Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    30-03-2022 08:09

General

  • Target

    3a755e64fd15e52cb301ab70e1113f88ddc612535201950ee67c442b564d277f.exe

  • Size

    327KB

  • MD5

    1a9a072e890efefde3695ea530f2c5b8

  • SHA1

    8a766adb71058b94976fa1117f653e5f89d82ac9

  • SHA256

    3a755e64fd15e52cb301ab70e1113f88ddc612535201950ee67c442b564d277f

  • SHA512

    72960a69dc8f3f723f06221d59fe571c3817ac4a2abba56697160216e67e24fe88d0ad6a5349f3767c51e0661ae52357b685c274057fedf5a4fafc104412013a

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note

YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours,Tox - 1123AA3360A5AFB77D928C4CD99E9EF66EF28FCEEE1F840B93456FD9CE562B7F92204B0D8904 please download - https://tox.chat/download.html or http://pexdatax.com/ write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

URLs

https://tox.chat/download.html

http://pexdatax.com/

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a755e64fd15e52cb301ab70e1113f88ddc612535201950ee67c442b564d277f.exe
    "C:\Users\Admin\AppData\Local\Temp\3a755e64fd15e52cb301ab70e1113f88ddc612535201950ee67c442b564d277f.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:3760
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1656
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
        PID:3456
      • C:\Windows\system32\vssadmin.exe
        vssadmin delete shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3476
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:3788
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      2⤵
      PID:5088
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1716

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

    Filesize

    7KB

    MD5

    eae631c79fdf8a8f9909a05bf667cb14

    SHA1

    8b1e015d131987605d6bcfd72191ca9f4799d0e2

    SHA256

    ac999e102b7eba076448943672a0d0c5b67c14a57dbe7136b97301f2dc416661

    SHA512

    4059ff0fee3d566260b30bd5ca7292e25f029096a52e16139d373000ae7b03fa29ddce102589bb525fc4c1cc1aabfc277caab31431c9f9e6d2269dc9b92deb83

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

    Filesize

    7KB

    MD5

    eae631c79fdf8a8f9909a05bf667cb14

    SHA1

    8b1e015d131987605d6bcfd72191ca9f4799d0e2

    SHA256

    ac999e102b7eba076448943672a0d0c5b67c14a57dbe7136b97301f2dc416661

    SHA512

    4059ff0fee3d566260b30bd5ca7292e25f029096a52e16139d373000ae7b03fa29ddce102589bb525fc4c1cc1aabfc277caab31431c9f9e6d2269dc9b92deb83

  • memory/520-130-0x0000000000000000-mapping.dmp

  • memory/1656-135-0x0000000000000000-mapping.dmp

  • memory/2924-131-0x0000000004860000-0x0000000004873000-memory.dmp

    Filesize

    76KB

  • memory/2924-132-0x0000000004880000-0x0000000004899000-memory.dmp

    Filesize

    100KB

  • memory/2924-134-0x0000000000400000-0x00000000046D0000-memory.dmp

    Filesize

    66.8MB

  • memory/3376-136-0x0000000000000000-mapping.dmp

  • memory/3456-137-0x0000000000000000-mapping.dmp

  • memory/3476-138-0x0000000000000000-mapping.dmp

  • memory/3760-133-0x0000000000000000-mapping.dmp

  • memory/3788-139-0x0000000000000000-mapping.dmp

  • memory/5088-140-0x0000000000000000-mapping.dmp