Overview

overview

10

Static

static

edc04c29fc...c0.exe

windows7_x64

10

edc04c29fc...c0.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    27-03-2022 21:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    edc04c29fc92b8a1ef8e47ed9935d54d4d8b93c3d7ab3893e8da749bcc418ac0.exe

  • Size

    332KB

  • MD5

    cdeb26fdda31ec0b91549dd7066be08a

  • SHA1

    b6015d8c1ecfaa862b6208e5b516e8369a167b49

  • SHA256

    edc04c29fc92b8a1ef8e47ed9935d54d4d8b93c3d7ab3893e8da749bcc418ac0

  • SHA512

    4f36908b1e90662312c7397cb86aac9c5a2270090573ae2e14069f31cd09f0a6b4de65fde472eca25e509997975753e6c9e9ce6f169d70a95d0b033d530f78cb

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours,Tox - 1123AA3360A5AFB77D928C4CD99E9EF66EF28FCEEE1F840B93456FD9CE562B7F92204B0D8904 please download - https://tox.chat/download.html or http://pexdatax.com/ write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

https://tox.chat/download.html

http://pexdatax.com/

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\edc04c29fc92b8a1ef8e47ed9935d54d4d8b93c3d7ab3893e8da749bcc418ac0.exe
    "C:\Users\Admin\AppData\Local\Temp\edc04c29fc92b8a1ef8e47ed9935d54d4d8b93c3d7ab3893e8da749bcc418ac0.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4184
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:4688
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4176
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1372
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:3968
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:2208
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:2484
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:4892
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4608

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            54b2baf62811bcf2ce6afe78b2530fc5

            SHA1

            309a051e19ba3121ddeaa63e4e52d075ecdb0a53

            SHA256

            63684fcb8691c898a05feb3286a8a8471ea0e584af839a85eb02a12618790d9a

            SHA512

            cba95a46db10d6b978e778c589ca3dc47e9dc9ed9d0fd195d02902ef00a511f5f8d6a3935717d611ea7c0bd1ebda5ab2d71289d9e5e34a1caf62f9e650d12470

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            54b2baf62811bcf2ce6afe78b2530fc5

            SHA1

            309a051e19ba3121ddeaa63e4e52d075ecdb0a53

            SHA256

            63684fcb8691c898a05feb3286a8a8471ea0e584af839a85eb02a12618790d9a

            SHA512

            cba95a46db10d6b978e778c589ca3dc47e9dc9ed9d0fd195d02902ef00a511f5f8d6a3935717d611ea7c0bd1ebda5ab2d71289d9e5e34a1caf62f9e650d12470

            Download Submit
          • memory/1372-139-0x0000000000000000-mapping.dmp
            Download
          • memory/2208-141-0x0000000000000000-mapping.dmp
            Download
          • memory/2484-142-0x0000000000000000-mapping.dmp
            Download
          • memory/2920-136-0x0000000000400000-0x00000000004E6000-memory.dmp
            Filesize

            920KB

            Download
          • memory/2920-135-0x0000000002240000-0x0000000002259000-memory.dmp
            Filesize

            100KB

            Download
          • memory/2920-134-0x0000000002220000-0x0000000002232000-memory.dmp
            Filesize

            72KB

            Download
          • memory/3968-140-0x0000000000000000-mapping.dmp
            Download
          • memory/4176-138-0x0000000000000000-mapping.dmp
            Download
          • memory/4184-133-0x0000000000000000-mapping.dmp
            Download
          • memory/4688-137-0x0000000000000000-mapping.dmp
            Download
          • memory/4892-143-0x0000000000000000-mapping.dmp
            Download