General

  • Target

    1.exe

  • Size

    92KB

  • Sample

    220118-qarsbsbcb4

  • MD5

    cc1ef1b52de2bd60cc72c49f425fe87a

  • SHA1

    479bfbf3b2a8f35a647cf7bd8060f3d917c5cb1e

  • SHA256

    7b9e8b0857e29bf1e1726c227a0648f77b3790f8cca973af3e720b44566f10aa

  • SHA512

    8f1e4897fd07c9716216dd41cbc43365ef3370ccf597ea3e6599a9341be0f0572c21d68d29b42814c1444ccfbe908e486bf52e112cdbca4ad08d9c7ab9864c43

Malware Config

  • Extracted path

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

  • Ransom Note

    YOUR FILES ARE ENCRYPTED 1024 Don't worry, you can return all your files! If you want to restore them, write to the mail: [email protected] YOUR ID [email protected] ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      1.exe

    • Dharma

      Dharma is ransomware that uses security software installation to hide malicious activities.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory
