Overview

overview

10

Static

static

aa44b122b3...cd.exe

windows7_x64

10

aa44b122b3...cd.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    26-03-2022 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa44b122b3441dc53ab421247af4a06a8e19d14fd3eaab95c6cc8ea09c774acd.exe

  • Size

    334KB

  • MD5

    28f63afc9a270ba91c9833efb50f930e

  • SHA1

    9121f360f3be4e3af117dbae99bf6bc2817a2c29

  • SHA256

    aa44b122b3441dc53ab421247af4a06a8e19d14fd3eaab95c6cc8ea09c774acd

  • SHA512

    4f70ed8d7f06cc48aa99162ef312bdc1569f680f490c9a7a964561ebf43c627f363842d76be95965215ef5aa9c2e9b459625c72be78dc4ee43e273db7507a9c5

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours,Tox - 1123AA3360A5AFB77D928C4CD99E9EF66EF28FCEEE1F840B93456FD9CE562B7F92204B0D8904 please download - https://tox.chat/download.html or http://pexdatax.com/ write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

https://tox.chat/download.html

http://pexdatax.com/

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa44b122b3441dc53ab421247af4a06a8e19d14fd3eaab95c6cc8ea09c774acd.exe
    "C:\Users\Admin\AppData\Local\Temp\aa44b122b3441dc53ab421247af4a06a8e19d14fd3eaab95c6cc8ea09c774acd.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:4044
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4932
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:2452
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:5024
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:3892
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:3140
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4516
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Enumerates system info in registry
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:836
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
            1⤵
              PID:1512

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
              MD5

              0891b526a1bfdab40e62dab884fb5999

              SHA1

              89a3cc39cd3fb56b08e8470b6ffb6df965aad0c3

              SHA256

              895b8944d77989842f2753234ce86dcb593dbe921988624f91c70fb0b667514d

              SHA512

              0bc379f58b4db420c02d0a30bd6f407aa2e560f5d5c0f89f307769ed0cf74520bf6d759435fa8300891fbce66f6b087911f3358bcd80eb9e02ed06b73a88c870

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
              MD5

              0891b526a1bfdab40e62dab884fb5999

              SHA1

              89a3cc39cd3fb56b08e8470b6ffb6df965aad0c3

              SHA256

              895b8944d77989842f2753234ce86dcb593dbe921988624f91c70fb0b667514d

              SHA512

              0bc379f58b4db420c02d0a30bd6f407aa2e560f5d5c0f89f307769ed0cf74520bf6d759435fa8300891fbce66f6b087911f3358bcd80eb9e02ed06b73a88c870

              Download Submit
            • memory/2452-137-0x0000000000000000-mapping.dmp
              Download
            • memory/3008-136-0x0000000000000000-mapping.dmp
              Download
            • memory/3140-140-0x0000000000000000-mapping.dmp
              Download
            • memory/3616-130-0x0000000000000000-mapping.dmp
              Download
            • memory/3892-139-0x0000000000000000-mapping.dmp
              Download
            • memory/4044-134-0x0000000000000000-mapping.dmp
              Download
            • memory/4720-133-0x0000000000400000-0x00000000046D4000-memory.dmp
              Filesize

              66.8MB

              Download
            • memory/4720-132-0x00000000048A0000-0x00000000048B9000-memory.dmp
              Filesize

              100KB

              Download
            • memory/4720-131-0x0000000004880000-0x0000000004892000-memory.dmp
              Filesize

              72KB

              Download
            • memory/4932-135-0x0000000000000000-mapping.dmp
              Download
            • memory/5024-138-0x0000000000000000-mapping.dmp
              Download