Analysis

  • max time kernel
    151s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-07-2022 15:02

General

  • Target

    9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13.exe

  • Size

    1.7MB

  • MD5

    6fccb7f6581e2519f14e858b597d8b5b

  • SHA1

    5cec2dbbf7af2c1a547bcce36deb06e8a2bc491b

  • SHA256

    9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13

  • SHA512

    2c936900e8ec067dac4a5b28ed77de2bab4a90f373e776026eee8b213cb15817fd5ff83134bd2d8c9bc5edff57b7a80d1265ed566a49b0fc4946bd8e8f6fad9b

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_ABAD1BB4 Use Tor Browser to access this address. If you have not been answered via the link within 12 hours, write to us by e-mail: admin@spacedatas.com Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

admin@spacedatas.com

URLs

http://zombietry4o3nzeh.onion/?ticket=6aWH6i3Gxp3cXPpqzl_ABAD1BB4

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13.exe
    "C:\Users\Admin\AppData\Local\Temp\9f2349c23dadb14899049f44ef4750f1b3bb2d796e84012811a3ded1ec330f13.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:1508
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:4280
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:1784
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:4840
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:1056
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:1104
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3144

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Defense Evasion

          File Deletion

          2
          T1107

          Modify Registry

          1
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Collection

          Data from Local System

          1
          T1005

          Impact

          Inhibit System Recovery

          2
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            c4446a88431704d6ebc5f343515e2e4f

            SHA1

            3c86ebf26cb5da933e47d2d42d94eab80c79b824

            SHA256

            a0b626234ad67e13a336344700bb0ef84978137c2c80000af0cc03d94e8aaad8

            SHA512

            6c8812f4a141491ce818a135a7e1f0a36d80b44cd7cf4772184a3b72ab99ae8354f7cdd91a21cde1f6b43ccd01f289c0de31441bd9899b9337e97b88323b76c1

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            c4446a88431704d6ebc5f343515e2e4f

            SHA1

            3c86ebf26cb5da933e47d2d42d94eab80c79b824

            SHA256

            a0b626234ad67e13a336344700bb0ef84978137c2c80000af0cc03d94e8aaad8

            SHA512

            6c8812f4a141491ce818a135a7e1f0a36d80b44cd7cf4772184a3b72ab99ae8354f7cdd91a21cde1f6b43ccd01f289c0de31441bd9899b9337e97b88323b76c1

          • memory/1052-133-0x0000000000000000-mapping.dmp
          • memory/1056-140-0x0000000000000000-mapping.dmp
          • memory/1104-141-0x0000000000000000-mapping.dmp
          • memory/1508-134-0x0000000000000000-mapping.dmp
          • memory/1784-138-0x0000000000000000-mapping.dmp
          • memory/3480-136-0x0000000002D80000-0x0000000002DB2000-memory.dmp
            Filesize

            200KB

          • memory/3480-130-0x0000000000400000-0x00000000005BE000-memory.dmp
            Filesize

            1.7MB

          • memory/3480-132-0x0000000000400000-0x00000000005BE000-memory.dmp
            Filesize

            1.7MB

          • memory/3480-131-0x0000000002D80000-0x0000000002DB2000-memory.dmp
            Filesize

            200KB

          • memory/4068-137-0x0000000000000000-mapping.dmp
          • memory/4280-135-0x0000000000000000-mapping.dmp
          • memory/4840-139-0x0000000000000000-mapping.dmp