Overview

overview

10

Static

static

575f502510...b4.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8804745188.zip

  • Size

    69KB

  • Sample

    230121-eykhdaae64

  • MD5

    5787665e570a0a7e7deaf48aa539896c

  • SHA1

    15be972b9566e275accd5498229b98f69e3430c0

  • SHA256

    0fffd49f114e859b8609a8ea234340d76286e4a8d9741ffb3e42010a6d56c368

  • SHA512

    86fd5ef743a069ebd3ac26b1871c7ab4eacaca481bb4260026566f79251fb5c1334d5227ff9d9433ec1659532e86d06fc865d188f92b380b53ca9099f54298bf

  • SSDEEP

    1536:hzDai+ghUHUDjyb3ZAp7xhO6CeaFmN3CcddjtdiuATw1ZIgVvZfx5IgzOJ:Zx+ghU0Xi32JxhiFmlbdl8TiZTrfx5DI

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All FILES ENCRYPTED "RSA1024" All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL offtitan@protonmail.com IN THE LETTER WRITE YOUR ID, YOUR ID CB74F34D IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: offtitan@cock.li YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL FREE DECRYPTION FOR PROOF You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) DECRYPTION PROCESS: When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you: 1. Decryption program. 2. Detailed instruction for decryption. 3. And individual keys for decrypting your files. !WARNING! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

offtitan@protonmail.com

offtitan@cock.li

Targets

    • Target

      575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4

    • Size

      92KB

    • MD5

      029b9543eedadb6b07be801f6813dbaa

    • SHA1

      f83b6342fb36b3b183aefd7755f29edc45915aa9

    • SHA256

      575f5025100185183eb2eff4b301f25402973b72fbd4e3ba84a7dac0b89ca4b4

    • SHA512

      0a84a5d688a3972150f57093c7acdfb4e2195d56832114d45023b626498966bb2fe813c05de39463db75016bf461017a082ea8a317ada9bcbb2b7f13699ef6de

    • SSDEEP

      1536:mBwl+KXpsqN5vlwWYyhY9S4A6+bBqsG/HKF5K/bDAWtppZSS:Qw+asqN5aW/hL7A6KjsopZN

    Score
    10/10
    dharmapersistenceransomwarespywarestealer

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Tasks