General

  • Target

    acdef64bfc298f59ed5033ff3b8b7e36_crysis_JC.exe

  • Size

    92KB

  • Sample

    230827-smfa6sag29

  • MD5

    acdef64bfc298f59ed5033ff3b8b7e36

  • SHA1

    4db6303b746a796f216f7166f19a05a63e1d654d

  • SHA256

    f0293711a8c78a638c60cd57874b3b5db52701b7b5e3ff32f309d1f2160c48b9

  • SHA512

    6b12939ab6aa92fcee3b9523aa6bea58bce5dadf5fed94e294fd3e8539cc44860f0be0c86acca15343624367ef71bc1e3c8d7624db2328cd249b796db2fada32

  • SSDEEP

    1536:mBwl+KXpsqN5vlwWYyhY9S4A/O3DqNZogLKE+dC9AxJGUFVL:Qw+asqN5aW/hLdO3UZPKJdC9AvfL

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED ZOV Don't worry, you can return all your files! If you want to restore them, write to the mail: datukraine@tuta.io YOUR ID datukr@onionmail.org ATTENTION! We recommend you contact us directly to avoid overpaying agents Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

datukraine@tuta.io

datukr@onionmail.org
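The Malware Config block above is the output of a configuration extractor: the dropped Info.hta is located, its text recovered from the HTA markup, and the contact addresses pulled out. The Python below is an added example of that step, not the sandbox's own extractor. The HTA it parses is constructed (the report shows only the note text, so the surrounding tags, the stub <script> and <style> blocks, and the `SAMPLE_HTA` name are assumptions). It also handles the quirk visible in the report's extraction, where the slot after "YOUR ID" holds the second e-mail address rather than a victim ID.

```python
"""Recover contact addresses and the victim ID from a Dharma-style Info.hta.

Added example, not code from the sandbox or the malware. Only the note text
below comes from the report; the HTA markup around it is constructed.
"""
import re
from html import unescape

# Constructed stand-in for the dropped Info.hta (markup is an assumption).
SAMPLE_HTA = r"""<html><head><title>Info</title>
<HTA:APPLICATION ID="Info" APPLICATIONNAME="Info" SCROLL="no" SINGLEINSTANCE="yes">
<style>body{background:#fff;font-family:Arial}</style>
<script>window.resizeTo(800,600);</script>
</head><body>
<h1>YOUR FILES ARE ENCRYPTED</h1>
<p>ZOV</p>
<p>Don&#39;t worry, you can return all your files!</p>
<p>If you want to restore them, write to the mail: <b>datukraine@tuta.io</b></p>
<p>YOUR ID <b>datukr@onionmail.org</b></p>
<p>ATTENTION!<br>We recommend you contact us directly to avoid overpaying agents<br>
Do not rename encrypted files.<br>
Do not try to decrypt your data using third party software, it may cause permanent data loss.<br>
Decryption of your files with the help of third parties may cause increased price
(they add their fee to our) or you can become a victim of a scam.</p>
</body></html>"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ID_RE = re.compile(r"YOUR ID[:\s]+([A-Za-z0-9_.@\[\]-]+)", re.I)
# Phrases that all appear in the note text the report extracted.
MARKERS = ("YOUR FILES ARE ENCRYPTED", "Do not rename encrypted files", "write to the mail")


def hta_to_text(hta: str) -> str:
    """Drop <script>/<style> blocks and all tags, decode entities, collapse whitespace."""
    body = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", hta)
    body = re.sub(r"<[^>]+>", " ", body)
    return re.sub(r"\s+", " ", unescape(body)).strip()


def extract_emails(text: str) -> list:
    """Unique contact addresses in order of first appearance."""
    seen, out = set(), []
    for addr in EMAIL_RE.findall(text):
        if addr.lower() not in seen:
            seen.add(addr.lower())
            out.append(addr)
    return out


def extract_victim_id(text: str):
    """Token after 'YOUR ID', or None when that slot holds an e-mail address
    (as in the report's extracted text, where the ID did not survive extraction)."""
    m = ID_RE.search(text)
    if not m or EMAIL_RE.fullmatch(m.group(1)):
        return None
    return m.group(1)


def is_ransom_note(text: str) -> bool:
    """True when every marker phrase is present (case-insensitive)."""
    low = text.lower()
    return all(marker.lower() in low for marker in MARKERS)


def extract_config(hta: str) -> dict:
    """The three fields the report's Malware Config block shows for the note."""
    text = hta_to_text(hta)
    return {
        "emails": extract_emails(text),
        "victim_id": extract_victim_id(text),
        "is_ransom_note": is_ransom_note(text),
    }


if __name__ == "__main__":
    print(extract_config(SAMPLE_HTA))
```

Stripping <script> and <style> before the generic tag pass matters for real HTA notes, which often carry window-sizing script and inline CSS whose contents would otherwise leak into the recovered text and can contain "@" sequences that look like addresses.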

Targets

    • Target

      acdef64bfc298f59ed5033ff3b8b7e36_crysis_JC.exe

    • Dharma

      Dharma (also tracked as CrySIS, which the sample name reflects) is a file-encrypting ransomware family. The sandbox's one-line description refers to a documented delivery pattern in which the ransomware was bundled with a legitimate security-software installer so that the encryptor ran while the user's attention was on the installer.

    • Deletes shadow copies

      Volume Shadow Copies are the local restore points Windows keeps for file and system recovery. Deleting them (typically with vssadmin or wmic) removes the easiest on-host recovery path before encryption completes, which is why the report maps this behaviour to Inhibit System Recovery (T1490).

    • Renames multiple (310) files with added filename extension

      This suggests ransomware activity: files across the system are being encrypted and the encrypted output is given a new extension.

    • Renames multiple (482) files with added filename extension

      The same signature is listed twice with different counts. The extension that was appended is not stated on this page.

    • Drops startup file

      The extracted ransom note Info.hta is written to the all-users Startup folder (the path listed under Malware Config), so the note is reopened at every logon; this is the Startup Folder half of T1547.001 in the matrix below.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials. For a file encryptor, however, this signature commonly fires because the encryptor enumerates and reads the files under browser profile directories before encrypting them, so on its own it is not evidence of credential theft. The T1552.001 and T1005 rows in the matrix below follow from this signature.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                              ID          Count
  Persistence           Boot or Logon Autostart Execution      T1547       1
  Persistence           Registry Run Keys / Startup Folder     T1547.001   1
  Privilege Escalation  Boot or Logon Autostart Execution      T1547       1
  Privilege Escalation  Registry Run Keys / Startup Folder     T1547.001   1
  Defense Evasion       Indicator Removal                      T1070       2
  Defense Evasion       File Deletion                          T1070.004   2
  Defense Evasion       Modify Registry                        T1112       2
  Credential Access     Unsecured Credentials                  T1552       1
  Credential Access     Credentials In Files                   T1552.001   1
  Discovery             System Information Discovery           T1082       1
  Collection            Data from Local System                 T1005       1
  Impact                Inhibit System Recovery                T1490       2
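The signatures listed under Targets and the ATT&CK rows derived from them are the product of rules run over the sandbox's event stream. As an added example that is not the sandbox's rule set, the Python below runs such rules over a small constructed event list and maps the hits to the report's signature names and ATT&CK IDs. The vssadmin and wmic command lines, the Run key, the browser profile path, the user name and the appended extension are placeholders chosen to exercise the rules (the report does not state the extension this sample appends); only the Startup-folder path for Info.hta and the ATT&CK IDs come from the report.

```python
"""Behavioural triage over sandbox-style events, mapped to the report's signatures.

Added example, not the sandbox's rules. EVENTS is constructed: command lines,
registry key, browser path, user name and the appended suffix are typical or
placeholder values, not observations of this sample. The Startup path is the
one the report lists for Info.hta.
"""
import re
from collections import Counter

# Constructed events: (kind, field1[, field2]).
EVENTS = [
    ("process", r'"C:\Windows\System32\vssadmin.exe" list shadows'),   # benign, must not fire
    ("process", r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    ("process", r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'),
    ("file_write", r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Info.hta"),
    ("file_read", r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("file_rename", r"C:\Users\victim\Desktop\draft.txt", r"C:\Users\victim\Desktop\final.txt"),  # plain rename
] + [
    # Twelve renames sharing one appended suffix (suffix is a placeholder).
    ("file_rename",
     rf"C:\Users\victim\Documents\report{i}.docx",
     rf"C:\Users\victim\Documents\report{i}.docx.id-00000000.[datukraine@tuta.io].locked")
    for i in range(12)
]

SHADOW_RE = re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows|wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
BROWSER_RE = re.compile(r"\\(Login Data|Web Data|Cookies|logins\.json)$", re.I)
RENAME_THRESHOLD = 10  # renames sharing one suffix before the mass-rename signature fires

# Signature name -> ATT&CK ID as the report's matrix gives it. The report lists
# no ID for the mass-rename signature, so that one carries the suffix instead.
ATTACK_IDS = {
    "Deletes shadow copies": "T1490",
    "Drops startup file": "T1547.001",
    "Adds Run key to start application": "T1547.001",
    "Reads user/profile data of web browsers": "T1552.001",
}


def added_suffix(old: str, new: str):
    """Text appended to `old` to form `new`, or None for any other rename."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def rename_suffixes(events) -> Counter:
    """Count renames per appended suffix; one dominant suffix is the encryptor's marker."""
    counts = Counter()
    for ev in events:
        if ev[0] == "file_rename":
            suffix = added_suffix(ev[1], ev[2])
            if suffix:
                counts[suffix] += 1
    return counts


def triage(events, rename_threshold=RENAME_THRESHOLD) -> dict:
    """Map raw events to the report's signature names.

    Values are the ATT&CK ID from the report's matrix, or the appended suffix
    for the mass-rename signature."""
    hits = {}
    for ev in events:
        kind, arg = ev[0], ev[1]
        if kind == "process" and SHADOW_RE.search(arg):
            hits["Deletes shadow copies"] = ATTACK_IDS["Deletes shadow copies"]
        elif kind == "file_write" and STARTUP_RE.search(arg):
            hits["Drops startup file"] = ATTACK_IDS["Drops startup file"]
        elif kind == "registry" and RUN_KEY_RE.search(arg):
            hits["Adds Run key to start application"] = ATTACK_IDS["Adds Run key to start application"]
        elif kind == "file_read" and BROWSER_RE.search(arg):
            hits["Reads user/profile data of web browsers"] = ATTACK_IDS["Reads user/profile data of web browsers"]
    for suffix, n in rename_suffixes(events).items():
        if n >= rename_threshold:
            hits[f"Renames multiple ({n}) files with added filename extension"] = suffix
    return hits


if __name__ == "__main__":
    for name, detail in triage(EVENTS).items():
        print(f"{name}: {detail}")
```

The rename rule keys on the suffix rather than on the file count alone: a build process or a backup tool can also rename hundreds of files, but only an encryptor leaves one identical appended marker across unrelated directories, which is what the report's "added filename extension" wording is pointing at.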

Tasks