Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    05-03-2022 15:36

General

  • Target

    40a837f93edb2531fe35733d725efb490c7b5199d031a6e087b5041aed6eea05.exe

  • Size

    92KB

  • MD5

    2db20e2fcd86d00388915088b18f99f2

  • SHA1

    3a321bf3980d08fe5754548f5aba7f1bdc967f10

  • SHA256

    40a837f93edb2531fe35733d725efb490c7b5199d031a6e087b5041aed6eea05

  • SHA512

    b9c179e2b5b82fa59018194e8ee8bb927dfd545c72772de6c98621a071650efa345e9bee0282caac95ccccce1371e440295f61a981d447d5ef699fd81e3d1450

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40a837f93edb2531fe35733d725efb490c7b5199d031a6e087b5041aed6eea05.exe
    "C:\Users\Admin\AppData\Local\Temp\40a837f93edb2531fe35733d725efb490c7b5199d031a6e087b5041aed6eea05.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:3328
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3980
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2096
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:264
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:288
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:1768
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:460
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3752

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

            MD5

            7d149a45a7f82a70865e375d675a5b97

            SHA1

            6e9672d1a748a504b3e01a0c23b0a09fe9464cdf

            SHA256

            cb1fd7d214abcef727803dafc3d65c4dc070b60a04973cf742d4c2c15ae0937e

            SHA512

            3e834df2092b3285e20580f2e580302c2028e525cddd33a35941f2297c9ec0cde5f341f12d7abc5d8bb237ad5c6f85b6a02f3d746c63e7a4f94916f2c6fb4bcb

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

            MD5

            7d149a45a7f82a70865e375d675a5b97

            SHA1

            6e9672d1a748a504b3e01a0c23b0a09fe9464cdf

            SHA256

            cb1fd7d214abcef727803dafc3d65c4dc070b60a04973cf742d4c2c15ae0937e

            SHA512

            3e834df2092b3285e20580f2e580302c2028e525cddd33a35941f2297c9ec0cde5f341f12d7abc5d8bb237ad5c6f85b6a02f3d746c63e7a4f94916f2c6fb4bcb