      2⤵
        PID:1256
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1172
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:952
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:1376
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:648
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          3⤵
            PID:768
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode mode=disable
            3⤵
              PID:1144
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
            2⤵
            • Modifies Internet Explorer settings
            PID:1288
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
            2⤵
            • Modifies Internet Explorer settings
            PID:768
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
            2⤵
            • Modifies Internet Explorer settings
            PID:904
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:780
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              3⤵
              • Interacts with shadow copies
              PID:640
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1156
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:1556
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              3⤵
              • Modifies boot configuration data using bcdedit
              PID:1528
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1476

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Modify Existing Service

        1
        T1031

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        File Deletion

        2
        T1107

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Inhibit System Recovery

        3
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\info.hta
          MD5

          7a2da289e38061b7879a6f10656db940

          SHA1

          39976dfb674a1931a25728c71432cf7039c21f3e

          SHA256

          060c5768e0b00be91413ae8150143f7df2c73517deeccf56528a99bd4ea9a38d

          SHA512

          fe852fcbe6c91bc6122fb4cd92485e5ffb2d78a1929f787c612ede3f8301d90b2135b9ad4fc5d49bca09c59aad9e6cc4bf4d36b8d00e427e072828c5059e1245

          Download Submit
        • C:\info.hta
          MD5

          7a2da289e38061b7879a6f10656db940

          SHA1

          39976dfb674a1931a25728c71432cf7039c21f3e

          SHA256

          060c5768e0b00be91413ae8150143f7df2c73517deeccf56528a99bd4ea9a38d

          SHA512

          fe852fcbe6c91bc6122fb4cd92485e5ffb2d78a1929f787c612ede3f8301d90b2135b9ad4fc5d49bca09c59aad9e6cc4bf4d36b8d00e427e072828c5059e1245

          Download Submit
        • C:\users\public\desktop\info.hta
          MD5

          7a2da289e38061b7879a6f10656db940

          SHA1

          39976dfb674a1931a25728c71432cf7039c21f3e

          SHA256

          060c5768e0b00be91413ae8150143f7df2c73517deeccf56528a99bd4ea9a38d

          SHA512

          fe852fcbe6c91bc6122fb4cd92485e5ffb2d78a1929f787c612ede3f8301d90b2135b9ad4fc5d49bca09c59aad9e6cc4bf4d36b8d00e427e072828c5059e1245

          Download Submit
        • memory/640-76-0x0000000000000000-mapping.dmp
          Download
        • memory/648-71-0x0000000000000000-mapping.dmp
          Download
        • memory/768-64-0x0000000000000000-mapping.dmp
          Download
        • memory/768-66-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/768-73-0x0000000000000000-mapping.dmp
          Download
        • memory/780-75-0x0000000000000000-mapping.dmp
          Download
        • memory/904-74-0x0000000000000000-mapping.dmp
          Download
        • memory/952-69-0x0000000000000000-mapping.dmp
          Download
        • memory/1144-67-0x0000000000000000-mapping.dmp
          Download
        • memory/1156-77-0x0000000000000000-mapping.dmp
          Download
        • memory/1172-65-0x0000000000000000-mapping.dmp
          Download
        • memory/1288-72-0x0000000000000000-mapping.dmp
          Download
        • memory/1376-70-0x0000000000000000-mapping.dmp
          Download
        • memory/1528-83-0x0000000000000000-mapping.dmp
          Download
        • memory/1556-82-0x0000000000000000-mapping.dmp
          Download
        • memory/1624-63-0x0000000000000000-mapping.dmp
          Download
        • memory/1652-60-0x0000000076641000-0x0000000076643000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1656-62-0x0000000000000000-mapping.dmp
          Download