Overview

overview

10

Static

static

ddf8718ab5...79.exe

windows7_x64

10

ddf8718ab5...79.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    30-03-2022 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ddf8718ab5e3bdff7c88239fc3a69bfc1db49867301de0dd8ea02714a97ca479.exe

  • Size

    335KB

  • MD5

    00a35c46fb497c63ddad0b39f1a1c809

  • SHA1

    43b529ed3dbf4f63413a28b129946f69821ca3bd

  • SHA256

    ddf8718ab5e3bdff7c88239fc3a69bfc1db49867301de0dd8ea02714a97ca479

  • SHA512

    07481326adee08d4c237c9ba133a106a7422ce4d6ff044e710634ce2b227e387428b96d4d1c859aa354fa1664c951e9cae9361f5e032d6d2af3537cf65a66f6b

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours,Tox - 1123AA3360A5AFB77D928C4CD99E9EF66EF28FCEEE1F840B93456FD9CE562B7F92204B0D8904 please download - https://tox.chat/download.html or http://pexdatax.com/ write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
URLs

https://tox.chat/download.html

http://pexdatax.com/

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ddf8718ab5e3bdff7c88239fc3a69bfc1db49867301de0dd8ea02714a97ca479.exe
    "C:\Users\Admin\AppData\Local\Temp\ddf8718ab5e3bdff7c88239fc3a69bfc1db49867301de0dd8ea02714a97ca479.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:4516
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:5016
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4300
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:3328
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:1168
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:4848
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:4132
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3944

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            976d379b3afbbb1ac8f19e9bd3091e8d

            SHA1

            d52822cef94a6fb1a46d47d895f0b05d6a3b0a20

            SHA256

            69a9f2129e1a52c0c365a54e67cbdd84eec66ecf4030f8c56ce7733f73517ba0

            SHA512

            79439524b1affbf6774de7949bde26ec40e084a2024bfd99c1f6ca9078e25cfb93f68c9da4c890c3948f4807d9e62037820ff713093bff7adb2488674fe28cc2

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            976d379b3afbbb1ac8f19e9bd3091e8d

            SHA1

            d52822cef94a6fb1a46d47d895f0b05d6a3b0a20

            SHA256

            69a9f2129e1a52c0c365a54e67cbdd84eec66ecf4030f8c56ce7733f73517ba0

            SHA512

            79439524b1affbf6774de7949bde26ec40e084a2024bfd99c1f6ca9078e25cfb93f68c9da4c890c3948f4807d9e62037820ff713093bff7adb2488674fe28cc2

            Download Submit
          • memory/1168-142-0x0000000000000000-mapping.dmp
            Download
          • memory/1660-136-0x0000000000000000-mapping.dmp
            Download
          • memory/3328-141-0x0000000000000000-mapping.dmp
            Download
          • memory/3868-135-0x0000000006440000-0x0000000006459000-memory.dmp
            Filesize

            100KB

            Download
          • memory/3868-134-0x0000000006420000-0x0000000006432000-memory.dmp
            Filesize

            72KB

            Download
          • memory/3868-138-0x0000000000400000-0x00000000046D5000-memory.dmp
            Filesize

            66.8MB

            Download
          • memory/4132-144-0x0000000000000000-mapping.dmp
            Download
          • memory/4300-140-0x0000000000000000-mapping.dmp
            Download
          • memory/4516-137-0x0000000000000000-mapping.dmp
            Download
          • memory/4848-143-0x0000000000000000-mapping.dmp
            Download
          • memory/5016-139-0x0000000000000000-mapping.dmp
            Download