Analysis

  • max time kernel
    150s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-06-2022 06:12

General

  • Target

    46d4b4601a37c1ba3f7fa4d8bde1494d75bb28cbd2dc90b539a39e31aebac3dc.exe

  • Size

    428KB

  • MD5

    4389b3e3877ddf0e178534ca8d7226ad

  • SHA1

    d07e43eb9d2c33de333050a4b8cbbd6756f5c931

  • SHA256

    46d4b4601a37c1ba3f7fa4d8bde1494d75bb28cbd2dc90b539a39e31aebac3dc

  • SHA512

    ab27b6973fce21744a7e05cddbc0aa831baf715725b51469563280dadf08597eb085e8256b1f18159c5fb8445ce504434cbbc8610a328ef6dfd074a3768eeaab

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Write this ID in the title of your message E3E187FD In case of no answer in 24 hours write us to theese e-mails: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware family that uses security software installation to hide its malicious activity.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46d4b4601a37c1ba3f7fa4d8bde1494d75bb28cbd2dc90b539a39e31aebac3dc.exe
    "C:\Users\Admin\AppData\Local\Temp\46d4b4601a37c1ba3f7fa4d8bde1494d75bb28cbd2dc90b539a39e31aebac3dc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Users\Admin\AppData\Local\Temp\46d4b4601a37c1ba3f7fa4d8bde1494d75bb28cbd2dc90b539a39e31aebac3dc.exe
      C:\Users\Admin\AppData\Local\Temp\46d4b4601a37c1ba3f7fa4d8bde1494d75bb28cbd2dc90b539a39e31aebac3dc.exe
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1984
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          4⤵
            PID:1768
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:640
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:952
          • C:\Windows\system32\mode.com
            mode con cp select=1251
            4⤵
              PID:1980
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:2036
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            3⤵
            • Modifies Internet Explorer settings
            PID:1504
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            3⤵
            • Modifies Internet Explorer settings
            PID:1408
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:272

Downloads

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

        Filesize

        13KB

        MD5

        bc7ce3f306739b69eaf36851d8a8debd

        SHA1

        01806c7cc5d8ffabdbc6a36ee5ea06355ded0f58

        SHA256

        301b77f6c2dc69c9f1b29cb511b9c73fc28c9925ee304880dad98e240a1e13a6

        SHA512

        fce3ded93f53cb008eed81752449c9f352b5ded36b2e570a30c91e0d3a8092a9f450dc1f4af5538e8c6d73b284a9bd572398d2908e19ad97270f7c8adec2164e

      • C:\Users\Admin\AppData\Local\Temp\F854.tmp

        Filesize

        256KB

        MD5

        cc99ee769ee1674e0ec84291aa595f61

        SHA1

        983a89139dbb002cbcbb4186dfa214dab11ca4b9

        SHA256

        9fceb7920cf67c69a24ec6d17cfffaeb434660963dd5b84798e17e8c6b32c58c

        SHA512

        f415245133e9e42f523d0a17dc1425515905337b90f9eddc2edb2f17613129a7bb2fc31d99cee8c9349f41be7f402cd5ffba91382e1e99344fd0ef3740896ca5

      • C:\Users\Admin\AppData\Local\Temp\SortedData.txt

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

        Filesize

        13KB

        MD5

        bc7ce3f306739b69eaf36851d8a8debd

        SHA1

        01806c7cc5d8ffabdbc6a36ee5ea06355ded0f58

        SHA256

        301b77f6c2dc69c9f1b29cb511b9c73fc28c9925ee304880dad98e240a1e13a6

        SHA512

        fce3ded93f53cb008eed81752449c9f352b5ded36b2e570a30c91e0d3a8092a9f450dc1f4af5538e8c6d73b284a9bd572398d2908e19ad97270f7c8adec2164e

      • memory/640-65-0x0000000000000000-mapping.dmp

      • memory/952-68-0x0000000000000000-mapping.dmp

      • memory/1408-72-0x0000000000000000-mapping.dmp

      • memory/1504-71-0x0000000000000000-mapping.dmp

      • memory/1504-73-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

        Filesize

        8KB

      • memory/1504-54-0x00000000002A0000-0x00000000002D3000-memory.dmp

        Filesize

        204KB

      • memory/1768-64-0x0000000000000000-mapping.dmp

      • memory/1908-62-0x0000000075271000-0x0000000075273000-memory.dmp

        Filesize

        8KB

      • memory/1908-61-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

      • memory/1908-60-0x000000000040A9D0-mapping.dmp

      • memory/1908-55-0x0000000000400000-0x0000000000419000-memory.dmp

        Filesize

        100KB

      • memory/1980-69-0x0000000000000000-mapping.dmp

      • memory/1984-63-0x0000000000000000-mapping.dmp

      • memory/2036-70-0x0000000000000000-mapping.dmp