Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-03-2023 04:44
- Static task: static1
- Behavioral task: behavioral1
  - Sample: dharma_unpacked.bin.exe
  - Resource: win7-20230220-en
- Behavioral task: behavioral2
  - Sample: dharma_unpacked.bin.exe
  - Resource: win10v2004-20230220-en
General
- Target: dharma_unpacked.bin.exe
- Size: 92KB
- MD5: 6ed029b9794717d305103e9eb20a8d1f
- SHA1: 956ebe054b5f286a1584b365dde59c130dd494ee
- SHA256: a43dab9c34af5a49a2a615e86db3e2bf4c5467853dd5bd4f1a1c73619b683ab2
- SHA512: dc080d7d7e6e69e1068212ac39e2feb19c5293d52340e9beccf897253a7281032bd4656a8fa5c4f028eed4930487fb8e7029cdd414287a119bc7f6bfbcf0c22c
- SSDEEP: 1536:mBwl+KXpsqN5vlwWYyhY9S4AOYNq9Siz/+XVgaypvbjaFJt7:Qw+asqN5aW/hLFNq9EWvajt7
Malware Config
Extracted
- Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
- Email: syndicateXXX@aol.com
Signatures
- Dharma
  Dharma is a ransomware family that uses security software installation to hide malicious activities.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  - File opened for modification: C:\Users\Admin\Pictures\ConvertToImport.tiff (dharma_unpacked.bin.exe)
  - File opened for modification: C:\Users\Admin\Pictures\RevokeSet.tiff (dharma_unpacked.bin.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (dharma_unpacked.bin.exe)
- Drops startup file (5 IoCs)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F123741F.[syndicateXXX@aol.com].xxxxx (dharma_unpacked.bin.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-F123741F.[syndicateXXX@aol.com].xxxxx (dharma_unpacked.bin.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (dharma_unpacked.bin.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dharma_unpacked.bin.exe (dharma_unpacked.bin.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (dharma_unpacked.bin.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dharma_unpacked.bin.exe = "C:\\Windows\\System32\\dharma_unpacked.bin.exe" (dharma_unpacked.bin.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" (dharma_unpacked.bin.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" (dharma_unpacked.bin.exe)
- Drops desktop.ini file(s) (64 IoCs)
- Drops file in System32 directory (2 IoCs)
  Processes:
  - File created: C:\Windows\System32\Info.hta (dharma_unpacked.bin.exe)
  - File created: C:\Windows\System32\dharma_unpacked.bin.exe (dharma_unpacked.bin.exe)
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 2 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  - PID 5892 vssadmin.exe
  - PID 3144 vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - PID 1252 dharma_unpacked.bin.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeBackupPrivilege, PID 4760 vssvc.exe
  - Token: SeRestorePrivilege, PID 4760 vssvc.exe
  - Token: SeAuditPrivilege, PID 4760 vssvc.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (each entry recorded twice):
  - PID 1252 dharma_unpacked.bin.exe wrote to memory of PID 3148 cmd.exe
  - PID 3148 cmd.exe wrote to memory of PID 4300 mode.com
  - PID 3148 cmd.exe wrote to memory of PID 3144 vssadmin.exe
  - PID 1252 dharma_unpacked.bin.exe wrote to memory of PID 5800 cmd.exe
  - PID 5800 cmd.exe wrote to memory of PID 5308 mode.com
  - PID 5800 cmd.exe wrote to memory of PID 5892 vssadmin.exe
  - PID 1252 dharma_unpacked.bin.exe wrote to memory of PID 5368 mshta.exe
  - PID 1252 dharma_unpacked.bin.exe wrote to memory of PID 6356 mshta.exe
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\dharma_unpacked.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dharma_unpacked.bin.exe"
  Signatures: Modifies extensions of user files; Checks computer location settings; Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  - C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-F123741F.[syndicateXXX@aol.com].xxxxx
  Filesize: 2.9MB
  MD5: e81fa258cb87f0466e88b36e6716c526
  SHA1: ed0f8393859b0af77c97633e7b6b4241287ad6ef
  SHA256: 3381f13a0c1069dc8309271c6459d0e580fa3e84eda4fa84c380b73a53193968
  SHA512: ffbdc00c800e72038adf4409ee4de9c6b0443a63b0e92de88d4233125644a8f04c5e8b137afe87973f4b7e0d04efd9424deb9b096c71e173a1f26d0cb574d65f
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  Filesize: 13KB
  MD5: 53eed32ff2eb72e32073e1b9b02cc436
  SHA1: 0e689b8eb9df906167b267a625f166f851574134
  SHA256: 7d7a3653aa0e5c8fb9b34bee839d97e88dd35c0fb47a5385523cf16febd878ee
  SHA512: 0709cfcb5c23dc905ec39f85b2daa8819000f69f1e66df269e9b4dec3aa8db6d003d81708e003d553af5be2666914c8395e118fbd430ad7203aed128c8b75e50
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  Filesize: 13KB
  MD5: 53eed32ff2eb72e32073e1b9b02cc436
  SHA1: 0e689b8eb9df906167b267a625f166f851574134
  SHA256: 7d7a3653aa0e5c8fb9b34bee839d97e88dd35c0fb47a5385523cf16febd878ee
  SHA512: 0709cfcb5c23dc905ec39f85b2daa8819000f69f1e66df269e9b4dec3aa8db6d003d81708e003d553af5be2666914c8395e118fbd430ad7203aed128c8b75e50