Analysis
-
max time kernel: 150s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 07-03-2023 04:44
Static task: static1
Behavioral task: behavioral1
  Sample: dharma_unpacked.bin.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: dharma_unpacked.bin.exe
  Resource: win10v2004-20230220-en
General
-
Target: dharma_unpacked.bin.exe
Size: 92KB
MD5: 6ed029b9794717d305103e9eb20a8d1f
SHA1: 956ebe054b5f286a1584b365dde59c130dd494ee
SHA256: a43dab9c34af5a49a2a615e86db3e2bf4c5467853dd5bd4f1a1c73619b683ab2
SHA512: dc080d7d7e6e69e1068212ac39e2feb19c5293d52340e9beccf897253a7281032bd4656a8fa5c4f028eed4930487fb8e7029cdd414287a119bc7f6bfbcf0c22c
SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4AOYNq9Siz/+XVgaypvbjaFJt7:Qw+asqN5aW/hLFNq9EWvajt7
Malware Config
-
Extracted from: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Contact email: syndicateXXX@aol.com
Signatures
-
Dharma
Dharma is a ransomware family that has been observed delivered alongside legitimate security-software installers to mask its activity. In this run it encrypts files under the user profile and Program Files, appends an ID/contact-email extension to each encrypted file, deletes volume shadow copies and persists through Run keys and Startup-folder entries (all detailed below).
-
Deletes shadow copies 2 TTPs
Ransomware often deletes shadow copies and other backups to inhibit system recovery; the two vssadmin invocations are shown in the process tree below.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Process: dharma_unpacked.bin.exe
File opened for modification: C:\Users\Admin\Pictures\RemoveFind.tiff
File opened for modification: C:\Users\Admin\Pictures\BackupUse.tiff
-
Drops startup file 5 IoCs
Process: dharma_unpacked.bin.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dharma_unpacked.bin.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc. For a ransomware sample this signature is usually a side effect of the encryption sweep walking browser profile and cache directories (the Internet Explorer cache folders and the Firefox install directory appear in the file lists below); this report records no network activity, so there is no evidence of the data leaving the host.
-
Adds Run key to start application 2 TTPs 3 IoCs
Process: dharma_unpacked.bin.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dharma_unpacked.bin.exe = "C:\\Windows\\System32\\dharma_unpacked.bin.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
All three entries are machine-wide (HKLM). The first re-launches the copy of the sample dropped into System32 at every logon; the other two use the full path of the ransom note as the value name and re-display Info.hta through mshta.exe.
-
Drops desktop.ini file(s) 64 IoCs
Process: dharma_unpacked.bin.exe (all entries are "File opened for modification")
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Recorded TV\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8KR51HKN\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\$Recycle.Bin\S-1-5-21-1914912747-3343861975-731272777-1000\desktop.ini
C:\Program Files\Microsoft Games\Chess\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8J80AB2T\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Program Files\Microsoft Games\Purble Place\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
C:\Program Files\Microsoft Games\FreeCell\desktop.ini
C:\Program Files\Microsoft Games\Hearts\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZJ9QW42R\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E01563NX\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Music\Sample Music\desktop.ini
C:\Users\Public\Recorded TV\Sample Media\desktop.ini
C:\Program Files\Microsoft Games\Mahjong\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Videos\Sample Videos\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UVP2VCE7\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZA6WRM0K\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0P7N10G6\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini
-
Drops file in System32 directory 2 IoCs
Process: dharma_unpacked.bin.exe
File created: C:\Windows\System32\Info.hta
File created: C:\Windows\System32\dharma_unpacked.bin.exe
-
Drops file in Program Files directory 64 IoCs
Process: dharma_unpacked.bin.exe
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\MSGR3ES.DLL.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File created: C:\Program Files (x86)\Microsoft Office\Office14\VisioCustom.propdesc.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\travel.png
File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar
File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\back.png
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\jhall-2.0_05.jar
File opened for modification: C:\Program Files\Java\jre7\lib\zi\Pacific\Easter
File created: C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\DW\DBGHELP.DLL
File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4.ssl_1.0.0.v20140827-1444.jar.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153093.WMF
File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\SegoeChess.ttf
File opened for modification: C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\access\libudp_plugin.dll
File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml
File created: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSVCR71.DLL.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107158.WMF.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\THMBNAIL.PNG.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\PAB.SAM
File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\TextConv\RECOVR32.CNV.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF
File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21548_.GIF
File created: C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sk.dll.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File created: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File created: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15020_.GIF.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_RGB_PAL.wmv
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_ja.jar.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Init.xsn
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\SEQCHK10.DLL
File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png
File opened for modification: C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar
File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\Mozilla Firefox\nssckbi.dll.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGLOGO.XML.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187835.WMF
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WHIRL1.WMF
File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\HEADER.GIF.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File created: C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPISHELLR.DLL.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml
File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_zh_4.4.0.v20140623020002.jar.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107342.WMF.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EAST_01.MID.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
-
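Every encrypted file in the "Drops startup file" and "Drops file in Program Files directory" lists above carries the same suffix: the original name, then .id-<victim id>, then the contact e-mail in square brackets, then the ransom extension. The helper below is an added example for turning a file-activity dump like this one into triage facts (victim ID, contact address, ransom extension, which original file types were hit); it is not part of the sandbox report. The sample paths are copied from this report; the assumption that the victim ID is hexadecimal comes only from the one ID seen here (AFE99EFB) and is marked as such in the code.

```python
import ntpath
import re
from collections import Counter

# Pattern of the encrypted-file names in this report:
#   <original name>.id-<victim id>.[<contact email>].<ransom extension>
# Assumption: the victim id is matched as hex only because the one id in this
# report (AFE99EFB) is hex; nothing here documents the real format.
DHARMA_NAME = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<vid>[0-9A-Fa-f]+)\.\[(?P<email>[^\]]+)\]\.(?P<ext>[^.]+)$"
)


def parse_encrypted_name(path):
    """Return the parts of a Dharma-style encrypted file name, or None if the
    basename does not follow the pattern (i.e. the file was left untouched)."""
    m = DHARMA_NAME.match(ntpath.basename(path))
    if not m:
        return None
    d = m.groupdict()
    d["orig_ext"] = ntpath.splitext(d["orig"])[1].lower()  # type of file that was hit
    d["directory"] = ntpath.dirname(path)
    return d


def summarize(paths):
    """Aggregate victim ids, contact addresses, ransom extensions and original
    file extensions over a list of paths from a file-activity dump."""
    parsed = [p for p in map(parse_encrypted_name, paths) if p]
    return {
        "encrypted": len(parsed),
        "untouched": len(paths) - len(parsed),
        "victim_ids": sorted({p["vid"] for p in parsed}),
        "emails": sorted({p["email"] for p in parsed}),
        "ransom_exts": sorted({p["ext"] for p in parsed}),
        "orig_exts": Counter(p["orig_ext"] for p in parsed),
    }


# Constructed input: a subset of paths from this report, plus one untouched
# file from the same list as a control.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx",
    r"C:\Program Files\Mozilla Firefox\nssckbi.dll.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx",
    r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

A second victim ID or e-mail address showing up in one dump is the thing to look for: it means more than one build or campaign touched the host, and the ransom note alone will not tell you which key each file needs.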
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
1768 vssadmin.exe
2264 vssadmin.exe
-
Modifies Internet Explorer settings 2 IoCs
Processes: mshta.exe (two instances)
Key created: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
Key created: \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
These keys are created by mshta.exe while it renders the Info.hta ransom note (see the process tree below); they are a side effect of the HTA host initialising the Internet Explorer engine, not a deliberate browser modification by the sample.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Process: 1964 dharma_unpacked.bin.exe (this PID is listed 64 times in the report)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Process: 1228 vssvc.exe
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeAuditPrivilege
-
Suspicious use of WriteProcessMemory 28 IoCs
Source PID / process -> target PID / process (number of writes recorded):
1964 dharma_unpacked.bin.exe -> 2032 cmd.exe (4)
2032 cmd.exe -> 1724 mode.com (3)
2032 cmd.exe -> 1768 vssadmin.exe (3)
1964 dharma_unpacked.bin.exe -> 612 cmd.exe (4)
612 cmd.exe -> 2596 mode.com (3)
612 cmd.exe -> 2264 vssadmin.exe (3)
1964 dharma_unpacked.bin.exe -> 2148 mshta.exe (4)
1964 dharma_unpacked.bin.exe -> 2476 mshta.exe (4)
Every write is from a parent into a child it has just created (compare the process tree below), so this signature reflects ordinary process creation here rather than injection into an unrelated process.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
(The bracketed number is the depth in the process tree; each entry gives the image path, the command line, and the signatures attributed to that process.)
[1] C:\Users\Admin\AppData\Local\Temp\dharma_unpacked.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dharma_unpacked.bin.exe"
    - Modifies extensions of user files
    - Drops startup file
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\mode.com
        Command line: mode con cp select=1251
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\mode.com
        Command line: mode con cp select=1251
    [3] C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\System32\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      - Modifies Internet Explorer settings
  [2] C:\Windows\System32\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      - Modifies Internet Explorer settings
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Each cmd.exe child first switches the console code page to 1251 (Windows Cyrillic) with mode.com and then runs the shadow-copy deletion; the sequence is repeated twice. vssvc.exe is the Volume Shadow Copy service, which runs as a service rather than as a child of the sample, so it appears as a separate root holding SeBackupPrivilege/SeRestorePrivilege while it services the deletion requests.
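The process tree above is the part of this report most worth turning into detection logic: vssadmin deleting shadows two hops below an executable in a user-writable directory, mshta.exe launching an .hta from a Startup folder, and Run-key values that start with mshta.exe. The following is an added example of that logic, not code from the sandbox or from the malware report; it runs over constructed Sysmon-style events whose PIDs and command lines are copied from this report. The explorer.exe root (pid 1000) and the benign "vssadmin list shadows" control (pids 3001/3002) are additions for illustration, and the severity labels are the author's choice.

```python
import ntpath
import re

# Constructed Sysmon-style events mirroring the process tree and Run-key writes
# in this report. The explorer.exe root (pid 1000) and the benign control
# (pids 3001/3002, an admin listing shadows) are assumptions added for the demo.
PROC_EVENTS = [
    {"pid": 1000, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1964, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\dharma_unpacked.bin.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\dharma_unpacked.bin.exe"'},
    {"pid": 2032, "ppid": 1964, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 1724, "ppid": 2032, "image": r"C:\Windows\system32\mode.com", "cmdline": "mode con cp select=1251"},
    {"pid": 1768, "ppid": 2032, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 612, "ppid": 1964, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 2596, "ppid": 612, "image": r"C:\Windows\system32\mode.com", "cmdline": "mode con cp select=1251"},
    {"pid": 2264, "ppid": 612, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 2148, "ppid": 1964, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    {"pid": 2476, "ppid": 1964, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'},
    {"pid": 3001, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 3002, "ppid": 3001, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REG_EVENTS = [
    {"pid": 1964, "key": RUN_KEY, "name": "dharma_unpacked.bin.exe", "data": r"C:\Windows\System32\dharma_unpacked.bin.exe"},
    {"pid": 1964, "key": RUN_KEY, "name": r"C:\Windows\System32\Info.hta", "data": r'mshta.exe "C:\Windows\System32\Info.hta"'},
    {"pid": 1964, "key": RUN_KEY, "name": r"C:\Users\Admin\AppData\Roaming\Info.hta", "data": r'mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"'},
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def ancestors(pid, by_pid):
    """Yield the ancestor events of pid, nearest first; stop at an unknown ppid or a loop."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        ev = by_pid[ev["ppid"]]
        seen.add(ev["pid"])
        yield ev


def detect(proc_events, reg_events):
    """Return (rule, pid, severity) tuples for the behaviours this report shows."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for e in proc_events:
        name = ntpath.basename(e["image"]).lower()
        cmd = e["cmdline"].lower()
        if name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
            # Walk the ancestry: an ancestor running from a user-writable path
            # (here the sample in %LOCALAPPDATA%\Temp, two hops up) raises severity.
            from_user_dir = any(USER_WRITABLE.search(a["image"]) for a in ancestors(e["pid"], by_pid))
            hits.append(("shadow_copy_deletion", e["pid"], "critical" if from_user_dir else "high"))
        elif name == "mode.com" and "cp select=" in cmd:
            # Console code-page switch right before vssadmin: weak on its own,
            # kept at low severity for correlation rather than alerting.
            hits.append(("console_codepage_switch", e["pid"], "low"))
        elif name == "mshta.exe" and STARTUP_DIR.search(e["cmdline"]) and cmd.rstrip('"').endswith(".hta"):
            hits.append(("mshta_startup_hta", e["pid"], "high"))
    for r in reg_events:
        if r["key"].lower().endswith(r"\currentversion\run") and r["data"].lower().startswith("mshta"):
            hits.append(("run_key_mshta", r["pid"], "high"))
    return hits


if __name__ == "__main__":
    for rule, pid, sev in detect(PROC_EVENTS, REG_EVENTS):
        print(f"{sev:8} pid={pid:<5} {rule}")
```

The ancestry walk is the part that separates this from a plain command-line match: "vssadmin delete shadows" from an administrator's console is still worth a high-severity alert, but the same command with a grandparent in a Temp directory is the ransomware case and should page someone. The benign "vssadmin list shadows" control produces no hit at all.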
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id-AFE99EFB.[syndicateXXX@aol.com].xxxxx
Filesize: 23.5MB
MD5: bd6babe3dd99c9edcf163789e6bf2d9d
SHA1: 531c7fbc2cd759f8ef3157a9110a5d19328ec4ec
SHA256: 62122e3d77fe6059b5803d56bc4b2053a9e58f1d59a9a66bc76cb2fa7ca00cdb
SHA512: 4687f4fcf90b4246df9e7fca1f0ece356c17608dfd234eec57fd2a04d07c3d8e0b3d6dde41c00d520af228fd7220e423f351ec2f4515fb54a021dd181e27ca39
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize: 13KB
MD5: ffd261175c5f065087e8ba64f371ca1b
SHA1: 78a913a8f389b1a4d36b9aa112252718d34b545a
SHA256: 9e013dba28297281d2aabffddfeb5d7ec49fe5865344bc1958ae3557423c783f
SHA512: de93b74961cd1fc24f0e74b7781bdbad7462c0c3afa0a54fc2b1dcd1acd9e791fea4db750b162047567da935b2d28b3af9a93d3ef3794b0219ba9bba1db285b7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize: 13KB
MD5: ffd261175c5f065087e8ba64f371ca1b
SHA1: 78a913a8f389b1a4d36b9aa112252718d34b545a
SHA256: 9e013dba28297281d2aabffddfeb5d7ec49fe5865344bc1958ae3557423c783f
SHA512: de93b74961cd1fc24f0e74b7781bdbad7462c0c3afa0a54fc2b1dcd1acd9e791fea4db750b162047567da935b2d28b3af9a93d3ef3794b0219ba9bba1db285b7
(identical to the ProgramData copy above, so one set of hashes covers both ransom-note drops)
-
memory/2148-20174-0x000007FFFFF80000-0x000007FFFFF90000-memory.dmp
Filesize: 64KB