Overview

overview

10

Static

static

winload.exe

windows7_x64

10

winload.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    winload.exe

  • Size

    92KB

  • Sample

    211217-q56vqsdfh7

  • MD5

    ea5b39f4ae5947c5f8e1ac7611f850d2

  • SHA1

    f5351778c76ff4155f85473b73cfe0e4581a1131

  • SHA256

    b882013f2b66b391b1988e9d2bc5a0cd6357c2c942b30aad8fe1ea17ba46b94f

  • SHA512

    061d60e4072d73d6c7a8b0161e3d35861d61a06f1fea750a479e54ff151ee7ee1ef70fac9b9dc94c43f6b4300aba9fa2e47945eece0254a4911887758a855507

Score
10/10
dharmaxmrigminerpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED 1024 Don't worry, you can return all your files! If you want to restore them, write to the mail: [email protected] YOUR ID [email protected] ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      winload.exe

    • Size

      92KB

    • MD5

      ea5b39f4ae5947c5f8e1ac7611f850d2

    • SHA1

      f5351778c76ff4155f85473b73cfe0e4581a1131

    • SHA256

      b882013f2b66b391b1988e9d2bc5a0cd6357c2c942b30aad8fe1ea17ba46b94f

    • SHA512

      061d60e4072d73d6c7a8b0161e3d35861d61a06f1fea750a479e54ff151ee7ee1ef70fac9b9dc94c43f6b4300aba9fa2e47945eece0254a4911887758a855507

    Score
    10/10
    dharmapersistenceransomwarespywarestealerxmrigminer

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks