General

  • Target

    winhost.exe

  • Size

    92KB

  • Sample

    220305-cpkexahgcr

  • MD5

    49973e9179195c665b4e55102ac13eb2

  • SHA1

    75bc5aac8dab68c12b770084a359526e1717c254

  • SHA256

    3056012d6cb364e7c4ef9989b73e3332b85647896a22ec4ac0637a618b1034f9

  • SHA512

    3876514133aba684b4f7b4c75a0c93c86394a8bbd35f5a7f25185e8a089de47a72a12f618342b05d0c8924c644f7128290e2189efbda359ab7937308d99892d7

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED 1024 Don't worry, you can return all your files! If you want to restore them, write to the mail: [email protected] YOUR ID [email protected] ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Targets

    • Target

      winhost.exe

    • Dharma

      Dharma is a ransomware family that has been observed using a security software installation to mask its malicious activity.

    • Registers COM server for autorun

    • Deletes shadow copies

      Ransomware commonly deletes Volume Shadow Copies and other backups to inhibit system recovery.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory
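The behavioural signatures above translate directly into host-based detections. The following Python is added here as an example and is not part of the sandbox output: it encodes four of the listed behaviours (shadow copy deletion, Startup folder drop, Run key persistence, Image File Execution Options tampering) as rules, runs them over a few constructed Sysmon-style events, and checks dropped text against phrases from the extracted ransom note. The Startup path and note phrases come from this report; the command lines, SID, registry value names and file names in the sample events are assumptions for illustration.

```python
"""Added example, not part of the sandbox report: behavioural rules for the
signatures listed above, run over constructed Sysmon-style events."""
import re

# Constructed events modelled on Sysmon Event ID 1 (ProcessCreate),
# 11 (FileCreate) and 13 (RegistryEvent, value set). Not real telemetry;
# only the Startup folder path is taken from the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 11, "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
                         r"\Start Menu\Programs\Startup\Info.hta"},
    {"id": 13, "target": r"HKU\S-1-5-21-111111111-222222222-333333333-1001"
                         r"\Software\Microsoft\Windows\CurrentVersion\Run\winhost",
     "details": r"C:\Users\Admin\AppData\Roaming\winhost.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                         r"\Image File Execution Options\example.exe\Debugger",
     "details": r"C:\Users\Admin\AppData\Roaming\winhost.exe"},
    # Benign noise that the rules must not flag.
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Admin\notes.txt"},
    {"id": 11, "target": r"C:\Users\Admin\Documents\quarterly.xlsx"},
]

# Well-known shadow copy deletion commands (assumed; the report only states
# that shadow copies were deleted, not how).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.I)
STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
IFEO_DEBUGGER = re.compile(
    r"\\Image File Execution Options\\[^\\]+\\Debugger$", re.I)
# A Run entry pointing into a user profile is far more suspicious than one
# pointing at Program Files.
USER_PROFILE_BIN = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)

# Phrases taken from the ransom note extracted above.
NOTE_PHRASES = (
    "your files are encrypted",
    "write to the mail",
    "do not rename encrypted files",
    "do not try to decrypt your data using third party software",
)


def check_event(ev):
    """Return the names of the rules a single event matches."""
    hits = []
    if ev["id"] == 1 and SHADOW_DELETE.search(ev.get("cmdline", "")):
        hits.append("deletes_shadow_copies")
    if ev["id"] == 11 and STARTUP_DIR.search(ev["target"]):
        hits.append("drops_startup_file")
    if ev["id"] == 13:
        if RUN_KEY.search(ev["target"]) and USER_PROFILE_BIN.match(ev.get("details", "")):
            hits.append("run_key_to_user_profile_binary")
        if IFEO_DEBUGGER.search(ev["target"]):
            hits.append("sets_image_file_execution_options")
    return hits


def triage(events):
    """Map each matched rule to the evidence that triggered it. Several
    distinct rules firing on one host is a strong ransomware signal."""
    findings = {}
    for ev in events:
        for name in check_event(ev):
            findings.setdefault(name, []).append(ev.get("target") or ev.get("cmdline"))
    return findings


def looks_like_ransom_note(text, min_hits=2):
    """True when the text contains at least min_hits of the note phrases;
    requiring two avoids flagging ordinary mail that mentions encryption."""
    low = text.lower()
    return sum(p in low for p in NOTE_PHRASES) >= min_hits


if __name__ == "__main__":
    for rule, evidence in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule}: {evidence}")
```

The rules are deliberately narrow (a Run value is only flagged when it points into a user profile, an IFEO write only when it sets a Debugger value) so they stay usable as hunting queries rather than generic noise; loosen them only after checking false-positive rates on your own telemetry.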
