Analysis

  • max time kernel
    154s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    29-03-2022 23:07

General

  • Target

    342413f508cfe1eab5b82ce8e742e4e4280cc7e593dac7dcbdc7766826b60c84.exe

  • Size

    386KB

  • MD5

    947d681eadad9abc4b041921d836555f

  • SHA1

    28aff89ed074abdd910891079e80b8046e937d80

  • SHA256

    342413f508cfe1eab5b82ce8e742e4e4280cc7e593dac7dcbdc7766826b60c84

  • SHA512

    aff2b88b5cc1f1629c77073d4731fa0abd455b091a01bd55cb10e82bae5e8c7cb4de7a5d58d0b74140b08cf7e4e07a37a462d1a91148fe7b2200b34431146706

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
If you want to restore them, follow this link: email [email protected] YOUR ID
If you have not been answered via the link within 12 hours,
Tox - 1123AA3360A5AFB77D928C4CD99E9EF66EF28FCEEE1F840B93456FD9CE562B7F92204B0D8904 please download - https://tox.chat/download.html or http://pexdatax.com/
write to us by e-mail: [email protected]
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

URLs

https://tox.chat/download.html

http://pexdatax.com/

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\342413f508cfe1eab5b82ce8e742e4e4280cc7e593dac7dcbdc7766826b60c84.exe
    "C:\Users\Admin\AppData\Local\Temp\342413f508cfe1eab5b82ce8e742e4e4280cc7e593dac7dcbdc7766826b60c84.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:1672
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:2596
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:4252
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1552
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:4620
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:1104
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3096

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

    Filesize

    7KB

    MD5

    b784dd564595f07f82b1b5fbf045a6f9

    SHA1

    acb5d040e16f20e9e1063f79e1a78de48d4db3b8

    SHA256

    5a5874fd438e44d80f16215f219fc9c0208a5c7fec6f0d55c2744a8452f41cf6

    SHA512

    95e7878109f0b5171fc08449ed412f07e0c6ee8070183829370db18d40751578a6d119dfbcf5009258817085af5459fccda4e1ddb86714000ab3fcd6f1018031

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

    Filesize

    7KB

    MD5

    b784dd564595f07f82b1b5fbf045a6f9

    SHA1

    acb5d040e16f20e9e1063f79e1a78de48d4db3b8

    SHA256

    5a5874fd438e44d80f16215f219fc9c0208a5c7fec6f0d55c2744a8452f41cf6

    SHA512

    95e7878109f0b5171fc08449ed412f07e0c6ee8070183829370db18d40751578a6d119dfbcf5009258817085af5459fccda4e1ddb86714000ab3fcd6f1018031

  • memory/1104-139-0x0000000000000000-mapping.dmp

  • memory/1176-131-0x0000000000000000-mapping.dmp

  • memory/1552-137-0x0000000000000000-mapping.dmp

  • memory/1672-133-0x0000000000000000-mapping.dmp

  • memory/2596-134-0x0000000000000000-mapping.dmp

  • memory/3828-130-0x0000000000400000-0x0000000000465000-memory.dmp

    Filesize

    404KB

  • memory/3828-132-0x00000000021C0000-0x00000000021E4000-memory.dmp

    Filesize

    144KB

  • memory/4252-136-0x0000000000000000-mapping.dmp

  • memory/4620-138-0x0000000000000000-mapping.dmp

  • memory/4716-135-0x0000000000000000-mapping.dmp