Resubmissions
- 23-10-2023 21:58  task 231023-1vlrxsgc2w  score 10
- 28-12-2022 20:03  task 221228-ys52nsbd89  score 10
- 28-12-2022 19:41  task 221228-yej72sbd64  score 10
- 28-12-2022 19:27  task 221228-x569tsbd43  score 10
Analysis
- max time kernel: 256s
- max time network: 257s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-12-2022 19:41
Static task
static1
Behavioral task
behavioral1
Sample
dharma.exe
Resource
win10v2004-20220901-en
General
- Target: dharma.exe
- Size: 677KB
- MD5: 2d4ec86793fec1e10ac8fb617b2dcdbd
- SHA1: 078df2b23e7e24f2397532f9ec2694191fd9cc20
- SHA256: a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b
- SHA512: 1e15b4c910532ed36cf3adf605f744784224ceaa815e71588fb521f0e7b76975dc37889e6c8ac2e1c888060eda2380850c8877a801c74e222db043715719c5de
- SSDEEP: 12288:5IODa1GPYOBsDMOUaIQpGyEV3T5W241YcWEhpEdVe1/4vS1ZoYGIRUafy5LT+0w:5IO+aYxHjpYT5s1YcWEhpEdVe1/4vS1T
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
admin@stex777.com
admin@stex777.xyz
Signatures
-
Dharma
Dharma (also tracked as CrySIS) is a ransomware family. In this run it encrypts user and program files, renames each one with a victim ID, contact e-mail address and new extension (here .id-A4F56274.[admin@stex777.com].money), drops an Info.hta ransom note that it displays with mshta.exe, deletes volume shadow copies, and persists through the Startup folder and Run keys.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely a geofence check before encryption starts.
Processes: dharma.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (dharma.exe)
Drops startup file 6 IoCs
Processes: dharma.exe, taskmgr.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dharma.exe (dharma.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (dharma.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A4F56274.[admin@stex777.com].money (dharma.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A4F56274.[admin@stex777.com].money (dharma.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (dharma.exe)
- File opened for modification: \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta (taskmgr.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: dharma.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dharma.exe = "C:\Windows\System32\dharma.exe" (dharma.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe "C:\Windows\System32\Info.hta"" (dharma.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"" (dharma.exe)
Note that two of the three value names are themselves full file paths, and two of the three commands launch the ransom note through mshta.exe rather than an executable.
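The three Run-key writes above are the whole of this sample's registry persistence, and they show two things a hunting rule can key on without knowing the family: a script host (mshta.exe) registered as an autorun, and a value name that is a file path. The following is an added example and not code from the report or from the sandbox vendor. It parses IoC lines in exactly the form the report prints them (the three lines above are embedded as constructed input) and scores each autorun entry with signature-free heuristics; the regex, the flag names and the SCRIPT_HOSTS / USER_WRITABLE lists are my own assumptions, not anything the report defines.

```python
"""Parse sandbox 'Set value (str)' Run-key IoC lines and score them for autorun abuse."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the three Run-key IoC lines from this report, copied verbatim.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dharma.exe = "C:\\Windows\\System32\\dharma.exe" dharma.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" dharma.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" dharma.exe',
]

# The value name can contain backslashes (Dharma uses the note's full path as the name),
# so the key is anchored on its Run/RunOnce suffix instead of on the last backslash.
RUN_IOC_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?\\CurrentVersion\\(?:RunOnce|Run))\\'
    r'(?P<name>.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)

# Heuristic lists (assumptions for this example, extend to taste).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
SCRIPT_EXTS = (".hta", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".wsf")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\startup\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Autorun:
    key: str
    name: str
    command: str
    writer: str                      # process that wrote the value
    flags: List[str] = field(default_factory=list)


def _unescape(s: str) -> str:
    # The report renders value data as a C-style string: \" for quotes, \\ for backslashes.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_run_ioc(line: str) -> Optional[Autorun]:
    """Return an Autorun for a 'Set value (str)' line under a Run/RunOnce key, else None."""
    m = RUN_IOC_RE.match(line)
    if not m:
        return None
    return Autorun(m["key"], m["name"], _unescape(m["data"]), m["proc"])


def _image_of(command: str) -> str:
    # First token of a Windows command line, honouring a quoted image path.
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify_autorun(entry: Autorun) -> Autorun:
    """Attach heuristic flags; an empty list means nothing generic looked wrong."""
    image = _image_of(entry.command).rsplit("\\", 1)[-1].lower()
    low = entry.command.lower()
    if image in SCRIPT_HOSTS:
        entry.flags.append("script_host_launcher")
    if low.rstrip('"').endswith(SCRIPT_EXTS):
        entry.flags.append("script_payload")
    if any(p in low for p in USER_WRITABLE):
        entry.flags.append("user_writable_target")
    if "\\" in entry.name:
        entry.flags.append("value_name_is_path")
    return entry


def triage(lines) -> List[Autorun]:
    """Parse and classify every Run-key IoC line, skipping lines that are not Run-key writes."""
    return [classify_autorun(e) for e in map(parse_run_ioc, lines) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_IOCS):
        print(f"{e.name!r}\n    -> {e.command!r}\n    flags={e.flags}")
```

Running it flags both mshta.exe entries (script host, .hta payload, path used as value name; the AppData one also lands in a user-writable location) but returns no flags for the first entry, a bare executable in System32. That is the caveat: a plain Run value pointing at System32 only becomes suspicious when correlated with the "Drops file in System32 directory" event, i.e. a fresh executable written into System32 by something that is not an installer or servicing process.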
Drops desktop.ini file(s) 64 IoCs
Processes: dharma.exe (every entry is "File opened for modification" by dharma.exe)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\$Recycle.Bin\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Public\AccountPictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\3D Objects\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
- C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Program Files\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
Drops file in System32 directory 2 IoCs
Processes: dharma.exe
- File created: C:\Windows\System32\dharma.exe (dharma.exe)
- File created: C:\Windows\System32\Info.hta (dharma.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes: dharma.exe
- PID 3564 set thread context of PID 1804 (dharma.exe -> dharma.exe)
The first dharma.exe instance starts a second copy of its own image and, together with the four WriteProcessMemory calls from 3564 into 1804 recorded below, rewrites the child's memory and thread context before it runs. This is consistent with process hollowing / self-injection: the code that actually encrypts runs in PID 1804, not in the process that was launched.
Drops file in Program Files directory 64 IoCs
Processes: dharma.exe (all entries)
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\CANYON.INF.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as80.xsl.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\ui-strings.js
- File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ta.pak
- File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.resources.dll
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vcruntime140_1.dll
- File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html
- File created: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-100.png
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\iw_get.svg.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\Templates\1033\OriginResume.Dotx.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PREVIEW.GIF
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140fra.dll
- File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\am.pak.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as80.xsl.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-black_scale-125.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-fr\ui-strings.js
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js
- File opened for modification: C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml
- File opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-150.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\MedTile.scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-32_altform-lightunplated.png
- File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ppd.xrm-ms
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon.png.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBarTasks.dll
- File opened for modification: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.scale-200.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_altform-unplated_contrast-white.png
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js.id-A4F56274.[admin@stex777.com].money
- File created: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql2000.xsl
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png
- File created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsiProvider.dll.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\XboxResourceDictionary.xaml
- File opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-125_contrast-white.png
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\Images\Home-Placeholder.png
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\ui-strings.js.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_lt.json
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlConeHover.png
- File created: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\jsoundds.dll
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-150_contrast-white.png
- File created: C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsuProvider.dll
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.id-A4F56274.[admin@stex777.com].money
- File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.id-A4F56274.[admin@stex777.com].money
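Every encrypted path in the lists above follows one naming scheme: the original file name, then .id-<victim ID>, then the contact address in square brackets, then the new extension. The file events come in pairs (the plaintext is opened for modification, the encrypted copy is created next to it), which is what lets an incident responder reconstruct the list of affected originals and confirm the victim ID and contact address from the file system alone. The following is an added example and not code from the report or from the sandbox vendor. It parses that scheme, pairs created/opened events, and tallies IDs, addresses and extensions; the sample events are copied from this page and embedded as constructed input. One assumption is labelled in the code: the regex accepts an ID of 8 to 16 hex digits to cover variants with longer IDs, although this run uses exactly 8.

```python
"""Recover original names from Dharma-style encrypted file names and pair the file events."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Scheme seen in this report: <original>.id-<hex victim id>.[<contact e-mail>].<extension>
# Assumption: 8-16 hex digits for the ID (this sample uses 8).
DHARMA_NAME_RE = re.compile(
    r'^(?P<orig>.+?)\.id-(?P<vid>[0-9A-Fa-f]{8,16})\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[^.\\/]+)$'
)


def parse_dharma_name(path: str) -> Optional[Dict[str, str]]:
    """Split an encrypted path into original path, victim ID, contact e-mail and appended extension.
    Returns None for paths that do not carry the marker (untouched files, the note, the dropper)."""
    folder, _, name = path.rpartition("\\")
    m = DHARMA_NAME_RE.match(name)
    if not m:
        return None
    prefix = folder + "\\" if folder else ""
    return {"original": prefix + m["orig"], "victim_id": m["vid"],
            "email": m["email"], "ext": m["ext"]}


def pair_events(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Match each 'File created' encrypted name with the 'File opened for modification'
    event on its plaintext original; unmatched creations are dropped, not guessed."""
    events = list(events)
    opened = {path.lower() for action, path in events if action == "File opened for modification"}
    pairs = []
    for action, path in events:
        if action != "File created":
            continue
        meta = parse_dharma_name(path)
        if meta and meta["original"].lower() in opened:
            pairs.append((meta["original"], path))
    return pairs


def summarize(paths: Iterable[str]) -> Dict[str, object]:
    """Count encrypted vs untouched paths and tally the IDs, addresses and extensions seen."""
    parsed = [parse_dharma_name(p) for p in paths]
    hits = [m for m in parsed if m]
    return {
        "encrypted": len(hits),
        "untouched": len(parsed) - len(hits),
        "victim_ids": Counter(m["victim_id"] for m in hits),
        "emails": Counter(m["email"] for m in hits),
        "extensions": Counter(m["ext"] for m in hits),
    }


# Constructed input: file events copied from this report's IoC lists.
SAMPLE_EVENTS = [
    ("File opened for modification", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-A4F56274.[admin@stex777.com].money"),
    ("File created", r"C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll.id-A4F56274.[admin@stex777.com].money"),
    ("File opened for modification", r"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ta.pak"),
    ("File opened for modification", r"C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe.id-A4F56274.[admin@stex777.com].money"),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"),
]

if __name__ == "__main__":
    print(summarize(p for _, p in SAMPLE_EVENTS))
    for orig, enc in pair_events(SAMPLE_EVENTS):
        print(f"{orig}\n  -> {enc}")
```

On a real host you would feed it a directory walk rather than the report's excerpt; a single victim ID and a single contact address across all hits is the expected picture for one Dharma run, and a second ID or address in the tally points at a second infection or a second key.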
Drops file in Windows directory 1 IoCs
Processes: mspaint.exe
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (mspaint.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
- PID 1996 vssadmin.exe
- PID 296 vssadmin.exe
Modifies registry class 1 IoCs
Processes: OpenWith.exe
- Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings (OpenWith.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: dharma.exe (PID 1804), taskmgr.exe (PID 4312)
- 64 events in total: 61 from PID 1804 dharma.exe, 3 from PID 4312 taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: taskmgr.exe, OpenWith.exe
- PID 4312 taskmgr.exe
- PID 3144 OpenWith.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: vssvc.exe, taskmgr.exe
- Token: SeBackupPrivilege, PID 396 vssvc.exe
- Token: SeRestorePrivilege, PID 396 vssvc.exe
- Token: SeAuditPrivilege, PID 396 vssvc.exe
- Token: SeDebugPrivilege, PID 4312 taskmgr.exe
- Token: SeSystemProfilePrivilege, PID 4312 taskmgr.exe
- Token: SeCreateGlobalPrivilege, PID 4312 taskmgr.exe
- Token: 33, PID 4312 taskmgr.exe
- Token: SeIncBasePriorityPrivilege, PID 4312 taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: taskmgr.exe
- 64 events, all from PID 4312 taskmgr.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes: taskmgr.exe
- 64 events, all from PID 4312 taskmgr.exe
Suspicious use of SetWindowsHookEx 17 IoCs
Processes: OpenWith.exe, mspaint.exe
- 13 events from PID 3144 OpenWith.exe
- 4 events from PID 4940 mspaint.exe
Suspicious use of WriteProcessMemory 22 IoCs
Processes: dharma.exe, dharma.exe, cmd.exe, cmd.exe, OpenWith.exe (each write below is recorded twice in the report)
- PID 3564 dharma.exe wrote to memory of PID 1804 dharma.exe (4 events)
- PID 1804 dharma.exe wrote to memory of PID 4600 cmd.exe (2 events)
- PID 4600 cmd.exe wrote to memory of PID 4376 mode.com (2 events)
- PID 4600 cmd.exe wrote to memory of PID 1996 vssadmin.exe (2 events)
- PID 1804 dharma.exe wrote to memory of PID 3712 cmd.exe (2 events)
- PID 3712 cmd.exe wrote to memory of PID 2364 mode.com (2 events)
- PID 1804 dharma.exe wrote to memory of PID 2000 mshta.exe (2 events)
- PID 1804 dharma.exe wrote to memory of PID 3432 mshta.exe (2 events)
- PID 3712 cmd.exe wrote to memory of PID 296 vssadmin.exe (2 events)
- PID 3144 OpenWith.exe wrote to memory of PID 4940 mspaint.exe (2 events)
Processes
PIDs are taken from the WriteProcessMemory, SetThreadContext and AdjustPrivilegeToken records above and from the memory-dump names below; where the report records none, none is given. Indentation shows parent/child relationships.

C:\Users\Admin\AppData\Local\Temp\dharma.exe (PID 3564)
  command line: "C:\Users\Admin\AppData\Local\Temp\dharma.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\dharma.exe (PID 1804; second instance of the same image, target of the parent's SetThreadContext and WriteProcessMemory calls)
    command line: C:\Users\Admin\AppData\Local\Temp\dharma.exe
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 4600)
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\mode.com (PID 4376)
        command line: mode con cp select=1251
      C:\Windows\system32\vssadmin.exe (PID 1996)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Windows\system32\cmd.exe (PID 3712)
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\mode.com (PID 2364)
        command line: mode con cp select=1251
      C:\Windows\system32\vssadmin.exe (PID 296)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
    C:\Windows\System32\mshta.exe (PID 2000)
      command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    C:\Windows\System32\mshta.exe (PID 3432)
      command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

Each cmd.exe child first runs "mode con cp select=1251", which switches the console to code page 1251 (Windows Cyrillic), and then deletes every volume shadow copy with "vssadmin delete shadows /all /quiet"; the deletion is performed twice, once before and once after encryption. The two mshta.exe children render the dropped Info.hta ransom note. The processes below sit at the top level of the tree and are not children of the sample: vssvc.exe is the Volume Shadow Copy service answering the vssadmin requests, and taskmgr.exe, OpenWith.exe and mspaint.exe are desktop interaction inside the sandbox (mspaint.exe is opening one of the renamed, encrypted shortcuts).

C:\Windows\system32\vssvc.exe (PID 396)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe (PID 4312)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops startup file
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\OpenWith.exe (PID 3144)
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\mspaint.exe (PID 4940)
    command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\Google Chrome.lnk.id-A4F56274.[admin@stex777.com].money"
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
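The process tree above, together with the SetThreadContext and WriteProcessMemory records, is what a process-creation telemetry source (Sysmon event 1, EDR) would see, and the chain is detectable without any hash: vssadmin deleting shadows two hops below a user-profile executable, the code page switch that precedes it, mshta.exe rendering an .hta from a user-writable folder, and an executable spawning a second copy of its own image. The following is an added example and not code from the report or from the sandbox vendor: it runs those four rules over process events constructed from this page's tree (PIDs taken from the WriteProcessMemory records) and attributes every hit to the root of its parent chain so the alerts collapse onto the one process that started it all. Rule names, regexes and the Proc record shape are my own assumptions, not any vendor's schema.

```python
"""Detection rules over process-creation events shaped like this report's process tree."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None for a top-level process in the recorded tree
    image: str
    cmdline: str


# Constructed input: the tree on this page, PIDs from the WriteProcessMemory records.
EVENTS = [
    Proc(3564, None, r"C:\Users\Admin\AppData\Local\Temp\dharma.exe", r'"C:\Users\Admin\AppData\Local\Temp\dharma.exe"'),
    Proc(1804, 3564, r"C:\Users\Admin\AppData\Local\Temp\dharma.exe", r"C:\Users\Admin\AppData\Local\Temp\dharma.exe"),
    Proc(4600, 1804, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    Proc(4376, 4600, r"C:\Windows\system32\mode.com", "mode con cp select=1251"),
    Proc(1996, 4600, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Proc(3712, 1804, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    Proc(2364, 3712, r"C:\Windows\system32\mode.com", "mode con cp select=1251"),
    Proc(296, 3712, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Proc(2000, 1804, r"C:\Windows\System32\mshta.exe", r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'),
    Proc(3432, 1804, r"C:\Windows\System32\mshta.exe", r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'),
    Proc(3144, None, r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    Proc(4940, 3144, r"C:\Windows\system32\mspaint.exe", r'"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\Google Chrome.lnk.id-A4F56274.[admin@stex777.com].money"'),
]

SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
CODEPAGE_RE = re.compile(r"mode\s+con\s+cp\s+select=(\d+)", re.I)
# mshta launching an .hta that lives under AppData, ProgramData, Users\Public or a Startup folder.
HTA_FROM_USER_PATH_RE = re.compile(
    r'mshta(\.exe)?"?\s+"?[^"]*\\(AppData|ProgramData|Users\\Public|Startup)\\[^"]*\.hta', re.I)
WINDOWS_DIR = "c:\\windows\\"


def root_ancestor(p: Proc, by_pid: Dict[int, Proc]) -> Proc:
    """Follow ppid links to the top of the recorded tree: the process to attribute activity to."""
    while p.ppid is not None and p.ppid in by_pid:
        p = by_pid[p.ppid]
    return p


def detect(events: List[Proc]) -> List[Tuple[str, int, int]]:
    """Return (rule, pid, attributed_root_pid) for every rule hit."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        root = root_ancestor(e, by_pid).pid
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        # Rule 1: shadow-copy deletion through vssadmin.
        if SHADOW_DELETE_RE.search(e.cmdline):
            hits.append(("shadow_copy_deletion", e.pid, root))
        # Rule 2: console code page flipped to 1251 (Windows Cyrillic), as done before each vssadmin call here.
        m = CODEPAGE_RE.search(e.cmdline)
        if m and m.group(1) == "1251":
            hits.append(("codepage_1251_switch", e.pid, root))
        # Rule 3: mshta rendering an .hta from a user-writable location (the ransom note).
        if HTA_FROM_USER_PATH_RE.search(e.cmdline):
            hits.append(("mshta_hta_user_path", e.pid, root))
        # Rule 4: a process outside C:\Windows starting a second copy of its own image; here the
        # parent goes on to call WriteProcessMemory/SetThreadContext on that child.
        if (parent and parent.image.lower() == e.image.lower()
                and not e.image.lower().startswith(WINDOWS_DIR)):
            hits.append(("self_respawn_same_image", e.pid, root))
    return hits


if __name__ == "__main__":
    for rule, pid, root in detect(EVENTS):
        print(f"{rule:26} pid={pid:<5} attributed_to={root}")
```

All seven hits attribute to PID 3564, the original dharma.exe launched from the user's Temp folder, while the OpenWith.exe/mspaint.exe branch produces nothing. Rule 1 on its own will also fire on legitimate administration; what makes it actionable is the parent chain ending in a user-profile executable, which the attribution step exposes.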
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (ransom note, 13KB)
  MD5: 125d104225b0f251f83c458b6da4e30f
  SHA1: 70425b3a9b793a6a9544ffab0afb0e529574e8ef
  SHA256: 5bac752ebff690977cf421cbffe5873d7e00977f1c840d1f5ef7b2876cd6eb1b
  SHA512: 8cf7bae12597a8a33eed44c777b103fb4747230fbb72ebf2e889909cda2119db9f852c5ff486839844b60659a96d2e8b4d4fb45111b52f22b4d8c7cf50e61b2e

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\dharma.exe (677KB; byte-identical copy of the submitted sample)
  MD5: 2d4ec86793fec1e10ac8fb617b2dcdbd
  SHA1: 078df2b23e7e24f2397532f9ec2694191fd9cc20
  SHA256: a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b
  SHA512: 1e15b4c910532ed36cf3adf605f744784224ceaa815e71588fb521f0e7b76975dc37889e6c8ac2e1c888060eda2380850c8877a801c74e222db043715719c5de

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx (Direct3D shader cache; zero-byte file, the hashes are those of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock (zero-byte file, same hashes as above)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val (zero-byte file, same hashes as above)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db (Explorer icon cache, 28KB)
  MD5: 5bc82a24bcd69d33722090ca3a7ac303
  SHA1: b1eb04bd182ed38ff291bc70ade2fa3cfe87adb1
  SHA256: b20a745b06c12c6159e91c9457a49a7241d67935ed3e0b361f94328db0c7daa8
  SHA512: 417cfdbc4db69ed748f4af00b0bf305248997f208df5e2a1e671d8355af4b93f44dfb9b032b1b0ff00419b73d732efcda747d5b4b348f788a50c2369185aff07

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (ransom note, 13KB; identical to the ProgramData copy)
  MD5: 125d104225b0f251f83c458b6da4e30f
  SHA1: 70425b3a9b793a6a9544ffab0afb0e529574e8ef
  SHA256: 5bac752ebff690977cf421cbffe5873d7e00977f1c840d1f5ef7b2876cd6eb1b
  SHA512: 8cf7bae12597a8a33eed44c777b103fb4747230fbb72ebf2e889909cda2119db9f852c5ff486839844b60659a96d2e8b4d4fb45111b52f22b4d8c7cf50e61b2e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dharma.exe (677KB; byte-identical copy of the submitted sample)
  MD5: 2d4ec86793fec1e10ac8fb617b2dcdbd
  SHA1: 078df2b23e7e24f2397532f9ec2694191fd9cc20
  SHA256: a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b
  SHA512: 1e15b4c910532ed36cf3adf605f744784224ceaa815e71588fb521f0e7b76975dc37889e6c8ac2e1c888060eda2380850c8877a801c74e222db043715719c5de

C:\Users\Public\Desktop\Google Chrome.lnk.id-A4F56274.[admin@stex777.com].money (encrypted desktop shortcut, 2KB)
  MD5: ac9c88ff919b611d0c7a8849a80dda02
  SHA1: 787cba66fac4170c1ac1cfdab9dd62a2b0d636f7
  SHA256: e2c8d62235c51a67babf22aad043b85070902ecc487418f01cbd61f67650b160
  SHA512: b8688fc04ec968301a3d16f7cd6120d49d21be2e416305f36f3d90b9b72e9145123c5141d48d694c03df36002c2b0df3a57b00f22c5d26f6aeafe254fe256816

C:\Windows\System32\dharma.exe (677KB; byte-identical copy of the submitted sample, the target of the dharma.exe Run key)
  MD5: 2d4ec86793fec1e10ac8fb617b2dcdbd
  SHA1: 078df2b23e7e24f2397532f9ec2694191fd9cc20
  SHA256: a6ed8beb599f2aa594298076a2e8312871a2b12feb8e5d072d51335f21f85d7b
  SHA512: 1e15b4c910532ed36cf3adf605f744784224ceaa815e71588fb521f0e7b76975dc37889e6c8ac2e1c888060eda2380850c8877a801c74e222db043715719c5de

The sample copies itself unmodified to three persistence locations (both Startup folders and System32), so a single hash covers the original and every dropped copy.
-
Memory dumps
- memory/296-159-0x0000000000000000-mapping.dmp
- memory/1804-134-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
- memory/1804-133-0x0000000000000000-mapping.dmp
- memory/1804-139-0x0000000000400000-0x0000000000419000-memory.dmp (100KB)
- memory/1996-143-0x0000000000000000-mapping.dmp
- memory/2000-154-0x0000000000000000-mapping.dmp
- memory/2364-153-0x0000000000000000-mapping.dmp
- memory/3432-156-0x0000000000000000-mapping.dmp
- memory/3564-132-0x00000000029B0000-0x00000000029E3000-memory.dmp (204KB)
- memory/3564-141-0x00000000029B0000-0x00000000029E3000-memory.dmp (204KB)
- memory/3712-151-0x0000000000000000-mapping.dmp
- memory/4376-142-0x0000000000000000-mapping.dmp
- memory/4600-140-0x0000000000000000-mapping.dmp
- memory/4940-161-0x0000000000000000-mapping.dmp