Overview

overview

10

Static

static

92c65e95b5...7e.exe

windows7-x64

10

92c65e95b5...7e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    204s
  • max time network
    66s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    13-10-2022 04:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    92c65e95b508ffacd2d7a36957599eb2d930a0d1a8b76a5c4551ee6e9d4da67e.exe

  • Size

    92KB

  • MD5

    8ce606be5e21897d0c2c27c9cc403d37

  • SHA1

    35282d2247a0ab9840aa4e709faf4c1766c329cd

  • SHA256

    92c65e95b508ffacd2d7a36957599eb2d930a0d1a8b76a5c4551ee6e9d4da67e

  • SHA512

    1fec16d69e41833cefe39ee4976f4da1946d18d24ff5e2a0bc86d1b897ac78f38668fe7702997ef84f8f30c5a8d2fad847b1f66e86ee9fda7e13ed53d1cec51b

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4AquHHE1ef4BtydBESCU6ZRUBrIXCRm+vA:Qw+asqN5aW/hLRHka0ydBESkH9XUmiA

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 12 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\92c65e95b508ffacd2d7a36957599eb2d930a0d1a8b76a5c4551ee6e9d4da67e.exe
    "C:\Users\Admin\AppData\Local\Temp\92c65e95b508ffacd2d7a36957599eb2d930a0d1a8b76a5c4551ee6e9d4da67e.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:1780
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1708
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:568

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    File Deletion

    2
    T1107

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/384-54-0x0000000074C91000-0x0000000074C93000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1708-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1780-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1972-55-0x0000000000000000-mapping.dmp
      Download