Overview

overview

10

Static

static

1

payload.exe

windows7-x64

10

payload.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2023 16:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payload.exe

  • Size

    92KB

  • MD5

    a0dd1dfbac4b2aaed94b2065a9c9f30c

  • SHA1

    b797000407eb333dc80777dd088204179b62fb5c

  • SHA256

    0cbb472b555d4cab454948ba900675db48b120afaedf246a14d87d970b233a43

  • SHA512

    13949bcbd0a6d7efee4e466f9f8818bd4b0643f8bc1116cd302b9b72808dbe018e30aa36d1edd4474ebf590d5d29438247f391988b6b2b5a5188d79a47ae1229

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4AQp27xRgjGri0wEeKirLWP6d7cH:Qw+asqN5aW/hL+pwl2RsivPd

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email [email protected] YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: [email protected] Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\payload.exe
    "C:\Users\Admin\AppData\Local\Temp\payload.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:940
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1280
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:4948
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:2964
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:8532
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:452
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3704

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-CBE837E3.[[email protected]].ccd
            Filesize

            2.9MB

            MD5

            c63ffc757c7168dea1fc5241d4316358

            SHA1

            d54abae1f14e5ce889e3e3031734ec7bcbb61f96

            SHA256

            9d0244efd16f778c56f818d404ec7a281e5f788b8f5b4f56ae77095e9ed35829

            SHA512

            97b082596f533c63b594205528e0b92876ec4a72a50b8e4c305e6ac6192aa03ab868cd858db6b217396aea48f6446b997f1e05dc8a0953b49c0e6ef55fa84992

            Download Submit

          • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            a836a5e1917232c1963573353a9f5135

            SHA1

            33602b8af1179cd898b39a51cded956dbcca117b

            SHA256

            bcd7870326f0b7cd9b83346f89da6c82e036d38d8d917bc8b6c9e62a6e62a9f7

            SHA512

            2f8b2ea7425439875ed19b170a1992aab5b3e747e5de3d59a87ded577840c6bcd043e76fe7648c4d43789eeca1e5a8bd5e6897aa7c3eada1a23057b2bf498778

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
            Filesize

            7KB

            MD5

            a836a5e1917232c1963573353a9f5135

            SHA1

            33602b8af1179cd898b39a51cded956dbcca117b

            SHA256

            bcd7870326f0b7cd9b83346f89da6c82e036d38d8d917bc8b6c9e62a6e62a9f7

            SHA512

            2f8b2ea7425439875ed19b170a1992aab5b3e747e5de3d59a87ded577840c6bcd043e76fe7648c4d43789eeca1e5a8bd5e6897aa7c3eada1a23057b2bf498778

            Download Submit